JP Morgan Chase Breach Compromised Data of 76 Million Households 76
JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.
To Big To Fail (Score:5, Informative)
Re:To Big To Fail (Score:5, Insightful)
There's definitely more than a little of that here, but in the internet era, the most important principle I've noticed is Too Big To Pass Up. If you're a hacker, a score of personal information numbering in the millions is essentially worth years and years and years of effort, huge investments of money, and risking obscene levels of punishment.
The payout is too big not to. So big corporations make really really appealing targets. You're right that making big corporations more accountable for how they protect data would help a lot, but even if they were spending small fortunes on software security, things like heartbleed would still happen, where they're exposed and can do nothing about it.
And I don't see a solution. More smaller companies might work. Maybe.
Re: (Score:2, Insightful)
"and risking obscene levels of punishment."
Hardly. The hackers mainly come from Russia or China. How is JP Morgan Chase supposed to punish them, even if they know exactly who they are? There's no risk at all for the hackers, which is why it keeps happening.
Re: (Score:2)
Russia, China, Middle East, etc. Unlike the Internet when there was a threat of having the upstream pull the connection, so there was incentive of minding the store when it came to attacks, there is none now. In fact, some countries encourage it, since they dislike the West and view any place there as open season.
Realistically, the only solution is to do like the US Government with SIPRNet and NIPRNet, and have dedicated wires (not VPNs or stuff running over existing Internet connections) for a financial
Re: (Score:2)
I haven't visited the sites I'm told to visit (not my real ISP addresses but similar) but wouldn't be surprised if that is the first step to compromising my computer to scrape login information to my Chase account, and also being able to intercept any e-mail alerts to fraudulent activity. If they mapped Chase's
Re: (Score:2)
Our options are limited.
The internet, by its nature, invites all the complexities of international law. It used to be you wouldn't have to worry about that unless you were near a border, on board a plane, or running a multinational corporation. Now it's a problem for everyone. People commit fraudulent crimes from places where they happen to be legal or unenforced, and every different way of doing things invites a new loophole.
Re: (Score:2)
So in my saying "To Big To Be Accountable", I mean to say "What are they going to do
Re: (Score:2)
The "security that used to be" was air gaps and manual processing of almost everything. It's the same security as living 2 miles from your neighbors before cars were invented.
Re:To Big To Fail (Score:4, Interesting)
This is "all eggs in one basket" syndrome, and it is only going to get worse as more people move to the cloud, LEOs of various countries (the example of countries demanding access to Blackberry's BIS servers comes to mind) getting their backdoors (and thus a database of keys to them), and more data in general is stashed in one place.
To boot, there is no real financial gain by companies in general to actually bother with more than token security. They lose nothing by a major compromise, as they will have zero consequences if someone's personal info or medical records get compromised. Same with cloud data. There are no laws securing it. Even in the financial sector, Visa will just do a light hand slap if PCI-DSS3 is completely ignored on all but the smallest merchants. HIPAA is lightly enforced in the medical sector, if that. FERPA as well.
In the past, banks had to worry about regulators and the threat of more laws if they didn't run a tight ship. Now, there is no incentive either way, be it a carrot for being secure, nor a stick for not taking basic security precautions. Bank customers may complain, but most of the clients would have to change too much stuff to move to another financial institution, so they won't have that many people stop doing business overall, especially if there is some vague promise of "we will do better next time".
Re: (Score:2)
I'm wary of your "in the past" statement. When exactly in the past do you mean?
Re: (Score:2)
What did you think he meant?
Re: (Score:2)
Well, I mean only a few years before that was the fucking savings and loan crisis. Those idealized halcyon days should probably exist before we talk about how we have abandoned their principals. If you know me, you'll know I'm no fan of imaginary free market solutions to systemic problems, but the past was just as rife with pointless deregulation as today.
Re:"stolen?" (Score:5, Insightful)
Shhhh! You'll point out the groupthink's duplicity.
It's fine when it's about getting free shit even if that harms someone else's livelihood. Information wants to be free! But when it's YOUR info that's copied, even if you still have that info, well, that's very different, you see.
Prepare to be modded down for saying things people don't want to hear.
When JP Morgan leaks ... (Score:1)
Security through obscurity - useful but inadequate (Score:5, Insightful)
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application
I find this interesting because it shows both the usefullness but ultimate inadequacy of security through obscurity. Had the hackers been unable to obtain this information, the implication is that the breach would not have happened, or at least not happened as soon. Without the ability to create a road map, they would have had to take the less efficient approach of randomly guessing and probing with the hope that something worked. So keeping that list of applications and programs a secret has some value.
On the other hand, it underscores the importance of the point that people have been making about security through obscurity for decades: it's very weak security, and once that layer of the security onion is breached, there had better be stronger security layers underneath. Like patched and updated programs and web applications that close known vulnerabilities. I'm guessing that didn't happen, because the JP Morgan Chase management has probably acted like many other management teams I've had the "pleasure" of working with - they placed higher value on the secrecy than actually fixing stuff, because the former costs less, and it kind of works until it doesn't (and then that policy fails in a big way).
