"Mess with the best, Die like the rest!"
October 2, 2014 3:30 PM

JPMorgan Chase Says More Than 76 Million Accounts Compromised in Cyberattack [New York Times]
"The breach is among the largest corporate hacks, and the latest revelations vastly dwarf earlier estimates that hackers had gained access to roughly 1 million customer accounts."
posted by Fizz (122 comments total) 19 users marked this as a favorite
 
From the article:
"These people said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, leaving hackers plenty of time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them reentry into JPMorgan’s systems."
Terrifying.
posted by Fizz at 3:33 PM on October 2, 2014


Remember when it was a Very Serious Person's considered thought that these idiots should manage Social Security.

I am completely unsurprised by this.
posted by Pogo_Fuzzybutt at 3:42 PM on October 2, 2014 [20 favorites]


Terrifying.

slash awesome
posted by Potomac Avenue at 3:42 PM on October 2, 2014 [3 favorites]


G-ddamnit. Seriously?

I hate being right all the fucking time...
posted by mikelieman at 3:50 PM on October 2, 2014 [3 favorites]


Headline: JPMorgan Chase Says More Than 76 Million Accounts Compromised
3rd last graf: JPMorgan said there was no evidence that account information, including passwords or Social Security numbers, were taken.
Huh?
posted by gwint at 3:57 PM on October 2, 2014


This part:

Investigators in law enforcement remain puzzled by the attack on the bank because there was no evidence that the attackers looted any customer money from accounts.

The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.


is really curious. What's going on here?
posted by naju at 3:57 PM on October 2, 2014 [4 favorites]


Also: Anyone found a more technical write up?
posted by gwint at 3:58 PM on October 2, 2014 [2 favorites]


I'm a Chase customer. Their customer update on this has the following:

Here’s what you should know now:

There is no evidence that your account numbers, passwords, user IDs, date of birth or Social Security number were compromised during this attack.
However, your contact information – name, address, phone number and email address – was compromised.

Your money at JPMorgan Chase is safe:

Unlike recent attacks on retailers, we have seen no unusual fraud activity related to this incident.
Importantly, you are not liable for any unauthorized transaction on your account that you promptly alert us to.


Interestingly enough, my Chase card was just reissued last week, after someone used it to fraudulently purchase a couple grand in airline gift cards. And that card was itself only about three months old -- it had been reissued after the Target attack. I didn't shop at Home Depot in that time range, so I can only assume another retailer has had yet another security leak.

Fun times.
posted by pie ninja at 3:58 PM on October 2, 2014 [8 favorites]


And finally: This is really a systemic collapse happening in not quite slow motion, right? I mean, if you just take the 3 or 4 largest breaches that we know about in the last year, we're talking about most Americans having some financial account hacked.
posted by gwint at 4:00 PM on October 2, 2014 [36 favorites]


*raises hand* I had fraudulent charges on my Chase account in July. Two other people I know also had Chase fraud around the same time. It sounds like it's not related though, which is weird?
posted by naju at 4:01 PM on October 2, 2014 [2 favorites]


Why was JPMorgan not obligated (if not legally, then, I dunno... ethically?) to notify its account holders of this breach in late July, when they discovered it?
posted by argonauta at 4:02 PM on October 2, 2014


ETHICS? Man, do I have some stories to tell you about how ethics plays out in information security...
posted by mikelieman at 4:04 PM on October 2, 2014 [12 favorites]


Wow! That number is so huge! Of course, once you are inside someone's corporate systems, getting into more of their systems is one of your first priorities. Combine that with possible state sponsorship, and I could totally understand how it got so large.

I also want to say: expect more, large breaches to continue for at least two important reasons. Reason number one: incompetence. It's SUPER easy to accidentally leave your computers open to attack, both subtle and obvious. The larger your organization, the more likely this will happen.

And more importantly: the only completely secure system is the one unplugged from the internet. You can reach out and touch Chase (or anyone's) computers right from your home! Just log into their website! But wait, you say, that's different than logging in as an administrator with full database access! As a technologist, let me just say: only a little bit different, and it's only maintained through careful, constant vigilance.
posted by Phredward at 4:04 PM on October 2, 2014 [13 favorites]


Why was JPMorgan not obligated (if not legally, then, I dunno... ethically?) to notify its account holders of this breach in late July, when they discovered it?

**thinks about banks acting in an ethical manner**

hahahahhahahahahahahahahahahahahahaha
posted by Fizz at 4:06 PM on October 2, 2014 [26 favorites]


Considering that it took three separate visits to two separate branches in order to get them to issue an ATM card, I am really not that surprised.
posted by infinitywaltz at 4:13 PM on October 2, 2014


That's what you get for not allowing me to use special characters in my password, stupids!
posted by oceanjesse at 4:16 PM on October 2, 2014 [6 favorites]


Also: Anyone found a more technical write up?

