Pando

Chase's record-breaking hack was caused by an oversight, not technical wizardry

By Nathaniel Mott, written on December 23, 2014

From The News Desk

At this point it might seem safer to keep bundles of cash underneath your mattress than to trust your life savings to a financial company. At least you'll know exactly how secure -- or insecure -- all that money will be instead of just relying on crossed fingers and luck.

The "crossed fingers and luck" strategy seems to be what breached companies like the Charge Anywhere payments company and JPMorgan Chase are relying on.

I've written before about Charge Anywhere's decision not to encrypt some of the payment authorization requests, which included sensitive information about consumer credit cards, that traveled along its network from retailers to payment processors. This allowed a hacker who intercepted the requests to steal the relevant credit card info.

But at least that was a stupid decision which has since been addressed. Chase, on the other hand, is said to have enabled its own data breach thanks to sheer incompetence.

The New York Times reports that the breach -- which is thought to have exposed the email addresses, phone numbers, and home addresses of 83 million people -- resulted from an "overlooked server" which hadn't been updated to the two-factor authentication system used to prevent attackers from gaining access with basic login credentials.

As the Times explains in the report based on unnamed sources familiar with the breach:

The attack against the bank began last spring, after hackers stole the login credentials for a JPMorgan employee, these people said. Still, the attack could have been stopped there.

Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan’s security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion.

This oversight allowed the hack to occur when it should have been caught by Chase's other safeguards. It also made the hack seem more sophisticated than it was -- some had suspected the bank was targeted by a state-sponsored group or other "sophisticated adversary," according to the Times. The truth, as usual, is much less exciting than that.

Hackers don't need to be technical geniuses to steal information from tens of millions of people. They just have to figure out where their targets failed to secure this data; after that it seems like stealing sensitive information isn't much harder than taking candy from a baby.

[illustration by Brad Jonas]