

JP Morgan Breach Tied To Two-Factor Authentication Slip

itwbennett writes The attackers who stole information about 83 million JPMorgan Chase customers earlier this year gained a foothold on the company's network because a server reportedly lacked two-factor authentication, despite the company's practice of using two-factor authentication on most of its systems. The story, reported in the New York Times, echoes the warnings of security experts over the years that the breach of a single server or employee computer can put an entire network at risk.

3 of 71 comments

  1. Why don't the banks support a standard 2 factor system? by 140Mandak262Jamuna · Score: 4, Interesting
    I got an RSA dongle from E-Trade. Schwab too has an RSA dongle 2 factor system, but they insist on me using a new Schwab dongle. They would not work with E-Trade to register that dongle with their system. Each bank/brokerage wants to send out a dongle and expects the customers to jingle a dozen dongles like Mr McBeevee. Google, with millions of customers, allows you to get the second factor through cell phones and one-time pads. For free. Banks/credit cards in India send you an SMS every time there is a transaction. US financial institutions are the worst in the world when it comes to implementing security for themselves, or helping the customers stay secure. Damn, they won't even let me freeze my credit reports. They let any Tom, Dick or Harry pretend to be me, if they know my social security number.

    Why can't they introduce two-level log-ins for customers? First-level log-in should be read-only, without any ability to modify anything. If you really want to do a transaction, create a second-level password. E*Trade used to have the system of a "trade passcode" to be entered for doing an actual trade, and the regular log-in would only let you browse positions, balances, and set up alerts/watch lists. They took it away!

    It figures: if they are that careless with their own servers, they don't give a rat's tail about the customers' security concerns.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Re: open source 2 factor authentication? by cloudmaster · Score: 3, Interesting

    Google Authenticator is an open source, easy to use TOTP (and HOTP) implementation which is not bad at all. The PAM module is decent, and the smartphone (Android, iOS, and BlackBerry support) client's QR Code enrollment is very convenient. Because [TH]OTP are standards, it's compatible with any other implementation of those standards, such as http://www.nongnu.org/oath-too... and the Yubikey tokens.

    Personally, I use the Google Auth client with pam_krb5 / MIT Kerberos using a custom preauth plugin with TOTP keys generated by oath and stored in an LDAP backend. It's pretty neat. I mostly went with TOTP because that allows me to more easily pre-generate keys for automation jobs, btw.

  3. Re: Banking IT by g0bshiTe · Score: 3, Interesting

    Compared to whom?

    --
    I am Bennett Haselton! I am Bennett Haselton!