"We're fucked."
posted by mikelieman at 4:16 PM on October 2, 2014 [16 favorites]


It doesn't seem implausible to me that "76 million household accounts" is the same as "all of the household accounts".
posted by aubilenon at 4:17 PM on October 2, 2014 [3 favorites]


What's the digital version of oil dispersant? Because they're going to pour that on this, declare the problem solved, and pay no fines.
posted by emptythought at 4:17 PM on October 2, 2014 [5 favorites]


"Rest assured, we've put engaged our best PR to help respond to this crisis"
posted by el io at 4:19 PM on October 2, 2014 [14 favorites]


*raises hand* I had fraudulent charges on my Chase account in July. Two other people I know also had Chase fraud around the same time. It sounds like it's not related though, which is weird?

Not that weird. Most people don't know just how huge JPMorgan/Chase really is. Would you care to hazard a guess about what percentage of American households are Chase customers?

The answer is about half. JPMorgan/Chase has some commercial relationship (credit card, mortgage, auto loan, checking account etc.) with about half the households in America. One in six Americans -- counting every man woman and child in the country -- is a Chase customer.

So it would be kind of surprising if you didn't know a few Chase customers who had been victims of some kind of fraud, which goes on every day.
posted by The Bellman at 4:20 PM on October 2, 2014 [7 favorites]


The best thing that can come of this is that there's a lot of people with a lot of money able to say to a lot of vendors, "well guess what, we look pretty fucking stupid right now and we're going to get you to implement your shit with actual security or we're going to file a lawsuit that makes Carthage look like a minor disagreement between Romans and Carthaginians".
posted by Talez at 4:22 PM on October 2, 2014


It was a little weird in that I generally go most of my life without hearing about Chase fraud, and then three instances happen around me within the same week. And then now we find out that was exactly when the huge account compromise happened and was discovered, but we are told no customer fraud occurred. It's probably nothing, I just have my tiny anecdata.
posted by naju at 4:24 PM on October 2, 2014 [1 favorite]


So it would be kind of surprising if you didn't know a few Chase customers who had been victims of some kind of fraud, which goes on every day.

And this is why, when I was with Bank of America between 2008 and 2012, they were all over that Six Sigma shit... Every extra decimal place is people whose accounts aren't fucked up...

Maybe it's because of where I was in the bank for most of that, "Government Speciality Banking". We processed tax returns. "Ethically", probably the most straightforward and clearcut business in the whole company. We scanned the forms, and ACH'd the remittances. ITIL was a thing, and we did pretty damned well, I think.

I'll stop here...
posted by mikelieman at 4:25 PM on October 2, 2014 [2 favorites]


I'm surprised that many Americans still have money.
posted by srboisvert at 4:27 PM on October 2, 2014 [14 favorites]


I wouldn't be surprised if we saw Викиутечки popping up with salacious info on prominent US businessmen and their shady dealings c/o Chase as a way to embarrass and terrorize those capitalist pigs.
posted by Talez at 4:27 PM on October 2, 2014 [1 favorite]


A while back I read a compelling argument for why, if you're poor, it may be in your best interest to blow any small windfall you might receive, and as quickly as possible. That's a hard position to understand for most people. "Well of course you save any extra money, and pay down debt," some would say, "over time compound interest market returns blah blah blah. Those are the only responsible moves." But, as the permanent poor have learned, money is a transient thing.

Lately I feel like that realization, that any money that rushes through your grubby fingers is fleeting and just as quick to rush out again so enjoy it while you can, is spreading upmarket. There are real reasons and imagined reasons for this: the low interest rate means traditional savings is a fool's game, more people are coming to terms with the idea that retirement is no longer a thing that will happen for them, even pensions are now on the defensive. But financial institution insecurity certainly adds to it. How many times will we all change a hundred passwords, double check our credit and bank statements, dispute credit reports, before we start feeling like the on-paper money isn't real and shouldn't be valued as such?

I'm pretty sure I read that original idea here and I wish I could find it again.
posted by 2bucksplus at 4:28 PM on October 2, 2014 [17 favorites]


Okay... even if "ethically" is its own joke (and it is), wouldn't you be straight-up pissed if you were a shareholder (let alone an account holder, I'm just speaking as close as possible to JPMC's conceivable self-interest), and you only find out because the NYT took a peek beyond the first page of their regulatory filings?? Criminy.

If nothing else it seems to indicate such terrible aptitude at PR. Getting out in front of the story might've felt more painful, but this seems like an absurdly worse way to go if you're actually trying to keep your customers. Or to attract any future ones. Or to help preserve, like, ANY consumer- or small-business-level confidence in the banking industry in general.

Forget the ethics. It just seems so self-defeating to sit on this, even if ONLY from a totally greed-driven business perspective. I must be missing something, because that boggles me more than the actual cybersecurity issues do.
posted by argonauta at 4:33 PM on October 2, 2014 [2 favorites]


you only find out because the NYT took a peek beyond the first page of their regulatory filings??

I am and I am.

But I am not a Chase "customer" because of choice. They bought my mortgage. They bought the bank that originally issued my credit card(s). They bought the bank I got my car loan through.

I'd prefer to never do business with them again, because, and I mean this in all seriousness - I've never interacted with an employee of theirs that could find their ass in a dark room if you shoved a flashlight up there. Every interaction with them is painful, and time consuming. DMVs are pleasant by comparison and a bastion of courtesy and intelligence compared to the yokels running JPMChase.

