JP Morgan Chase Breach Compromised Data of 76 Million Households
JakartaDean writes with news that the cyberattack on J.P. Morgan Chase this summer resulted in stolen information on 76 million households and 7 million businesses. The compromised data included names, email addresses, phone numbers, and addresses. The bank said the attackers were unable to gather account numbers, social security numbers, or passwords.
The hackers appeared to have obtained a list of the applications and programs that run on JPMorgan's computers — a road map of sorts — which they could crosscheck with known vulnerabilities in each program and web application, in search of an entry point back into the bank's systems, according to several people with knowledge of the results of the bank's forensics investigation, all of whom spoke on the condition of anonymity. ... Even if no customer financial information was taken, the apparent breadth and depth of the JPMorgan attack shows how vulnerable Wall Street institutions are to cybercrime.
"If you still have it it is not stolen."
*mv* is theft, *cp* is not.
I seem to recall hearing JP Morgan and FIVE other banks were compromised in this attack. At the time, the news (and /.) only mentioned JP Morgan by name. The consensus as I remembered was the other five banks were small and WERE too little to fail.
Well, I would still like to know who these other victims were. What if it was a banking institution I use? I want to know if I have been exposed.
Maybe it's time for the law to require notifications and possibly penalties to those institutions which don't take cyber security seriously.
Why have Visa and Mastercard not changed their purchase validation system?
A static number that, once discovered, allows anyone to make a purchase until that number's use is deactivated? I should have 2-factor auth on all purchases, my credit card number should only act as a public key, or I should have the ability to generate new disposable numbers on the fly.
They've pushed this nomenclature of "identity theft" (which attempts to make consumers feel as though they've been robbed) when in truth these are just cases of fraud that were made possible and likely because Visa and Mastercard haven't improved THEIR security for about 20 years.
We should learn what we need to know about issues, before we decide what we need to feel about them.
My workplace gets regular audits from our clients, usually every 3-24 months depending on how big/paranoid the client is. JP Morgan Chase is one of them.
We could tell the audit this summer was a bit different. It took about twice as long and went into much more detail than usual specifically regarding our tech side. After the audit, we got an unexpected list of demands related to stopping leaks.
Now, we don't handle sensitive financial information for them, so it's possible they were just trying to cover all their bases and we got stuck with security theater. Irritatingly, everyone in IT immediately recognized that the demands wouldn't actually prevent leaks. When you have a company full of employees who regularly use FTP, email, and even dropbox to send files to clients, you're simply not going to be able to prevent it.
After months of back and forth trying to kill some of the more ridiculous demands -- like blocking access to Gmail, which we use for company email -- they simply wouldn't budge. We've been wondering why they're standing so firm about it, and now it all makes sense.
This is "all eggs in one basket" syndrome, and it is only going to get worse as more people move to the cloud, as LEOs of various countries get their backdoors (the example of countries demanding access to Blackberry's BIS servers comes to mind, and thus a database of keys to them), and as more data in general is stashed in one place.
To boot, there is no real financial gain by companies in general to actually bother with more than token security. They lose nothing by a major compromise, as they will have zero consequences if someone's personal info or medical records get compromised. Same with cloud data. There are no laws securing it. Even in the financial sector, Visa will just do a light hand slap if PCI-DSS3 is completely ignored on all but the smallest merchants. HIPAA is lightly enforced in the medical sector, if that. FERPA as well.
In the past, banks had to worry about regulators and the threat of more laws if they didn't run a tight ship. Now, there is no incentive either way, neither a carrot for being secure nor a stick for not taking basic security precautions. Bank customers may complain, but most of the clients would have to change too much stuff to move to another financial institution, so they won't have that many people stop doing business overall, especially if there is some vague promise of "we will do better next time".
As someone who has done research on banks and disclosed security holes (plug -- live exploits posted to http://privacylog.blogspot.com... not always obvious, not always interesting) I can tell you NOBODY cares.
I am still working up the balls or requesting legal advice to tell me I am in the clear so I can tell you the details. But to summarize, there are still **egregious** security failures out there and they can be found by just one person. If you find one of these things you will see too that it is possible to get the federal and industry agencies on the phone that you would expect to be interested in this stuff. But it is purely a courtesy. As soon as you hang up, they will go back to focusing on botnets or revenue-impacting issues.
-- I was raised on the command line, bitch