JP Morgan Breach Tied To Two-Factor Authentication Slip

itwbennett writes The attackers who stole information about 83 million JPMorgan Chase customers earlier this year gained a foothold on the company's network because a server reportedly lacked two-factor authentication, despite the company's practice of using two-factor authentication on most of its systems. The story, reported in the New York Times, echoes the warnings of security experts over the years that the breach of a single server or employee computer can put an entire network at risk.

Why the banks support a standard 2 factor system?

[140Mandak262Jamuna]

I got a RSA dongle from E-Trade. Schwab too has an RSA dongle 2 factor system, but they insist on me using a new schwab dongle. They would not work with E-Trade to register that dongle with their system. Each bank/brokerage wants to send out a dongle and expect the customers to jingle a dozen dongles like Mr McBeevee. Google with millions of customers allows you to get the second factor through cell phones and one-time pads. For free. Banks/credit cards in India send you an SMS every time there is a transaction. US financial institutions are worst in the world when it comes to implementing security for themselves, or helping the customers stay secure. Damn, they won't even let me freeze my credit reports. They let any Tom Dick or Harry pretend to be me, if they know my social security number.

Why can't they introduce two level log-ins for customers? First level log-in should be read-only, without any ability to modify anything. If you really want do a transaction, create a second level password. E*Trade used to have the system of "trade passcode" to be entered for doing actual trade, and the regular log in will only let you browse positions, balances, and set up alerts/watch lists. They took it away!

It figures, if they are that careless with their own servers, they don't give a rats tail about the customers security concerns.

Re:Why the banks support a standard 2 factor syste

[fuzzyfuzzyfungus]

Quite a few of the 'security' arrangements in financial areas make it abundantly clear that they suck because you don't really matter (this goes triple or worse for anything involving credit reports).

That said, RSA-fobs(or house-branded devices based on the same system) aren't actually something that would be trivial to share between organizations.

The RSA fob works because it is initialized with a given seed value at a given time. Every minute it performs a hash operation that provides enough output for the on screen numeric sequence along with the input for the next hash operation(if memory serves, it is reasonably well established that it is either impossible or computationally impractical to derive the internal state from knowledge of the screen output alone, even if you have many samples).

In order to enroll a fob in your authentication system, your auth server needs to know the seed and the initialization time. It can then run N rounds of the algorithm(based on the amount of time between initialization time and current time) and determine what should be displayed on the screen(sometimes allowing for a few minutes of slip, depending on how accurate the RTCs are believed to be), If you want Company B to use Company A's token, either Company B needs to pass every auth request to Company A for processing, and accept the result, or Company A actually has to send Company B the seed an initialization time for your fob(an operation that opens up certain obvious security concerns).

The RSA fobs are pretty cute(if it weren't for the fact that RSA stores all the seed values and times, and managed to get them stolen at least once), in that they require absolutely no communication between the fob and the auth server, ever; but they do suffer from the weakness that the data needed to validate a fob are also the data sufficient to clone a fob, which makes sharing a single fob between multiple entities pretty awkward.