I wish I was exaggerating.
posted by Pogo_Fuzzybutt at 4:38 PM on October 2, 2014 [14 favorites]


Customer names, addresses, phone numbers and e-mail addresses were taken

Could be worse, they could have gotten the SSNs. Still, look for massive fallout as hackers with enough information go to town.

Security is such a silly pursuit.
posted by Tell Me No Lies at 4:38 PM on October 2, 2014


I must be missing something, because that boggles me more than the actual cybersecurity issues do.

Does it help your understanding to consider that often from the top down -- Board of Directors, President, Senior Admins -- all the way to the guy plugging in the network cable -- pretty much no-one really understands risk management, the relevant issues in the technology domain, and the context of their own duty and responsibility in addressing them? And in that vacuum, people can make bad choices. Really bad choices...
posted by mikelieman at 4:42 PM on October 2, 2014 [2 favorites]


Security is such a silly pursuit.

It's really not. It just requires a bit of common sense.
posted by Talez at 4:43 PM on October 2, 2014 [1 favorite]


What's going on here?
posted by naju


From an e-mail, posted upthread by pie ninja:
"There is no evidence that your account numbers, passwords, user IDs, date of birth or Social Security number were compromised during this attack.
However, your contact information – name, address, phone number and email address – was compromised."


Here's the thing. What they say was "not compromised" is very hard to prove. If those details (account numbers, passwords, user IDs, DOB or SS#) were stored as salted hashes in a database, and that database was accessed and read, all the hackers got was salted hashes. However, that data is still valuable, and if they copied it, and the servers were compromised in other ways, there is no reason to believe that they didn't steal the keys from the server as well, even if the keys were stored by another program or subservice (because they'd be needed at some point to decode that by some other service).

The fact that the hackers were doing a service map of the system means that they may fully well intend to breach everything at some point, but hadn't gotten to that point yet. Now, of course, the clock is ticking. If they have the keys to the encryption used to encode the salted hashes in the database tables, then the game is up, and all they have to do is smash up some block scripts and start dumping out their own database full of unencrypted information.

It's kind of like cracking the admin password on a windows box from the PAM. The system, when running, will not let you decrypt the password into plaintext. However, if you get a copy of the keys and a dump of the hashed password tables, you can use a second system to decrypt everything (at least in theory now. I know you could do this with Windows XP and Windows 2000. Haven't had to do anything like that since about 2003). Here's hoping the hackers are lazy or don't have a lot of disk space and computing horsepower to create the massively indexed database tables that they are going to have to crunch through.
posted by daq at 4:43 PM on October 2, 2014 [5 favorites]


Ditto. They now own EVERY bank I have ever had an account or card with as an adult. They have forced me to change cards twice this year. Which I bet is related to the current problem. I am now downloading my entire 2104 account history and eyeing it for discrepancies.

And switching to a hyperlocal credit union. Not a perfect solution, but being unbanked is not a reasonable option right now.
posted by Dreidl at 4:46 PM on October 2, 2014 [1 favorite]


Whenever someone asks, "why is financial software so clunky, ugly, and inelegant to use?", someone answers "well, developers have to prioritize either security or user-friendliness, and security is more important".

It's not-so-gradually becoming evident that the software is neither user-friendly nor secure.
posted by escape from the potato planet at 5:21 PM on October 2, 2014 [6 favorites]


"There is no evidence that your account numbers, passwords, user IDs, date of birth or Social Security number were compromised during this attack."
Statements like this always tickle my spider-sense of hearing when someone is trying to be technically and legally correct, while totally missing the point. All that statement says is "Our systems didn't log the bad guys accessing the accounts."

What it fails to say is "We also didn't log them breaking into our systems, and our team know there are a number of methods for directly reading the database/filesystem that don't trigger audit logs. So, while we really hope they didn't, and while our legal team says we can technically say that we have no evidence, the honest truth is, they got in, they rummaged around, and we don't know what they might have seen."
posted by Static Vagabond at 5:24 PM on October 2, 2014 [15 favorites]


Dreidl: I am now downloading my entire 2104 account history and eyeing it for discrepancies.

Now that's a feature worth staying at Chase for.

"Okay, who spent 1500 galactic credits on android polish?"
posted by dr_dank at 5:25 PM on October 2, 2014 [18 favorites]


I swear I just saw a headline like three hours ago about Chase flatly denying an NYT story saying this had happened.

I absolutely don't enjoy seeing a company's innocent customers suffer. But I'd be lying if I said I didn't think Jamie Dimon looks so much better with egg all over his face.
posted by scaryblackdeath at 5:26 PM on October 2, 2014 [2 favorites]


I have had my credit card re-issued twice this year, once after Target, now after Home Depot. Each time they essentially close the old card account and create a completely new account. I just spent a couple of hours today cleaning up my accounting. I also have to update each of the accounts online that use the card number. Where is my check to cover my time and effort? Where's the check issued by Target and Home Depot to my bank for all of their costs?

