Lessons about Logins from the JP Morgan Breach

JP Morgan is another example of a company that was able to detect and clear out its compromised systems without a third party notifying it of suspicious activity. The infiltration lasted two months, from mid-June to mid-August of this year. It was the bank's own internal investigation that led it to the discovery of a customized piece of malware that was leeching gigabytes of data, routed through multiple countries before ending up in a large Russian city.

While JP Morgan is the more public face of this breach, it was not the only financial institution the hackers tried. The same web address probed over a dozen institutions, including companies like Fidelity Investments and E*Trade, though many have publicly denied that they were tested or compromised. Even JP Morgan didn't break the news of the breach until early October, in a regulatory filing, saying up until that point that it was investigating but hadn't found any unusual levels of fraud.

The hackers used what's known as a zero-day strategy, exploiting a weakness or flaw that is not yet publicly known or patched, so there is no time for companies to prepare. That also explains why they cast such a wide net: they hoped to catch as many companies unawares as possible before word got out. In the JP Morgan case, the hackers got in through a flaw in one of the company's public-facing websites.

The JP Morgan breach affected 76 million households and 7 million small businesses, and the hackers made off with names, phone numbers, and addresses (both email and physical). Some 90 servers were broken into, and the attackers deliberately stayed away from account data in order to avoid, or at least prolong, detection.

At first, there was concern that the attack wasn't just a case of opportunistic hackers but perhaps something state-sponsored; JP Morgan was one of the financial institutions that had helped enforce sanctions against Russia in the wake of the unrest in Ukraine this past spring and summer. The FBI and the U.S. Secret Service are involved, and the company has brought in CrowdStrike, FireEye and Stroz Friedberg, digital forensic investigation firms that all have law enforcement ties, to help. Federal investigators now believe that the motive was profit rather than politics.

While no financial details were taken, security experts say that what was taken is useful for phishing attacks, which may have been the goal all along. Since the breach, over 150,000 emails and 2,000 SMS messages have been sent to JP Morgan customers asking the recipient for login credentials and attempting to install a Trojan on their computer.

There will always be an incentive to steal sensitive information from financial institutions, making breaches like this inevitable. So long as the only barrier to accessing a personal bank account is entering the correct login credentials or the knowledge-based authentication answer, account takeovers and identity theft will continue to plague customers and make headlines.

The question for banks isn't just how to stop breaches; it's how to protect the login without impacting customer experience and mobile access. This is what's driving the move toward a more robust layering of authentication measures – such as requiring login credentials alongside passive, contextual information unique to the user – that in the end makes the low-hanging fruit of username and password of little interest.
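As an added illustration of the layering described above (example code, not from the original post or any bank's system), the following Python scores a login attempt against passive context the user cannot be phished for: the device the request came from, the country it came from, the hour of day and the recent failure count. Signal weights and the ALLOW / STEP_UP / DENY thresholds are illustrative assumptions; a correct password alone is never enough to get straight through from unfamiliar context.

```python
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """Passive context a bank has already observed for a customer."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 23)  # local hours the customer normally logs in


@dataclass
class LoginAttempt:
    """What the login endpoint sees for one request (constructed sample data)."""
    password_ok: bool
    device_id: str
    country: str
    hour: int
    failed_attempts_last_hour: int


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Sum illustrative weights for every contextual signal that looks unfamiliar."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 40  # unseen device: the strongest single signal
    if attempt.country not in profile.usual_countries:
        score += 35  # geolocation the customer has never logged in from
    if attempt.hour not in profile.usual_hours:
        score += 15  # off-hours access is weak evidence on its own
    score += min(attempt.failed_attempts_last_hour, 5) * 10  # password guessing
    return score


def decide(profile: UserProfile, attempt: LoginAttempt,
           step_up_at: int = 40, deny_at: int = 80) -> str:
    """Credentials are necessary but not sufficient: context decides the outcome."""
    if not attempt.password_ok:
        return "DENY"
    score = risk_score(profile, attempt)
    if score >= deny_at:
        return "DENY"       # too much unfamiliar context even with a valid password
    if score >= step_up_at:
        return "STEP_UP"    # ask for a second factor before granting the session
    return "ALLOW"          # familiar device, place and time: frictionless login


if __name__ == "__main__":
    alice = UserProfile(known_devices={"phone-a1"}, usual_countries={"US"})
    print(decide(alice, LoginAttempt(True, "phone-a1", "US", 10, 0)))  # ALLOW
    print(decide(alice, LoginAttempt(True, "laptop-zz", "FR", 3, 0)))  # DENY
```

A phished username and password replayed from an attacker's own device and country lands in STEP_UP or DENY, while the customer's everyday login from a known phone sees no extra friction.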