Report: Two-Factor Authentication Hole Core To JPMorgan Breach

The JPMorgan Chase security team failed to implement additional authentication safeguards on its systems containing data on more than 83 million customers, resulting in a breach this summer that shook the financial giant.

CRN has learned that Mandiant, the digital forensics arm of security vendor FireEye, was called in following the lapse. It is assisting with the investigation and continues to provide incident response services for the bank. JPMorgan Chase hired a team that is dedicated to the bank and staffs the company's security operations center.

The New York Times reported on Tuesday, citing unidentified sources briefed on the bank's investigations, that the security team failed to implement two-factor authentication for access to the database servers containing the data. Two-factor authentication is a secondary authentication measure that validates the identity of someone attempting to gain access to sensitive resources.

The attackers reportedly gained access to the system after stealing the account credentials from a JPMorgan employee last spring, gaining access via the employee's personal computer. The intruders were detected accessing the company's internal network in August. JPMorgan Chase said the lapse impacted 7 million businesses and 76 million households. The exposed data included customer email addresses, physical addresses and phone numbers. It also impacted hundreds of small-business owners. The company is still conducting an internal assessment to address potential technology, process and policy improvements.

The Times reported that the criminals gained high-level access to more than 90 bank servers, but were caught before they could remove sensitive financial data and other customer information.

Early reports about the breach pointed to the potential for Russian government involvement as a result of the eroding relations between Washington and Moscow. But security experts at solution providers said financially motivated cybercrime was the most likely culprit. At least one of the attacks was traced to an IP address in Brazil.

Solution providers told CRN that the information stolen in the JPMorgan Chase breach could fuel phishing attacks. Phishing campaigns could be crafted using the data to lure banking customers into giving up additional details or visiting an attack website. So far, security experts said, there is no evidence that the data has been used in phishing campaigns or for other fraudulent activity.

A recent Ponemon Institute study found that more businesses are adding SMS-based two-factor authentication combined with one-time passwords as additional security measures for critical systems. The report found, however, that one of the biggest challenges for organizations is correctly implementing two-factor authentication.

The market for identity and access management technologies increased more than 20 percent from $4 billion in 2011 to $4.8 billion in 2013, according to IDC. Two-factor authentication can be a more cost-effective option to bolster security than adding network security gear, said Jon Oberheide, co-founder and chief technology officer at Duo Security, a company that sells multifactor authentication. Many of the high-profile data breaches stem from stolen usernames and passwords, Oberheide said. Additional authentication measures address prevention rather than detection and make it much more difficult for cybercriminals to gain access to sensitive servers with stolen credentials.

"These major breaches have placed a greater emphasis on costly recovery and incident response security technologies; prevention is not dead," Oberheide said. "In fact, in most breaches, big or small, stolen employee credentials obtained through simple attacks like phishing are the initial entry point into a victim's network. Simple technologies, like strong authentication, can offer effective preventative defense without falling into the typical expense-in-depth trap in the guise of defense-in-depth."