This is starting to happen so frequently that it shows a system wide failure. What's going to happen when they are issuing new cards every month?
posted by Xoc at 5:26 PM on October 2, 2014 [3 favorites]


I changed my password as soon as I read this. Thanks, Blue!
posted by Renoroc at 5:31 PM on October 2, 2014


JP Morgan Chase bought one of my credit card companies and one of my banks, and I still regret how long it took me to get fed up and finally close each of those accounts afterward.
posted by twsf at 5:33 PM on October 2, 2014


i think someone's trying to send a message - "we can steal everything - or we can wipe everything"

i'm inclined to believe they're more likely to wipe everything than steal it
posted by pyramid termite at 5:34 PM on October 2, 2014 [5 favorites]


(scaryblackdeath, I caught that headline of their denying it earlier today, too. On the BBC's site, I think -- and including a correction by the NYT? I'd be so interested in seeing someone recreate how that all went down.)
posted by argonauta at 5:38 PM on October 2, 2014


In a related note, my Meridian^H^H^HCoreStates^H^H^HFirst Union^H^H^HWachovia^H^H^HWells Fargo card was mysteriously replaced last month 'due to potential compromise.' No details were provided.

I'm starting to consider keeping everything in a sock under my mattress, except that I have reason to believe that hackers might get my mattress's root password.
posted by delfin at 5:42 PM on October 2, 2014 [2 favorites]


I have had my credit card re-issued twice this year, once after Target, now after Home Depot. Each time they essentially close the old card account and create a completely new account. I just spent a couple of hours today cleaning up my accounting.

I use a credit union (not a small one, but still not a major bank) and I got an email warning me that my cards needed to be watched because of the Home Depot issue.

Seeing all this, I'm starting to think it really is worth it to go back to pulling cash out for my retail stuff. It's not going to solve everything, obviously, but even just that measure of reducing exposure is starting to sound worth it.
posted by scaryblackdeath at 5:42 PM on October 2, 2014


If they wiped everything, our economy would instantly collapse, so that's a pretty damn serious threat. Back when we were all pitching paperless business processes a decade or so ago, I don't think anybody considered we might be making our entire economic system more precarious and subject to capture, but maybe that's an inevitable unintended consequence of going all in on networked systems... in which case, we overlooked a pretty gigantic national security threat in the rush to adopt all this new tech.
posted by saulgoodman at 5:44 PM on October 2, 2014 [3 favorites]


If they wiped everything, it would be restored from the offsite, physical backups that they are required to keep by law and their own self-interest.
posted by escape from the potato planet at 5:49 PM on October 2, 2014 [17 favorites]


It's been fun watching Neal Stephenson's Snow Crash slowly come to life.
posted by Fizz at 5:59 PM on October 2, 2014 [9 favorites]


This is way more vintage William Gibson. It'll be Stephenson when the mutant Aleut with the glass knives and the tactical nuke sidecar shows up.
posted by George_Spiggott at 6:03 PM on October 2, 2014 [11 favorites]


Here's hoping the hackers are lazy or don't have a lot of disk space and computing horsepower to create the massively indexed database tables that they are going to have to crunch through.

What hacker at this level wouldn't though? Even if they're not state sponsored, don't all these foreign hacking groups also control huge botnets?
posted by bradbane at 6:07 PM on October 2, 2014 [1 favorite]


I don't think anybody considered we might be making our entire economic system more precarious and subject to capture, but maybe that's an inevitable unintended consequence of going all in on networked systems... in which case, we overlooked a pretty gigantic national security threat in the rush to adopt all this new tech.

The banks likely assumed that they could socialize any losses that might result from reckless, profit-above-all decision making. Much of that networking took place after the Justice Dept. created the "too big to fail" bank, and that line of thinking obviously proved to be correct in 2008.

National security? Banks have no national loyalties - all they care about is profit.
posted by ryanshepard at 6:15 PM on October 2, 2014 [2 favorites]


i think someone's trying to send a message - "we can steal everything - or we can wipe everything"

i'm inclined to believe they're more likely to wipe everything than steal it
posted by pyramid termite at 7:34 PM on October 2 [+] [!]


Isn't this basically the end of Fight Club? Without the boom?
posted by MarvinTheCat at 6:18 PM on October 2, 2014 [4 favorites]


I canceled all but one credit card. I am well on my way to canceling that. Basically these breaches are half the reason as to why. It's cute how a company thinks they can keep my business after they allow this to happen. I'll never buy another Lacie drive as long as I live and I am an enterprise customer, and had brand loyalty before they compromised my data. I got hit by the Target thing, so I canceled my card. The card company kept telling me it wasn't their fault, that it was weak systems with Target. I said I didn't much care. If they weren't protecting me from end-to-end then I was out of there.
posted by cjorgensen at 6:18 PM on October 2, 2014


Presumably Chase and all the rest of them are going to use this as a pretext to implement some kind of Shock Doctrine exploit to make even more of your money their money.
posted by George_Spiggott at 6:18 PM on October 2, 2014 [2 favorites]


It'll be Stephenson when the mutant Aleut with the glass knives and the tactical nuke sidecar shows up.