I sincerely hope that these breaches light a fire under the asses of lax management at these large companies and they realize that spending the time and resources to *really* secure their systems is worth it in the long run.
And then I laugh sadly, because that's wishful thinking.
Re: (Score:2, Informative)
I have worked with JPMC several times, and can tell you you are way off base. They spend an ENORMOUS amount of money on IT and especially security.
No system is perfect. Given enough incentive, anything can be broken. And, make no mistake, there is a TON of incentive to successfully breach a banking system. In fact, it would seem that the fact all they got was names, etc, and not banking details, shows that there systems are not near as weak as you think.
Re: (Score:1)
Well, that's hardly comforting. So even spending an ENORMOUS amount of money on IT and security can't prevent your system from being breached in a big and spectacular way? Then either that enormous amount of money was spent poorly, or that information should not have been exposed to the internet in the first place until it was properly secured. They were breached, in a big way. So their systems were exactly as weak as I think, enormous expenditure aside. I fail to see your point. "They tried REALLY ha
Re: (Score:3)
"The point" is that no system is, or will ever be, perfect. You are the one making the claim that they are too cheap to patch systems, etc. They aren't.
Even with their precautions someone breached them. That does not mean the money was not well spent, it just means that their system (including all the users of their system) is not perfect. I suppose YOU could make a 'perfect system' for them?
Of course they COULD have kept that valuable customer name/email information off the internet. That would kind o
Re: (Score:2)
Other banks too? (Score:2, Interesting)
I seem to recall hearing JP Morgan and FIVE other banks were compromised in this attack. At the time, the news (and /.) only mentioned JP Morgan by name. The consensus as I remembered was the other five banks were small and WERE too little to fail.
Well, I would still like to know who these other victims were. What if it was a banking institution I use? I want to know if I have been exposed.
Maybe it's time for the law to require notifications and possibly penalties to those institutions which don't take
Litigate to mitigate ... (Score:2)
... legislate to regulate.
Until the likes of JP Morgan Chase feels pain, this crap will continue.
We need security liability laws.
This is insane... (Score:4, Interesting)
A static number that, once discovered, allows anyone to make a purchase until that number's use is deactivated? I should have 2-factor auth on all purchases, my credit card number should only act as a public key, or I should have the ability to generate new disposable numbers on the fly.
They've pushed this nominclature of "identity theft" (which attempt to make consumers feel as though they've been robbed) when in truth these are just cases of fraud that were made possible and likely because Visa and Mastercard haven't improved THEIR security for about 20 years.
Re: (Score:2)
I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.
The problem is the retailers haven't implemented terminals to support it yet.
Re:This is insane... (Score:5, Interesting)
I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.
The problem is the retailers haven't implemented terminals to support it yet.
They are starting to. And the first place that I ever used my chipped CC at was Walmart. (Which confused the hell out of the associate who was insisting that I swipe the card, rather than inserting it into the chip reader slot)
Re: (Score:2)
No credit cards, just names and email addresses (Score:2)
> Why have Visa and Mastercard not changed their purchase validation system?
This story has nothing whatsoever to do with credit cards. The bad guys got a list of names and email addresses - a phone book.
Re: (Score:2)
Completely unrelated. (Score:2)
> ! You shouldn't be able to obtain a static number and then have the right to start charging money. . The story just highlights how wrong the current system is.
No, it doesn't. The story has absolutely nothing whatsoever to do with credit cards. That's a completely unrelated topic. Maybe credit card numbers are stupid, maybe Obama is stupid, maybe you're stupid. This story has absolutely nothing to do with any of those things.
Re: (Score:2)
So, I have made a new resolution. I will RTFA or at least drink coffee in the morning before posting on
Unexpectedly gracious and humble (Score:2)
Well that's an unexpectedly gracious and humble reply to a post which included the words "maybe you're stupid".
I'm sorry for including those words. Maybe you're a gentleman and a scholar, fine sir.
Re: (Score:2)
Re: (Score:2)
I just confirmed that. Here in the US, EMV cards can be used without a PIN. So, all it will take is an unscrupulous person to run the card in two EMV readers, the legit transaction, then another for another charge, and the customer wouldn't know until it hits the monthly statement.
I hope that if a PIN is set, an EMV transaction does not move foward, period... but we already have PINless debit transactions, so I wouldn't be surprised to see such a basic security upgrade like EMV gutted.
Re: (Score:3)
Why have Visa and Mastercard not changed their purchase validation system?
The short answer is that they haven't done it yet because they couldn't.
The longer answer is that if you look into this a bit, what you'll find is that they actually started making moves back in 2012 to get the ball rolling on the shift to EMV in the US, but these things take time and almost all of the migration is actually out of their hands. It isn't possible to respond with the massive roll out that's necessary, so we're still in the process of slowly migrating (our migration is different than most other
Re: (Score:1)
It's been around for over ten years. It provides disposable numbers. Each new number is locked into a single payee, and you can update/set the expiration date and credit limit for these numbers, so you never have to reveal the "root" CC number - not even for recurring bills
I don't think you can change the name on the card or the billing address.
