Why $250 million didn’t protect JPMorgan from hackers…
Late last month, CBS Nightly News reported on a robbery at America’s biggest bank, JPMorgan. This attack was no ordinary hold-up. JP Morgan Chase fell victim to a targeted cyberattack despite spending $250 million on cybersecurity. According to information disclosed by sources to CBS, the criminal hacker gained unauthorized access by hacking into the endpoint device of a bank employee. It was not clear whether the attack targeted the employee’s mobile device, tablet, laptop or desktop, or whether it was a corporate-owned device or a bring-your-own device. What is clear is that hackers have once again captured national news coverage and mainstream attention by compromising a single user’s device to wreak havoc on a major corporation. With $250 million already spent, one can guess that this latest attack may be a top agenda item at the next boardroom meeting.
How could this have happened? Well, since JPMorgan is not yet a customer of Zimperium Mobile Security System, I’ll have to speculate that this attack could have happened in one of two ways.
It is more than likely that the bank employee was the victim of a spear-phishing attack. The victim likely opened content carrying a potential zero-day attack against client-side software, buried either in a link containing a browser exploit (read more) or in one of the following file types: PDF, XLS, DOC, etc. This type of attack applies to users working on either a mobile or a desktop device.
An alternative scenario is that the victim fell prey to a Man-In-The-Middle (MITM) attack while using public WiFi. With more business than ever being conducted on the go, outside the office, on unsecured public WiFi networks, the risk of a targeted cyberattack is significantly increased. The victim may have been compromised by a MITM attack that injected an iframe or script exploiting a client-side vulnerability on the user’s mobile device or laptop. Other options involve a rogue femtocell/base station placed by the hackers next to JP Morgan’s offices (read more) or, if the victim was physically close to the attacker, an NFC vulnerability (read more).
It is frightening to think that JPMorgan employs more than 1000 people to focus on cybersecurity. According to their annual shareholder letter, they have spent more than $250 million on cybersecurity. They utilize multiple layers of defense and constantly monitor threat levels, yet they still remain vulnerable.
Since I couldn’t have said it better myself, I’ll quote the CBS article published on MoneyWatch.
“One of the most important forms of protection is to regularly update servers, desktops, and mobile devices with the latest software security patches for the operating system and all programs on the machines. Large companies may have thousands of servers and tens of thousands of desktops and mobile devices, which makes the task daunting enough…” … “Also adding to the cybersecurity difficulty is the sheer numbers of hackers that are out there looking for unpatched vulnerabilities. There are always new system updates that may have created new security holes that haven’t been patched yet. As computer networks become increasingly complex — involving mobile devices tapping into wireless and cellular networks — any new change creates an opportunity for weakness that someone might find.”
One attack can result in a security breach, compromising an organization’s data, assets and brand. Today’s organizations need protection against advanced attacks without impacting the employee’s experience, privacy and productivity.
Zuk Avraham is a world-renowned white-hat hacker and leading security expert. As Founder and CEO of Zimperium, Zuk leads a team of specialists dedicated to protecting organizations from the growing threat of infiltration via mobile devices. He and his team have pioneered many new security approaches, including signature-independent protection.