We've already got a shirtless tiger-wrestling pan-bending megalomaniac in his place.
posted by poffin boffin at 6:37 PM on October 2, 2014 [2 favorites]


>>Security is such a silly pursuit.
>
>It's really not. It just requires a bit of common sense.

Humans can't do common sense consistently. Besides which there are times when there are no good choices, just sucky tradeoffs to be made.

Better to treat it like the weather and deal with the problems as they come. The security guys can go on trying to develop the Weather Dominator 3000(tm) and the rest of us will buy umbrellas and sunscreen and relax.
posted by Tell Me No Lies at 6:43 PM on October 2, 2014 [2 favorites]


It was a little weird in that I generally go most of my life without hearing about Chase fraud, and then three instances happen around me within the same week. And then now we find out that was exactly when the huge account compromise happened and was discovered, but we are told no customer fraud occurred. It's probably nothing, I just have my tiny anecdata.

Customer #174-6223.5b-47, you have been deemed statistically insignificant, therefore the instances of known fraud round to the nearest zero, therefore known instances of fraud are zero, therefore no fraud has occurred. We hope this addresses your concern. Thank you for your interest.
posted by anonymisc at 6:56 PM on October 2, 2014 [2 favorites]


Getting out in front of the story might've felt more painful, but this seems like an absurdly worse way to go if you're actually trying to keep your customers. Or to attract any future ones. Or to help preserve, like, ANY consumer- or small-business-level confidence in the banking industry in general.

Those wake-up calls were several years ago, and have been blaring away every month since. Anyone who is still using banks in the USA in 2014 is clearly the kind of "customer" that will presumably continue to stay no matter how much abuse and fraud is heaped on them.
(I put "customer" in square quotes because as noted in this thread, many people have been forced into being customers against their will.)
posted by anonymisc at 7:08 PM on October 2, 2014


... it's only maintained through careful, constant vigilance.

Yeah, too bad JP Morgan Chase isn't big enough to have a dedicated department with this as their charter.


This is way more vintage William Gibson. It'll be Stephenson when the mutant Aleut with the glass knives and the tactical nuke sidecar shows up.

I was thinking Philip K. Dick but with more mushrooms.
posted by ZenMasterThis at 7:18 PM on October 2, 2014


The NSA - seriously, this is part of its role - in conjunction with NIST should approve standards for critical data protection. At this point we don't seem to know whether the user data was even encrypted, much less how good the encryption was. If we had published standards then every IT worker would be able to tell whether their company was compliant, and management would be forced to act. As it is, I bet encryption upgrades are likely to be put into the "too hard" basket, as something that will cost money, potentially cause problems, and will not produce any visible profit.
posted by Joe in Australia at 7:28 PM on October 2, 2014 [2 favorites]


"These people said it would take months for the bank to swap out its programs..."

without compromising current profitability, that is.
posted by j_curiouser at 7:33 PM on October 2, 2014 [3 favorites]


This is way more vintage William Gibson. It'll be Stephenson when the mutant Aleut with the glass knives and the tactical nuke sidecar shows up.

I was thinking Philip K. Dick but with more mushrooms.


Either way, the dystopic nightmares we were promised in our fictions have come true.
posted by Fizz at 7:33 PM on October 2, 2014


I do a fair amount of flying and a metric assload of card-based business expenses. Hypothetically speaking, of course, when I ditch my Chase/United card what would be the next best way to pick up the slack/FF miles?
posted by ZenMasterThis at 7:39 PM on October 2, 2014


It's not-so-gradually becoming evident that the software is neither user-friendly nor secure.

Not because we didn't tell the dumb-ass PM how to fix it - we know what to do.
posted by j_curiouser at 7:43 PM on October 2, 2014 [2 favorites]


Could be worse, they could have gotten the SSNs. Still, look for massive fallout as hackers with enough information go to town.

The PR agency advised to hold that little data point back until 5 minutes after the 2nd US Ebola contraction hits the wires.
posted by any major dude at 7:45 PM on October 2, 2014 [4 favorites]


i think someone's trying to send a message - "we can steal everything - or we can wipe everything"

Yeah, I'm starting to think these things aren't about stealing money. This is what it's going to look like when the real big players go to war someday. Air strikes? pfft, whatever. How about a grenade in your entire financial system?
posted by ctmf at 7:56 PM on October 2, 2014


> your contact information – name, address, phone
> number and email address – was compromised.

Oh, well, that's all easy enough to change, right?
posted by hank at 8:00 PM on October 2, 2014 [1 favorite]


I know some people sound skeptical but shouldn't everyone be skeptical of any claims regarding what was or wasn't taken? On the one hand, incompetence, and on the other, they still think they can win the long game. Maybe they can.

