JPMorgan Goes to War
Bloomberg (02/19/15) Robertson, Jordan; Riley, Michael A
JPMorgan Chase has built a vast security operation and staffed it increasingly with former military officers. The move comes after the massive breach of the bank’s computers last summer. JPMorgan is convinced that it faces threats from governments in China, Iran and Russia, and that the U.S. government is not doing enough to help. James Cummings, a former head of the U.S. Air Force’s cybercombat unit, oversees the bank’s digital security staff of 1,000, along with Gregory Rattray, a former Air Force colonel. In the attack, the hackers did not steal easily marketable data such as credit card numbers or account passwords, but may have been looking for deep vulnerabilities in the bank’s infrastructure or custom software to exploit later. Even with a security budget of a quarter of a billion dollars and an expensive system to capture data removed from the bank’s network, there are lingering questions about the attack. And regardless of any failings in protection by the government, some security experts say a mini-NSA in Midtown Manhattan is not the answer.
How Cyber Criminals Stole Up to $1B from Financial Services Companies
Fox Business (02/16/15) Kent, Jo Ling
Russian cyber security firm Kaspersky Lab says it has uncovered an ongoing cyber theft campaign targeting more than 100 banks and other institutions in 30 countries that may have resulted in the theft of as much as $1 billion. Kaspersky says the hackers, whose locations and origins are unclear, used spear phishing emails to infect targets with malware that allowed them to lay low and gather information about how the targets handle and move money throughout their systems. Ultimately, the attackers would use this information to manipulate these same systems to steal money, often by hijacking ATM networks, causing ATMs to dispense cash that was collected by the hackers’ associates. One victim lost $7.3 million to ATM fraud. Other attacks targeted the SWIFT financial network and Oracle databases to transfer funds out of bank accounts. Kaspersky says the attackers usually stole less than $10 million from any given target, which helped them go unnoticed. Only $300 million in losses have been confirmed, but Kaspersky suspects the true total is closer to $1 billion.
Businesses Use Fake Scam Emails to Root Out Security Issues
Associated Press (02/13/15)
A growing number companies are using fake phishing emails to test their employees’ security savvy and to provide a teachable moment for those that have not yet learned how to respond to a suspicious email. Eighteen percent of users will visit a malicious link in a phishing email, according to Verizon’s 2014 data breach report, and roughly one in four data breaches are caused by employees, according to a 2014 report from the Online Trust Alliance. Several companies such as Wombat Security and PhishMe actually offer fake phishing emails to enterprises as a service. PhishMe CEO and co-founder Rohyt Belani says that a mentality has built up in the security industry that users are “stupid” and the “weakest link,” but he says the fault lies at the feet of the security industry, which he believes needs to do more to educate users and fake phishing emails provide a means of doing that. Randy Withrow, chief information officer at Pinnacle Financial Partners, says his company has seen significant improvement among its workers since it adopted Wombat’s fake phishing email program. Successful phishing attempts have dropped by 25 percent at the company. Withrow says that workers will take it to heart when they fall for the fake phishing emails.
This Could Be the End of User Name and Password
Time (02/09/15) Calabresi, Massimo
The data breaches at JPMorgan Chase and Anthem likely will prompt New York Superintendent of Financial Services Benjamin Lawsky to impose new cyber-security rules on the banking and insurance industries — a move that could put an end to the simple user name and password identity checks used to access computer networks at the heart of the financial system. Law enforcement officials say early investigations of the Anthem breach indicate that foreign hackers used a company executive’s user name and password to access the personal data of 80 million people, and they note that the data theft could have been avoided if Anthem had implemented stronger identity verification methods. The Office of the Comptroller of the Currency says banks need to assess their own risks when determining whether additional verification methods should be used. Meanwhile, other regulators are worried that if New York’s Department of Financial Services or another agency strengthens standards on its own, banks with national operations will be forced to contend with a patchwork of rules. However, Lawsky says, “We really need everyone to go to a system of multi-factor verification.” Lawsky also plans to impose new requirements on third-party vendors.