Slashdot Mirror


JP Morgan Chase Breach Compromised Data of 76 Million Households

JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords. The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.

76 comments

  1. To Big To Fail by BringsApples · · Score: 4, Informative

    To Big To Be Accountable

    --
    Politics; n. : A religion whereby man is god.
    1. Re:To Big To Fail by i+kan+reed · · Score: 4, Insightful

      There's definitely more than a little of that here, but in the internet era, the most important principle I've noticed is Too Big To Pass Up. If you're a hacker, a score of personal information numbering in the millions is essentially worth years and years and years of effort, huge investments of money, and risking obscene levels of punishment.

      The payout is too big not to. So big corporations make really really appealing targets. You're right that making big corporations more accountable for how they protect data would help a lot, but even if they were spending small fortunes on software security, things like heartbleed would still happen, where they're exposed and can do nothing about it.

      And I don't see a solution. More smaller companies might work. Maybe.

    2. Re:To Big To Fail by Anonymous Coward · · Score: 2, Insightful

      "and risking obscene levels of punishment."

      Hardly. The hackers mainly come from Russia or China. How is JP Morgan Chase supposed to punish them, even if they know exactly who they are? There's no risk at all for the hackers, which is why it keeps happening.

    3. Re: To Big To Fail by Anonymous Coward · · Score: 0

      Quick! We should give them another huge sum of money and more tax credits. Obviously they can't afford the bad press this will generate.

    4. Re:To Big To Fail by NeverVotedBush · · Score: 1

      I have a Chase account and since early/mid summer I have been getting fairly well written demands from my "ISP" telling me I need to go online to enable antivirus protection for my e-mail account.

      I haven't visited the sites I'm told to visit (not my real ISP addresses but similar) but wouldn't be surprised if that is the first step to compromising my computer to scrape login information to my Chase account, and also being able to intercept any e-mail alerts to fraudulent activity. If they mapped Chase's systems for vulnerabilities in applications, it's safe to assume they could hand out exploits tailored to web site visitor's systems.

I can't say for sure that all the messages I've been getting to fix my e-mail account before it gets suspended are related to the Chase break-in but they did start about the time the break-in supposedly happened and I am a Chase customer so they likely have my e-mail address.

As I said, the e-mails are definitely urgent and fairly well written and will likely fool a lot of people. I reported them to my ISP (Century Link) but they didn't respond and I'm still getting them so at least anecdotal evidence says they haven't done much or anything to block them for their customers.

      I really feel sorry for anyone who "fixes" their e-mail account and possibly hands the keys over to their Chase account while they are at it (if they are connected - I don't know).
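The "not my real ISP addresses but similar" pattern the poster describes is the cheap check a mail filter can make before anyone has to read the body. Added example, not code from the original thread or from any ISP: it classifies a sender address against the domains the recipient actually has a relationship with, treating an exact match as legitimate, a small edit distance or the trusted name smuggled into another domain as a lookalike, and anything else as unrelated. All addresses and the trusted domain "example-isp.net" are constructed; the two-label registrable-domain rule is a simplification (real code would consult the public suffix list).

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict classifies a sender domain against the recipient's trusted domains.
type Verdict string

const (
	Legit     Verdict = "legitimate"
	Lookalike Verdict = "lookalike"
	Unrelated Verdict = "unrelated"
)

// senderDomain pulls the domain out of "Name <user@host>" or "user@host".
func senderDomain(addr string) string {
	if i := strings.LastIndex(addr, "<"); i >= 0 {
		addr = strings.TrimSuffix(addr[i+1:], ">")
	}
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimSpace(addr[at+1:]))
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between a and b (classic DP, O(len(a)*len(b))).
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// registrable keeps the last two labels ("mail.example-isp.net" -> "example-isp.net").
// Assumption: two-label registrable domains only; no public-suffix handling.
func registrable(domain string) string {
	labels := strings.Split(domain, ".")
	if len(labels) <= 2 {
		return domain
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Classify compares the sender's registrable domain to each trusted domain.
// Exact match: legitimate. Edit distance <= 2 (examp1e-isp.net), the trusted
// base name embedded in another registrable domain (example-isp-support.com),
// or the whole trusted domain used as a subdomain of something else
// (example-isp.net.account-verify.com): lookalike. Otherwise: unrelated.
func Classify(sender string, trusted []string) Verdict {
	full := senderDomain(sender)
	d := registrable(full)
	if d == "" {
		return Unrelated
	}
	for _, t := range trusted {
		t = strings.ToLower(t)
		if d == t {
			return Legit
		}
		base := strings.SplitN(t, ".", 2)[0]
		if levenshtein(d, t) <= 2 || strings.Contains(d, base) || strings.Contains(full, t) {
			return Lookalike
		}
	}
	return Unrelated
}

// Constructed sample senders; none of these addresses or domains is real.
var SampleSenders = []string{
	"Example ISP Support <support@mail.example-isp.net>",
	"support@examp1e-isp.net",
	"billing@example-isp.net.account-verify.com",
	"no-reply@example-isp-support.com",
	"friend@gmail.com",
}

func main() {
	for _, s := range SampleSenders {
		fmt.Printf("%-12s %s\n", Classify(s, []string{"example-isp.net"}), s)
	}
}
```

The base-name substring rule is deliberately greedy; with a short trusted name (three or four letters) it will flag unrelated domains, so in practice it is a score feeding a quarantine decision, not a hard block.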

    5. Re:To Big To Fail by i+kan+reed · · Score: 1

      Our options are limited.

      The internet, by its nature, invites all the complexities of international law. It used to be you wouldn't have to worry about that unless you were near a border, on board a plane, or running a multinational corporation. Now it's a problem for everyone. People commit fraudulent crimes from places where they happen to be legal or unenforced, and every different way of doing things invites a new loophole.

    6. Re:To Big To Fail by BringsApples · · Score: 1

      Well, you're certainly correct. There's nothing that can be done to prevent every possible attack. And hey, maybe the reason that they didn't move all money into one account and close all the rest was because it would have triggered an alarm or two that are in place. But knowing that my SS# is out there makes me less secure, seeing as how it's how my bank recognizes (or confirms) me for all sorts of different reasons.

So in my saying "To Big To Be Accountable", I mean to say "What are they going to do to resurrect the security that used to be?" Probably nothing, and there isn't anyone that can make them. Recently my debit card was one involved in the Home Depot hack. I received a letter from my bank explaining that there was some activity on my card that led them to believe that it was included in that hack, and another card with a new PIN was issued to me. So, what can be done about my SS# and its endless links to all of my banking data? That means home loans, the works. Do I get a new SS# and new house? Hell no. Who is accountable here, not in regards to failing to keep my info secure, but in regards to resurrecting the security that is no more?

      --
      Politics; n. : A religion whereby man is god.
    7. Re:To Big To Fail by i+kan+reed · · Score: 1

      The "security that used to be" was air gaps and manual processing of almost everything. It's the same security as living 2 miles from your neighbors before cars were invented.

    8. Re:To Big To Fail by mlts · · Score: 3, Interesting

      This is "all eggs in one basket" syndrome, and it is only going to get worse as more people move to the cloud, LEOs of various countries (the example of countries demanding access to Blackberry's BIS servers comes to mind) getting their backdoors (and thus a database of keys to them), and more data in general is stashed in one place.

      To boot, there is no real financial gain by companies in general to actually bother with more than token security. They lose nothing by a major compromise, as they will have zero consequences if someone's personal info or medical records get compromised. Same with cloud data. There are no laws securing it. Even in the financial sector, Visa will just do a light hand slap if PCI-DSS3 is completely ignored on all but the smallest merchants. HIPAA is lightly enforced in the medical sector, if that. FERPA as well.

      In the past, banks had to worry about regulators and the threat of more laws if they didn't run a tight ship. Now, there is no incentive either way, be it a carrot for being secure, nor a stick for not taking basic security precautions. Bank customers may complain, but most of the clients would have to change too much stuff to move to another financial institution, so they won't have that many people stop doing business overall, especially if there is some vague promise of "we will do better next time".

    9. Re:To Big To Fail by i+kan+reed · · Score: 1

      I'm wary of your "in the past" statement. When exactly in the past do you mean?

    10. Re:To Big To Fail by Sir_Eptishous · · Score: 1

      Probably before Clinton and the Republican Congress gutted bank regulators.
      What did you think he meant?

      --
      We play the game with the bravery of being out of range
    11. Re:To Big To Fail by mlts · · Score: 1

      Russia, China, Middle East, etc. Unlike the Internet when there was a threat of having the upstream pull the connection, so there was incentive of minding the store when it came to attacks, there is none now. In fact, some countries encourage it, since they dislike the West and view any place there as open season.

      Realistically, the only solution is to do like the US Government with SIPRNet and NIPRNet, and have dedicated wires (not VPNs or stuff running over existing Internet connections) for a financial network that is completely disconnected from the Internet.

Perhaps a protocol can be designed from layer 1 up with public/private key encryption in the NIC hardware (preferably in a tamper-resistant case) so that a machine that is not expressly added to the core fabric is completely ignored. Since this network is not public, it can be designed from the ground up to be secure, with a strict central party being the gatekeeper of which machines can and cannot communicate with each other. With this in mind, plus the fact that the central authority has the ability to pull access if a member machine gets compromised, it would boost security tremendously. Not 100%, as there will always be ways to bridge things, even air gaps, but it will be far better than just having it accessible to the Internet if the internal firewalls get turned off.
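The admission model in that comment (a central gatekeeper holding the keys of every machine allowed on the fabric, frames from anything else ignored, revocation when a member is compromised) is small enough to show end to end. Added example, not code from the thread or from any real closed network: each machine signs frames with an Ed25519 key that would live in the NIC, the authority keeps the admitted public keys, and a receiver drops unknown or revoked senders at a single map lookup before it even verifies the signature. The Frame layout, the sequence-number replay check and all machine names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

type pubKey [ed25519.PublicKeySize]byte

func keyOf(pub ed25519.PublicKey) (k pubKey) { copy(k[:], pub); return }

// Authority is the central gatekeeper: the set of public keys expressly
// admitted to the fabric, with the ability to revoke any of them.
type Authority struct{ admitted map[pubKey]string }

func NewAuthority() *Authority                              { return &Authority{admitted: map[pubKey]string{}} }
func (a *Authority) Admit(name string, p ed25519.PublicKey) { a.admitted[keyOf(p)] = name }
func (a *Authority) Revoke(p ed25519.PublicKey)             { delete(a.admitted, keyOf(p)) }

// Frame is a hypothetical link-layer unit: sender key, sequence number
// (replay protection), payload, and a signature over seq||payload.
type Frame struct {
	Sender    ed25519.PublicKey
	Seq       uint64
	Payload   []byte
	Signature []byte
}

// Machine stands in for a NIC holding a private key in tamper-resistant
// hardware; here the key pair is simply generated in memory.
type Machine struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	seq  uint64
}

func NewMachine(name string) *Machine {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Machine{Name: name, pub: pub, priv: priv}
}

func (m *Machine) PublicKey() ed25519.PublicKey { return m.pub }

func signedBytes(seq uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

// Send emits a frame signed by the machine's key with a fresh sequence number.
func (m *Machine) Send(payload []byte) Frame {
	m.seq++
	return Frame{Sender: m.pub, Seq: m.seq, Payload: payload,
		Signature: ed25519.Sign(m.priv, signedBytes(m.seq, payload))}
}

var (
	ErrNotAdmitted = errors.New("sender not admitted by authority")
	ErrBadSig      = errors.New("bad signature")
	ErrReplay      = errors.New("replayed or stale frame")
)

// Receiver is any admitted endpoint; it consults the authority and remembers
// the last accepted sequence number per sender.
type Receiver struct {
	auth    *Authority
	lastSeq map[pubKey]uint64
}

func NewReceiver(a *Authority) *Receiver { return &Receiver{auth: a, lastSeq: map[pubKey]uint64{}} }

// Accept returns the sender's name and payload, or an error. The admission
// lookup runs before signature verification, so frames from unknown or
// revoked keys cost one map lookup and never reach a parser.
func (r *Receiver) Accept(f Frame) (string, []byte, error) {
	k := keyOf(f.Sender)
	name, ok := r.auth.admitted[k]
	if !ok {
		return "", nil, ErrNotAdmitted
	}
	if !ed25519.Verify(f.Sender, signedBytes(f.Seq, f.Payload), f.Signature) {
		return "", nil, ErrBadSig
	}
	if f.Seq <= r.lastSeq[k] {
		return "", nil, ErrReplay
	}
	r.lastSeq[k] = f.Seq
	return name, f.Payload, nil
}

func main() {
	auth := NewAuthority()
	teller, rogue := NewMachine("teller-01"), NewMachine("rogue")
	auth.Admit(teller.Name, teller.PublicKey())
	rx := NewReceiver(auth)
	for _, f := range []Frame{teller.Send([]byte("batch 1")), rogue.Send([]byte("hello"))} {
		name, p, err := rx.Accept(f)
		fmt.Printf("from=%q payload=%q err=%v\n", name, p, err)
	}
	auth.Revoke(teller.PublicKey())
	_, _, err := rx.Accept(teller.Send([]byte("batch 2")))
	fmt.Println("after revocation:", err)
}
```

Revocation here is instant because every receiver asks the same in-memory authority; on a real fabric the admitted set has to be distributed, and the window between compromise and propagation is exactly the gap the comment's "not 100%" is pointing at.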

    12. Re:To Big To Fail by i+kan+reed · · Score: 1

Well, I mean only a few years before that was the fucking savings and loan crisis. Those idealized halcyon days should probably exist before we talk about how we have abandoned their principles. If you know me, you'll know I'm no fan of imaginary free market solutions to systemic problems, but the past was just as rife with pointless deregulation as today.

    13. Re: To Big To Fail by Anonymous Coward · · Score: 0

      A quick bandaid to issue could be a result of mistakenly cutting international fiber cables. :)

  2. "stolen?" by Anonymous Coward · · Score: 0, Interesting

    "If you still have it it is not stolen."

    *mv* is theft, *cp* is not.

    1. Re:"stolen?" by Anonymous Coward · · Score: 5, Insightful

      Shhhh! You'll point out the groupthink's duplicity.

      It's fine when it's about getting free shit even if that harms someone else's livelihood. Information wants to be free! But when it's YOUR info that's copied, even if you still have that info, well, that's very different, you see.

      Prepare to be modded down for saying things people don't want to hear.

  3. When JP Morgan leaks ... by wylderide · · Score: 1

    ... Everybody listens.

    --
    This is the best restaurant I ever eat in
  4. Security through obscurity - useful but inadequate by c0d3g33k · · Score: 4, Insightful

    The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application

I find this interesting because it shows both the usefulness but ultimate inadequacy of security through obscurity. Had the hackers been unable to obtain this information, the implication is that the breach would not have happened, or at least not happened as soon. Without the ability to create a road map, they would have had to take the less efficient approach of randomly guessing and probing with the hope that something worked. So keeping that list of applications and programs a secret has some value.

    On the other hand, it underscores the importance of the point that people have been making about security through obscurity for decades: it's very weak security, and once that layer of the security onion is breached, there had better be stronger security layers underneath. Like patched and updated programs and web applications that close known vulnerabilities. I'm guessing that didn't happen, because the JP Morgan Chase management has probably acted like many other management teams I've had the "pleasure" of working with - they placed higher value on the secrecy than actually fixing stuff, because the former costs less, and it kind of works until it doesn't (and then that policy fails in a big way).

    I sincerely hope that these breaches light a fire under the asses of lax management at these large companies and they realize that spending the time and resources to *really* secure their systems is worth it in the long run.

    And then I laugh sadly, because that's wishful thinking.
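The "road map" in the summary and the "patched and updated programs" in the comment above are the same join, run by two different parties: an application inventory cross-checked against a table of known vulnerabilities with their fixed versions. Added example, not code from the thread or from JPMorgan: it performs that join over a constructed inventory and a constructed advisory table and orders the hits by severity, which is the attacker's target list read one way and the defender's patch queue read the other. Host names, product names, versions and the ADV-* identifiers are all invented for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Asset is one line of a software inventory: the "road map" of what runs where.
type Asset struct {
	Host, Product, Version string
}

// Advisory is one known vulnerability; versions below FixedIn are affected.
// IDs and products are hypothetical.
type Advisory struct {
	ID, Product, FixedIn string
	Severity             int // 1 (low) .. 10 (critical)
}

// Finding pairs an asset with an advisory that still applies to it.
type Finding struct {
	Asset    Asset
	Advisory Advisory
}

// parseVersion splits "2.4.7" into [2 4 7]; non-numeric parts become 0.
func parseVersion(v string) []int {
	parts := strings.Split(v, ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, _ := strconv.Atoi(strings.TrimSpace(p))
		out[i] = n
	}
	return out
}

// versionLess reports whether a < b component by component; a missing
// component counts as 0, so "2.5" < "2.5.1".
func versionLess(a, b string) bool {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(va) || i < len(vb); i++ {
		x, y := 0, 0
		if i < len(va) {
			x = va[i]
		}
		if i < len(vb) {
			y = vb[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// CrossCheck joins inventory against advisories and returns every pair where
// the installed version is older than the fixed version, highest severity first.
func CrossCheck(inv []Asset, advs []Advisory) []Finding {
	var out []Finding
	for _, a := range inv {
		for _, adv := range advs {
			if strings.EqualFold(a.Product, adv.Product) && versionLess(a.Version, adv.FixedIn) {
				out = append(out, Finding{a, adv})
			}
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		return out[i].Advisory.Severity > out[j].Advisory.Severity
	})
	return out
}

// Constructed sample data; nothing here describes a real system.
var SampleInventory = []Asset{
	{"web-01", "webfront", "2.4.7"},
	{"web-02", "webfront", "2.5.0"},
	{"app-01", "appserver", "8.0.31"},
	{"db-01", "dbengine", "11.3"},
}

var SampleAdvisories = []Advisory{
	{"ADV-0001", "webfront", "2.5.0", 9},
	{"ADV-0002", "appserver", "8.0.33", 7},
	{"ADV-0003", "dbengine", "11.2", 5},
}

func main() {
	for _, f := range CrossCheck(SampleInventory, SampleAdvisories) {
		fmt.Printf("%-7s %-10s %-7s -> %s (fixed in %s, severity %d)\n",
			f.Asset.Host, f.Asset.Product, f.Asset.Version,
			f.Advisory.ID, f.Advisory.FixedIn, f.Advisory.Severity)
	}
}
```

Two of the four sample hosts come back (web-02 and db-01 are at or past the fixed version), which is the comment's point in miniature: the inventory is only a liability while the second column of that output is non-empty.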

  5. Just left Chase by Anonymous Coward · · Score: 0

six months ago and went over to USAA. Best thing I ever did banking wise. I left because of Chase's nasty debacle with the London whale and the way they handle business. I don't want to reward shady behavior. It angers me that they behave in this manner yet their CEO gets millions in bonuses. No way I can support this...

  6. Other banks too? by Anonymous Coward · · Score: 2, Interesting

    I seem to recall hearing JP Morgan and FIVE other banks were compromised in this attack. At the time, the news (and /.) only mentioned JP Morgan by name. The consensus as I remembered was the other five banks were small and WERE too little to fail.

    Well, I would still like to know who these other victims were. What if it was a banking institution I use? I want to know if I have been exposed.

    Maybe it's time for the law to require notifications and possibly penalties to those institutions which don't take cyber security seriously.

  7. Litigate to mitigate ... by CaptainDork · · Score: 1

    ... legislate to regulate.

    Until the likes of JP Morgan Chase feels pain, this crap will continue.

    We need security liability laws.

    --
    It little behooves the best of us to comment on the rest of us.
  8. This is insane... by briancox2 · · Score: 3, Interesting

    Why have Visa and Mastercard not changed their purchase validation system?

    A static number that, once discovered, allows anyone to make a purchase until that number's use is deactivated? I should have 2-factor auth on all purchases, my credit card number should only act as a public key, or I should have the ability to generate new disposable numbers on the fly.

They've pushed this nomenclature of "identity theft" (which attempts to make consumers feel as though they've been robbed) when in truth these are just cases of fraud that were made possible and likely because Visa and Mastercard haven't improved THEIR security for about 20 years.

    --
    We should learn what we need to know about issues, before we decide what we need to feel about them.
    1. Re:This is insane... by the+eric+conspiracy · · Score: 1

      I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.

      The problem is the retailers haven't implemented terminals to support it yet.

    2. Re:This is insane... by OzPeter · · Score: 4, Interesting

      I don't know about you, but the cards I've been getting recently include a chip in order to support two factor authentication via chip and signature.

      The problem is the retailers haven't implemented terminals to support it yet.

      They are starting to. And the first place that I ever used my chipped CC at was Walmart. (Which confused the hell out of the associate who was insisting that I swipe the card, rather than inserting it into the chip reader slot)

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:This is insane... by Anubis+IV · · Score: 2

      Why have Visa and Mastercard not changed their purchase validation system?

      The short answer is that they haven't done it yet because they couldn't.

      The longer answer is that if you look into this a bit, what you'll find is that they actually started making moves back in 2012 to get the ball rolling on the shift to EMV in the US, but these things take time and almost all of the migration is actually out of their hands. It isn't possible to respond with the massive roll out that's necessary, so we're still in the process of slowly migrating (our migration is different than most other nations that have gone through a similar migration, owing mostly to the larger scale and the significantly greater penetration of the previous technology).

      Visa, Mastercard, Discover, and American Express all announced back in mid-2012 that they would be switching to EMV and implementing a liability switch for merchants who didn't keep up. But the whole thing succeeds or fails based on the cooperation of merchants who upgrade their POS systems to deal with EMV, which can mean a significant cost to them, so the merchants had to be given time to make those plans. As a result, the actual liability shift is still a year away, set to take place in October 2015.

      In the meantime, we're in a weird time, where magnetic strip technology is essentially broken, yet the replacement for it is still a year away and can't reasonably be pushed forward any sooner since the actual implementation of it is out of the credit card companies' hands.

    4. Re:This is insane... by Anonymous Coward · · Score: 0

      The credit card companies could have applied a larger forcing function: refuse all non-EMV transactions.

    5. Re:This is insane... by I'm+not+god+any+more · · Score: 1

      https://www.mbnashopsafe.com/o...
It's been around for over ten years. It provides disposable numbers. Each new number is locked into a single payee, and you can update/set the expiration date and credit limit for these numbers, so you never have to reveal the "root" CC number - not even for recurring bills.
      I don't think you can change the name on the card or the billing address.

    6. Re:This is insane... by briancox2 · · Score: 1

      I wasn't referring to transactions where a card is physically present. I'm talking about the online use of the information where the only thing required is a static set of numbers. But I would also like to see disposable (one-use) numbers available for physical transactions using my phone as a 2-factor auth.

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.
  9. NSA "Treasure Map" tech by Anonymous Coward · · Score: 0

    Sounds like NSA technology and technique. Escaped into the 'wild'?
    http://www.spiegel.de/international/world/snowden-documents-indicate-nsa-has-breached-deutsche-telekom-a-991503.html

  10. The cyberbogeymen strike again! by Anonymous Coward · · Score: 0

    Who did what now? We don't know! So we're throwing out lots of scary sounding words out! But we're not informing, shame on us. -- the journo hacks.

  11. When I was a kid... by Anonymous Coward · · Score: 5, Insightful

    ...they used to print all of that information up in a four-inch-thick book and leave it on your doorstep every six months or so. (Minus the email addresses, of course.)

    1. Re:When I was a kid... by Anonymous Coward · · Score: 0

      Sure, but there wasn't a set of codes after each listing like

          J = JP Morgan Chase account holder
          H = HomeDepot shopper
          A = Slashdot AC poster

      etc.

    2. Re:When I was a kid... by Anonymous Coward · · Score: 0

      Yeah, in the bad old days you had to case the neighborhood on foot. I saw some interesting things when I was a paperboy. I realized that if I wanted to be a thief, there was a lot of low-hanging fruit in suburbia. There was one guy on my route who often fell asleep with the TV on and the door ajar. Then there were the drunk drivers. Tire tracks by the side of a wide driveway are the sign. When the actual deed occurs, you hit the house at 3 AM on Sunday morning. You know to hit because the car is parked at a weird angle in the driveway. Two wrongs don't make a right... but if the cops don't get you for DUI, a smart suburban thief might.

  12. Sensitive information by CimmerianX · · Score: 4, Insightful

    Chase is really spinning this by saying that no sensitive information was taken in the hack.

    Well, it seems that the crackers now have tens of millions of *confirmed* Names, addresses, phone numbers, and emails at the very least. That is a freakin treasure trove of information.

    I like my privacy and take great care not to let information out into the world. But Doctors, banks, and gov always want every bit of info on you so they make the best targets.

    1. Re:Sensitive information by Anonymous Coward · · Score: 0

      Names, addresses, and phone numbers. Aren't those in a phone book?

    2. Re:Sensitive information by Anonymous Coward · · Score: 0

      Names, addresses, and phone numbers. Aren't those in a phone book?

      Phone book? You mean those yellow dead tree things that I use to light my BBQ?

    3. Re:Sensitive information by antdude · · Score: 1

And it is difficult to keep them under our control after we give them our personal data. Who knows how much got leaked out even if there were no breaches. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  13. Numbers don't seem right by Anonymous Coward · · Score: 1

    There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

    I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.

    1. Re:Numbers don't seem right by CJL98 · · Score: 3, Insightful

      There are only 115 million households in the US. JP Morgan lost info on 76 million. I find it hard to believe that 2/3 of the households in the US are JPMorgan/Chase customers.

      I wonder if the info stolen was actually some sort of master marketing file, perhaps from one or all three of the credit bureaus.

I don't. Between credit cards, mortgages, car loans, etc I can believe it. I currently have a car loan with them and within the last 5 years had a credit card.

    2. Re:Numbers don't seem right by Phreakiture · · Score: 2

      Well, I can see two factors that you're not thinking about: (1) a person having accounts at more than one institution (e.g. I do) and (2) different people in one household having accounts at different institutions (e.g. my wife and I have mostly but not entirely the same banks). It makes it quite plausible that multiple large banks could have customers in over half of the nation's households.

      This can be particularly pronounced with loans and credit cards for various reasons including "brokering" a deal for the end customer (think in terms of a car dealer or realtor finding you a loan/mortgage) and the fact that loans get bought and sold between banks.

      --
      www.wavefront-av.com
    3. Re:Numbers don't seem right by michael_rendier · · Score: 1

      JP-Chase handles foodstamps accounts...

      --
      There are three kinds of people in the world. Those that can count, and those that can't.
  14. Tweets by Anonymous Coward · · Score: 0

    Reminds me of a post I saw on Twitter the other day:

    "Why hack celebrity nudes? Do something useful - hack Experian and give us all 800 credit!"

    Personally, I thought it a brilliant idea.

    -- CanHasDIY, too lazy to log in

  15. No credit cards, just names and email addresses by raymorris · · Score: 1

    > Why have Visa and Mastercard not changed their purchase validation system?

    This story has nothing whatsoever to do with credit cards. The bad guys got a list of names and email addresses - a phone book.

    1. Re:No credit cards, just names and email addresses by briancox2 · · Score: 1

      My point raymorris, is that that should not be possible! You shouldn't be able to obtain a static number and then have the right to start charging money. The story just highlights how wrong the current system is.

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.
  16. How much? by Anonymous Coward · · Score: 0

    76 million households? Isn't that the entire population of USA?

    1. Re:How much? by bigwheel · · Score: 1

      No. The US population is around 319 million. Also, JP Morgan handles the food stamp credit cards, which accounts for around 45 million. Finally, I assume that not all of the breached households are in the US.

  17. Why? Really? by Anonymous Coward · · Score: 0

    Why have Visa and Mastercard not changed their purchase validation system?

    Really? You have to ask why Visa and MasterCard who are paid a percentage of every transaction haven't made it a bigger PITA to make a transaction with one of their cards?

    Are you unaware that most of the costs of a fraudulent transaction fall on the merchants?

    When they implement EMV card security in the US they aren't even going to require a PIN to authorize purchases because American consumers might forget their PINs and end up putting fewer transactions on credit cards.

    1. Re:Why? Really? by mlts · · Score: 1

      I just confirmed that. Here in the US, EMV cards can be used without a PIN. So, all it will take is an unscrupulous person to run the card in two EMV readers, the legit transaction, then another for another charge, and the customer wouldn't know until it hits the monthly statement.

I hope that if a PIN is set, an EMV transaction does not move forward, period... but we already have PINless debit transactions, so I wouldn't be surprised to see such a basic security upgrade like EMV gutted.

18. once everybody's had their identity stolen by Anonymous Coward · · Score: 0

    Soon we'll ALL be Anonymous Coward.
    Then we can finally correctly implement our socialist utopia. Everyone will always get first post.

  19. One chase employee password by Anonymous Coward · · Score: 0

    According to the TV news this morning, the breach was one employee password. One employee password granted this level of access.

  20. And now it all makes sense by PhrostyMcByte · · Score: 3, Interesting

    My workplace gets regular audits from our clients, usually every 3-24 months depending on how big/paranoid the client is. JP Morgan Chase is one of them.

    We could tell the audit this summer was a bit different. It took about twice as long and went into much more detail than usual specifically regarding our tech side. After the audit, we got an unexpected list of demands related to stopping leaks.

    Now, we don't handle sensitive financial information for them, so it's possible they were just trying to cover all their bases and we got stuck with security theater. Irritatingly, everyone in IT immediately recognized that the demands wouldn't actually prevent leaks. When you have a company full of employees who regularly use FTP, email, and even dropbox to send files to clients, you're simply not going to be able to prevent it.

    After months of back and forth trying to kill some of the more ridiculous demands -- like blocking access to Gmail, which we use for company email -- they simply wouldn't budge. We've been wondering why they're standing so firm about it, and now it all makes sense.

    1. Re:And now it all makes sense by Anonymous Coward · · Score: 0

      What kind of fly-by-night company uses Gmail for their email? I can see why JP Morgan would worry with people like you.

  21. I'll bet you... by michael_rendier · · Score: 1

    that if i took a little bit of time on Google, I could find all this information as well...in the yellow pages...SMH

    --
    There are three kinds of people in the world. Those that can count, and those that can't.
    1. Re:I'll bet you... by gregsmac · · Score: 1

      So how long to Google 76 million? I am not in the Yellow pages and a google of me turns up zilch. I need to have faith that people I do share this info with don't let it get away.

    2. Re:I'll bet you... by michael_rendier · · Score: 1

Two things... A) The right piece of code and the right piece of hardware could burn through 76 million searches rather quickly... Facebook itself has how many users with phone numbers and addresses? My Android phones like to automagically take all my Google Plus contacts/email addresses and Facebook contacts and put them in my personal contact lists for me (I have to shut this off, as I don't like having to scroll through thousands of contacts to find my local friends whom I desire to call). B) Go check out the people searches like pipl.com etc... I have found my phone numbers and addresses clear back to when I was in the military in Colorado... the amount of information about EVERYONE on the internet is rather staggering... Either you don't know how to use Google, or you're intentionally not using Google properly to maintain your "Faith"... which is what some would call swimming in that river in Egypt.

      --
      There are three kinds of people in the world. Those that can count, and those that can't.
  22. this year by Anonymous Coward · · Score: 0

That can only mean one thing:

    BIG BONUSES for JP Morgan execs this year!

  23. So essentially... by Fnord666 · · Score: 1

    The compromised data included names, email addresses, phone numbers, and addresses.

    Holy defecation Batman! Hackerz stole a phone book!

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:So essentially... by c0d3g33k · · Score: 1

      Don't trivialize this by ignoring the true nature of the breach.

      This is more like obtaining an exclusive unlisted client list detailing who exactly is doing business with a given organization. The phone book doesn't provide that connection - knowing names, addresses and phone numbers doesn't tell you which crucial and vulnerable businesses are associated with a household. Obtaining the same information from a business of interest is a different story entirely. Metadata is crucially important.

  24. Re:Security through obscurity - useful but inadequ by Anonymous Coward · · Score: 2, Informative

    I have worked with JPMC several times, and can tell you you are way off base. They spend an ENORMOUS amount of money on IT and especially security.

No system is perfect. Given enough incentive, anything can be broken. And, make no mistake, there is a TON of incentive to successfully breach a banking system. In fact, it would seem that the fact all they got was names, etc, and not banking details, shows that their systems are not nearly as weak as you think.

  25. Nobody cares by fulldecent · · Score: 3, Interesting

    As someone who has done research on banks and disclosed security holes (plug -- live exploits posted to http://privacylog.blogspot.com... not always obvious, not always interesting) I can tell you NOBODY cares.

    I am still working up the balls or requesting legal advice to tell me I am in the clear so I can tell you the details. But to summarize, there are still **egregious** security failures out there and they can be found by just one person. If you find one of these things you will see too that it is possible to get the federal and industry agencies on the phone that you would expect to be interested in this stuff. But it is purely a courtesy. As soon as you hang up, they will go back to focusing on botnets or revenue-impacting issues.

--
I was raised on the command line, bitch

    1. Re:Nobody cares by Stan92057 · · Score: 1

I've been saying this for years: there needs to be some kind of national security committee that exploits are sent to. If said company ignores the problem they get fined big time. That's the only thing these corporations care about, money, so we need to start making the fines much larger and maybe criminal charges as well. Think about it: who are they going to listen to first, some stranger like you who has no power, or a Government Office that has the power to shut them down and fine and jail?

      --
      Jack of all trades, master of none
    2. Re:Nobody cares by garyebickford · · Score: 1

      NSA's Information Assurance Division (not the spooks) works hard to help and to convince Big Corp to clean up their act. They recognize that financial IT security is fundamental to national security. Also, the FBI has a group that works to help companies improve security. So you might reach out to one of them.

      The fundamental problem is typified by Home Depot's management - as a Redditor noted, when IT asked for budget to implement essential security, their upper management said, "We sell nails and hammers. We don't need that." Now it may well cost them $1 billion.

      Here are a couple of rules of thumb you can tell your management. These are straight from web security and biometrics people I work with. A website breach (e.g. Target, Ebay, Home Depot, JPM) costs the company an average of $178 per customer (not website user - _customer_). That is a number that should invoke heart palpitations in the CFO - multiplied by the number of customers, it's probably more than the value of the company.

      In the healthcare industry, a single lost or misplaced laptop will cost a minimum of $2.5 million in fines (HIPAA violations), liability, paying for patients to get identity theft insurance, etc. - even if no data is actually compromised and the laptop is recovered! If data actually makes it into the black hat world, the price goes up by multiples.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  26. Security - WWW by FlyingGuy · · Score: 1

    That phrase is quickly turning into the newest oxymoron.

    Hey, I know, let's stitch together these 8 completely open and utterly un-certifiable frameworks, have everything talk to each other through XML files, store high value passwords in them so we can just look at the database like a black box. Then let's expose all that to the world of hackers and madmen and then act surprised when we discover it's been broken into!

    --
    Hey KID! Yeah you, get the fuck off my lawn!
  27. Completely unrelated. by raymorris · · Score: 1

    > You shouldn't be able to obtain a static number and then have the right to start charging money. The story just highlights how wrong the current system is.

    No, it doesn't. The story has absolutely nothing whatsoever to do with credit cards. That's a completely unrelated topic. Maybe credit card numbers are stupid, maybe Obama is stupid, maybe you're stupid. This story has absolutely nothing to do with any of those things.

    1. Re:Completely unrelated. by briancox2 · · Score: 1

      Doh!

      So, I have made a new resolution. I will RTFA or at least drink coffee in the morning before posting on /. from now on. =)

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.
  28. Re:Security through obscurity - useful but inadequ by c0d3g33k · · Score: 0

    Well, that's hardly comforting. So even spending an ENORMOUS amount of money on IT and security can't prevent your system from being breached in a big and spectacular way? Then either that enormous amount of money was spent poorly, or that information should not have been exposed to the internet in the first place until it was properly secured. They were breached, in a big way. So their systems were exactly as weak as I think, enormous expenditure aside. I fail to see your point. "They tried REALLY hard" doesn't count for beans if they don't succeed.

  29. Doesn't Chase SELL this???? by Anonymous Coward · · Score: 0

    Doesn't Chase SELL this info to every Tom, Dick, & Harry who ponies up a few bucks?

    1. Re:Doesn't Chase SELL this???? by Anonymous Coward · · Score: 3, Funny

      That's the crime. Someone got it for free.

    2. Re:Doesn't Chase SELL this???? by Bite+The+Pillow · · Score: 1

      I got it for free.

      From your mom.

  30. Re:Security through obscurity - useful but inadequ by bws111 · · Score: 2

    "The point" is that no system is, or will ever be, perfect. You are the one making the claim that they are too cheap to patch systems, etc. They aren't.

    Even with their precautions someone breached them. That does not mean the money was not well spent, it just means that their system (including all the users of their system) is not perfect. I suppose YOU could make a 'perfect system' for them?

    Of course they COULD have kept that valuable customer name/email information off the internet. That would kind of make it impossible to offer on-line banking (something probably 99% of their customers want), wouldn't it?

    There will ALWAYS be tradeoffs between usability and security. A perfectly secure system would be virtually useless. The trick, of course, is finding the right balance. A breach like this does not show that the balance is not currently right.

  31. Re:Security through obscurity - useful but inadequ by Bob+the+Super+Hamste · · Score: 1

    You also forget that there is a difference between spending a metric shit ton of money on products and actually being effective. Working in the field of computer security, I see an awful lot of "buy our magic product and it will do everything but get the cute girl in accounting to suck you off" type of stuff. When you actually dig in, you find out that most of it is a presentation targeted towards managers who know buzzwords and PowerPoint slides, but the tool is completely worthless. I'm looking at you, "event correlation tools", as they seem to be the popular ones now. Then there is the check box security, where they buy products to check something off but never configure it properly. Why yes, we have LDAP, network firewalls, as well as a software firewall on each host; none of them do a fucking thing, but they are all fully patched. Don't forget your AV that you never bother to check the results of. I go to customer sites all the time, most of which are targeted by state actors, and there is a lot of check box security and security theater that they have spent a lot of money on, but there is real functional security as well that even in its limited capacity stops most things. Think of it like this: it is the difference between what is done in Israel for airport security and what is done in the US for airport security; one wastes a lot of money for no real actual security but looks like it is doing something, while the other actually stops threats and secures things.

    --
    Time to offend someone
  32. Unexpectedly gracious and humble by raymorris · · Score: 1

    Well that's an unexpectedly gracious and humble reply to a post which included the words "maybe you're stupid".
    I'm sorry for including those words. Maybe you're a gentleman and a scholar, fine sir.

    1. Re:Unexpectedly gracious and humble by briancox2 · · Score: 1

      Thank you. I have pretty thick skin. But I'm also glad to cool things down when I realize I wasn't paying enough attention. Mea culpa.

      --
      We should learn what we need to know about issues, before we decide what we need to feel about them.
  33. JPM's IT controls have been criticized repeatedly by garyebickford · · Score: 1

    JPM's audits have been "qualified" by PWC for the last couple of years, because (despite in-house reports) the CIO has refused to implement proper controls. People in JPM who have reported these problems have been fired - from what I've heard, three heads of Risk Management have been fired in the last three years, each time after telling the CIO that he needs to fix these before their pension fund clients have to take action.

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/