Meanwhile, I also canceled my account as soon as Chase bought Washington Mutual.
posted by Glinn at 8:06 PM on October 2, 2014


I don't understand economics or finances or corporations or security but this is all kind of scary to me. I thought Target was a one-off but even my naive self can see that isn't the case.
posted by Aranquis at 8:27 PM on October 2, 2014 [1 favorite]


Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected
Oh, only a million, well OK then.
posted by Flunkie at 8:48 PM on October 2, 2014


i'm inclined to believe they're more likely to wipe everything than steal it

That would be inconvenient, but not catastrophic. There are offsite tape backups of pretty much everything important.
posted by Itaxpica at 8:49 PM on October 2, 2014


saulgoodman: If they wiped everything, our economy would instantly collapse, so that's a pretty damn serious threat. Back when we were all pitching paperless business processes a decade or so ago, I don't think anybody considered we might be making our entire economic system more precarious and subject to capture, but maybe that's an inevitable unintended consequence of going all in on networked systems... in which case, we overlooked a pretty gigantic national security threat in the rush to adopt all this new tech.
I think the thing engineers, being engineers, didn't take into account is the willingness of business types to let things slide as long as possible if it's costing less money than actually doing things right. You see it in banking. You see it in retail. Hell you even see it in places where life safety is an issue like mining and nuclear power plants. The business school graduates think the nerds are just alarmists when they ask for redundant systems and "never alone" staffing, then put all the blame on them when something like this happens.

Not that I'm bitter.
posted by ob1quixote at 8:53 PM on October 2, 2014 [18 favorites]


The NSA - seriously, this is part of its role - in conjunction with NIST should approve standards for critical data protection.

The NSA is first and foremost in the business of signals intelligence. As its deliberate subversion of NIST cryptographic standards illustrates, NSA clearly sees critical data protection as a threat to its primary mission.
posted by ryanshepard at 8:57 PM on October 2, 2014 [5 favorites]


Aranquis: I don't understand economics or finances or corporations or security but this is all kind of scary to me. I thought Target was a one-off but even my naive self can see that isn't the case.
Not to be an alarmist, but we covered a lot of this same exact ground two years ago when a bad update made RBS' systems go Tango Uniform and 8 million people couldn't access their accounts for a week or more.

Which come to think of it I made a very similar "Not that I'm bitter" comment in that thread.
posted by ob1quixote at 9:12 PM on October 2, 2014 [1 favorite]


Yeah, I'm starting to think these things aren't about stealing money. This is what it's going to look like when the real big players go to war someday. Air strikes? pfft, whatever. How about a grenade in your entire financial system?

Don't know how possible it is, but holy shit. Imagine a future conflict with Russia where, instead of a nuclear exchange, some nineteen year old in Volgograd pushes a button and all the money in the big banks... disappears. Or maybe their computer systems start malfunctioning in some catastrophic way and have to be shut down. Sure there's tape backups, but how often are they updated? Huge amounts could be lost every time it happens.
posted by Kevin Street at 9:42 PM on October 2, 2014


Inconvenient? Restore the data from tape, then what? The attackers somehow agree to wait until you've figured out the problem before attacking again? Take the system offline until you've audited all the software? If instead of deleting they had flooded the system with false transactions, would the real transactions be honored? Would people not just go withdraw all the cash they could? I think "inconvenient" is a little optimistic.
posted by ctmf at 9:49 PM on October 2, 2014 [6 favorites]


When China owns $1.3 Trillion of your debt, they don't actually want to wreck your economy. But they might want to signal to you that they could if they wanted to.
posted by George_Spiggott at 10:04 PM on October 2, 2014 [3 favorites]


Restore from tape? Seriously? When there are millions of transactions a minute?
posted by MarvinTheCat at 10:18 PM on October 2, 2014 [4 favorites]


When China owns $1.3 Trillion of your debt, they don't actually want to wreck your economy. But they might want to signal to you that they could if they wanted to.

There's no way for China to do anything of the sort without inflicting far more damage on its own economy.
posted by one more dead town's last parade at 10:21 PM on October 2, 2014 [3 favorites]


Another data breach. I feel sorry for the IT security group over there.

For as much as you try, there is always more to secure. There is always a way in, there is no perfect security, there is however, good enough forensic trails and fraud detection to pick up the pieces, figure out where the failure domain was, fire the CIO and the 3rd party SOC monitoring your alerts. And maybe the senior data security engineer. At any rate, someone will probably lose their job over this and that sucks too.

The hackers are low life thieves, no better than the average gun toting, mask wearing bank robber. JP Morgan Chase was not asking for this, no one deserved it.
posted by Annika Cicada at 11:46 PM on October 2, 2014 [2 favorites]


The hackers are low life thieves, no better than the average gun toting, mask wearing bank robber JP Morgan Chase.
Just gonna move that full-stop a little to the right there.

Yeah, I know, It's cheap and puerile, but so am I :)
posted by fullerine at 11:57 PM on October 2, 2014 [6 favorites]


JP Morgan asked for this by taking stewardship of billions and billions of other people's money. In a world where money and information are valuable, their business is specifically to protect people's money and information, and they make an awfully, awfully large amount of money doing it. The fact that they aren't fully capable of upholding that duty or find it difficult is not a reason to pretend it isn't their actual job to deal with risks like these.
posted by forgetful snow at 12:36 AM on October 3, 2014 [3 favorites]


Sure there's tape backups, but how often are they updated? Huge amounts could be lost every time it happens.