When I was a kid... (Score:5, Insightful)
...they used to print all of that information up in a four-inch-thick book and leave it on your doorstep every six months or so. (Minus the email addresses, of course.)
Re: (Score:3, Funny)
That's the crime. Someone got it for free.
Re: (Score:2)
I got it for free.
From your mom.
Sensitive information (Score:5, Insightful)
Chase is really spinning this by saying that no sensitive information was taken in the hack.
Well, it seems that the crackers now have tens of millions of *confirmed* Names, addresses, phone numbers, and emails at the very least. That is a freakin treasure trove of information.
I like my privacy and take great care not to let information out into the world. But Doctors, banks, and gov always want every bit of info on you so they make the best targets.
Re: (Score:2)
And it is difficult to keep them under our control aftre we give them our personal datas. Who knows how much got leaked out even if there were no breaches. :(
Numbers don't seem right (Score:1)
There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.
I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.
Re: (Score:3, Insightful)
There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.
I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.
I don't.. Between credit cards, mortgages, car loans, etc I can believe it. I currently have a car loan with them and within the last 5 years had a credit card.
Re: (Score:3)
Well, I can see two factors that you're not thinking about: (1) a person having accounts at more than one institution (e.g. I do) and (2) different people in one household having accounts at different institutions (e.g. my wife and I have mostly but not entirely the same banks). It makes it quite plausible that multiple large banks could have customers in over half of the nation's households.
This can be particularly pronounced with loans and credit cards for various reasons including "brokering" a deal for
Re: (Score:1)
Re: (Score:2)
No. The US population is around 319 million. Also, JP Morgan handles the food stamp credit cards, which accounts for around 45 million. Finally, I assume that not all of the breached households are in the US.
And now it all makes sense (Score:4, Interesting)
My workplace gets regular audits from our clients, usually every 3-24 months depending on how big/paranoid the client is. JP Morgan Chase is one of them.
We could tell the audit this summer was a bit different. It took about twice as long and went into much more detail than usual specifically regarding our tech side. After the audit, we got an unexpected list of demands related to stopping leaks.
Now, we don't handle sensitive financial information for them, so it's possible they were just trying to cover all their bases and we got stuck with security theater. Irritatingly, everyone in IT immediately recognized that the demands wouldn't actually prevent leaks. When you have a company full of employees who regularly use FTP, email, and even dropbox to send files to clients, you're simply not going to be able to prevent it.
After months of back and forth trying to kill some of the more ridiculous demands -- like blocking access to Gmail, which we use for company email -- they simply wouldn't budge. We've been wondering why they're standing so firm about it, and now it all makes sense.
I'll bet you... (Score:1)
Re: (Score:1)
Re: (Score:1)
So essentially... (Score:2)
The compromised data included names, email addresses, phone numbers, and addresses.
Holy defecation Batman! Hackerz stole a phone book!
Re: (Score:2)
Don't trivialize this by ignoring the true nature of the breach.
This is more like obtaining an exclusive unlisted client list detailing who exactly is doing business with a given organization. The phone book doesn't provide that connection - knowing names, addresses and phone numbers doesn't tell you which crucial and vulnerable businesses are associated with a household. Obtaining the same information from a business of interest is a different story entirely. Metadata is crucially important.
Nobody cares (Score:4, Interesting)
As someone who has done research on banks and disclosed security holes (plug -- live exploits posted to http://privacylog.blogspot.com... [blogspot.com] not always obvious, not always interesting) I can tell you NOBODY cares.
I am still working up the balls or requesting legal advice to tell me I am in the clear so I can tell you the details. But to summarize, there are still **egregious** security failures out there and they can be found by just one person. If you find one of these things you will see too that it is possible to get the federal and industry agencies on the phone that you would expect to be interested in this stuff. But it is purely a courtesy. As soon as you hang up, they will go back to focusing on botnets or revenue-impacting issues.
Re: (Score:1)
Re: (Score:2)
NSA's Information Assurance Division (not the spooks) works hard to help and to convince Big Corp to clean up their act. They recognize that financial IT security is fundamental to national security. Also, the FBI has a group that works to help companies improve security. So you might reach out to one of them.
The fundamental problem is typified by Home Depot's management - as a Redditor noted, when IT asked for budget to implement essential security, their upper management said, "We sell nails and hammer
Security - WWW (Score:2)
That phrase is quickly turning into the newest oxymoron.
Hey I know lets stitch together these 8 completely open and utterly un-certifiable frameworks, have everything talk to each other through XML files, store high value passwords in them so we can just look at the database like a black box. Then lets expose all that to the world of hackers and madmen and then act surprised when we discover its been broken into!
JPM's IT controls have been criticized repeatedly (Score:2)
JPM's audits have been "qualified" by PWC for the last couple of years, because (despite inhouse reports) the CIO has refused to implement proper controls. People in JPM who have reported these problems have been fired - from what I've heard, three heads of Risk Management have been fired in the last three years, each time after telling the CIO that he needs to fix these before their pension fund clients have to take action.