Everyone is bringing this up, but...

If you can get in the door, and you want to do damage, why not spend weeks not showing you're in the door, purposefully corrupting enough backups (months, maybe even quarters) that once you break everything there's nothing meaningful to restore from.

Hell, you could get super rootkit-y with this and make it so even if they test the backups, it appears to load from the tape or automated BD-R rack (or all of the above) or whatever but pulls from the most recent network-accessible backup that's ostensibly "good" or something, and just crops any data newer than the backup.

After Stuxnet, that seems like a goddamn iOS game.
posted by emptythought at 1:02 AM on October 3, 2014 [5 favorites]


The NSA - seriously, this is part of its role - in conjunction with NIST should approve standards for critical data protection.

We already have standards. What we don't have is enforcement.

Because of this ...

I think the thing engineers, being engineers, didn't take into account is the willingness of business types to let things slide as long as possible if it's costing less money than actually doing things right. You see it in banking. " -- posted by ob1quixote at 11:53 PM on October 2

Restore from tape? Seriously? When there are millions of transactions a minute?

If they're dropping the ball on basic security, why would anyone believe that either their backups, or their multi-site failover actually work?
posted by mikelieman at 1:03 AM on October 3, 2014 [3 favorites]


fire the CIO

Throw his ass in jail without bail for 3 years while he waits for trial... Like a black kid who is accused of stealing a backpack....
posted by mikelieman at 1:05 AM on October 3, 2014 [13 favorites]


I think the thing engineers, being engineers, didn't take into account is the willingness of business types to let things slide as long as possible

hmmm...i say we do take it into account, write the emails, publish the powerpoints, and are quietly asked, "that's a little in the weeds, how about a follow on discussion later" [when the big guys are out of the room, implied. this meeting is never intended to actually occur]. the shit is technically complex, not voodoo. we can do it with the budget and resources.

why would anyone believe that either their backups, or their multi-site failover actually work?

Word. I cannot tell you how many table-top DR/COOP exercises (dry runs) i've been through with clients (DoD, finance, govt) who can't even get it right in *pretend*. I've seen one real-life-fuck-it-massive-let's-restore-from-tape that lost 30 days of transactions, that is the closest to a successful DR/COOP action I have witnessed [after a significant - not trivial - event].

Here is the real organizational test that no one has ever taken me up on:

Client: We have a comprehensive DR/COOP procedure. It's bulletproof and we are very confident we can restore full operations without loss of transactions within twenty-four hours.

Me: Sweet. Let's wait 'til Friday midnight, and nuke the data center. We can all stay over the weekend to see the restore demo'd.

Client: uhhhh. That's too risky.

Me: Yep.
posted by j_curiouser at 2:21 AM on October 3, 2014 [13 favorites]


Yes! I am invincible!
posted by markkraft at 2:58 AM on October 3, 2014 [1 favorite]


I've been sitting here with the conventional "holy shit! if they wreck the world's financial systems then we're screwed!" thoughts in my head.

But given how interconnected so many of the world's economies are, it seems like wiping a system out - even if it was just one country's - would be a self-immolating process for the hackers, no? I mean, these guys presumably have their own connections to a global economy. Slagging it would be self-defeating just based on ripple effects, right?
posted by Thistledown at 3:29 AM on October 3, 2014


I think it's possible that the attacks were not actually aimed at Chase (and certainly not at their retail customers). Think of Chase not as a target per se but as a kind of massive vector - like, e.g., Outlook servers or PDFs. Once you have compromised that vector, you can then go after your real targets. You've got the right SWIFT/IBAN and account info - which does not tend to change unlike passwords and personnel. You could then at your choosing launch a massive wire fraud attack against a large number of businesses. You could make some money if you spread it out over a month or two before you got caught. You could crash a minor country's economy or currency if you did it all at once. Think of the latter as a tactical strike rather than a strategic, MAD style attack.

That is assuming the breach wasn't to mine for even deeper relationships and patterns. The thought of which terrifies me.

Disclaimer: my industry - the petroleum industry - has been under sustained, sophisticated and ever-evolving cyber attack since the beginning of the year and NO ONE in this multi trillion dollar industry and I'm talking including the oil majors has the first clue how it's happening. So I may be more than usually paranoid.
posted by digitalprimate at 3:57 AM on October 3, 2014 [5 favorites]


So I may be more than usually paranoid.

Or not paranoid enough...
posted by mikelieman at 4:22 AM on October 3, 2014


Somewhere, someone told an engineer his deadline. "But that's too soon!" That's what you have. Get it done, or you're fired.
posted by sonic meat machine at 4:48 AM on October 3, 2014 [1 favorite]


And finally: This is really a systemic collapse happening in not quite slow motion, right?

NSA has got to pivot to meet real national security threats, and they'll need a congressional mandate to do it. They're the only TLA with the mental and computational horsepower capable of responding to this, and it's wasted in useless sigint.

American cyberwarfare so far has been focused on sigint and sabotage - stealing smartphone selfies and running them through face detection, self-destructing centrifuges, exploding gas-lines, advanced Russian anti-aircraft systems that can't seem to even see Israeli aircraft, tapping and decrypting in realtime "secure" phone lines from a mile off shore and thirty feet down, etc. This is all well and good, but our internet security is shit, and that is where our National economic interests will take a trouncing.

A lot of money and manpower needs to be spent 1) securing the network on a fundamental level and 2) reprisal response to malicious traffic. This means compromising and disabling the computational and financial resources of the attackers and their sponsors and accomplices electronically, and identifying and going after those harming the network.

No system will be perfect, not every black hat threat will be caught or countered, but we can make it prohibitively expensive and even physically dangerous to mount attacks on our infrastructure (unless you're exceptionally well connected and live in a hostile world power, a SEAL team in a silenced stealth helicopter will be escorting you to your arraignment on another continent.)

Right now it's not even the wild west, it's like the Wild West if the cowboys all had flamethrowers and a couple of divisions of the Imperial German Army armed with lightsabers to attack towns with. It needs to change, and quick - the computational resources to strip-mine vulnerable systems are increasing in power and sophistication daily, and the hackers are just beginning to use big data analytics. Once they get rolling, it will be very, very ugly.
posted by Slap*Happy at 5:06 AM on October 3, 2014 [4 favorites]


Are my bitcoins still safe, though?
posted by empath at 5:21 AM on October 3, 2014


1) securing the network on a fundamental level

This sounds like one of those phrases you hear in a boardroom that is so vague as to have no meaning.

2) reprisal response to malicious traffic

Sounds great until someone uses this policy to hide the source of an attack and get the U.S. to "retaliate" against an innocent third party.
posted by one more dead town's last parade at 6:40 AM on October 3, 2014


So basically the timeline is this:

1) US threatens economic sanctions against Russia and freezes Russian accounts.
2) 'A state actor' initiates a huge cyberattack against US banks.
3) A bash vulnerability going back 20 years was just 'discovered' (ie, someone at the NSA finally told someone).
posted by empath at 6:44 AM on October 3, 2014


The hackers are low life thieves, no better than the average gun toting, mask wearing bank robber. JP Morgan Chase was not asking for this, no one deserved it.

One, they were probably spies, not thieves, and secondly, if you're a bank, it's kinda your job to be secure. If they're not secure, it's their fault.
posted by empath at 6:46 AM on October 3, 2014


This sounds like one of those phrases you hear in a boardroom that is so vague as to have no meaning.

There's a lot of ground to cover. Where do you want to begin? I'm thinking applying heuristics to traffic to identify attacks in progress, and black-hole traffic from that ISP until they get their shit together. If ISPs can identify and charge you for accessing WhatsApp and Facebook with a Sandvine appliance, they can figure out if a botnet is looking at C&C servers and shut that shit down. Not profitable enough, so it needs to be either removed from their level of responsibility (NSA's little network taps everywhere put to good use) or made to be massively unprofitable if they don't.


Sounds great until someone uses this policy to hide the source of an attack and get the U.S. to "retaliate" against an innocent third party.

This ain't the local Sheriff's Department deploying the 4Chan Party Van.
posted by Slap*Happy at 7:12 AM on October 3, 2014 [2 favorites]


When China owns $1.3 Trillion of your debt, they don't actually want to wreck your economy. But they might want to signal to you that they could if they wanted to.

Yep, Wouldn't be the first time "winnability" wasn't a necessary feature of the doctrine. And deterrence doesn't work if the enemy doesn't know you have the capability.
posted by ctmf at 7:24 AM on October 3, 2014


This ain't the local Sheriff's Department deploying the 4Chan Party Van.

I'm not even sure what you mean by this. It's not like someone can just walk up to a terminal and type "find-attack-source --street-address --driving-directions --avoid-tolls". That only happens in Hollywood.
posted by one more dead town's last parade at 7:24 AM on October 3, 2014


I love how everyone acts like there's this superhero Corporate IT banking system that can thwart several state-enabled groups determined to fuck us over. There's not a single CIO who can prevent this, what can is large scale private-public coordinated security systems that sit on our backbones monitoring this shit with real-time offensive responses in place.

The best you can hope for in ANY CorpIT security group is a quick response to bugs, patches and breaches and damn good forensics. A determined threat actor *always* finds a way in.
posted by Annika Cicada at 7:33 AM on October 3, 2014 [3 favorites]


Slap*Happy: "...it's like the Wild West if the cowboys all had flamethrowers and a couple of divisions of the Imperial German Army armed with lightsabers to attack towns with…"

Dang, Netflix should be making this movie, and not stupid Adam Sandler flicks!

posted by wenestvedt at 7:39 AM on October 3, 2014


I canceled all but one credit card. I am well on my way to canceling that. Basically these breaches are half the reason as to why. It's cute how a company thinks they can keep my business after they allow this to happen. I'll never buy another Lacie drive as long as I live and I am an enterprise customer, and had brand loyalty before they compromised my data. I got hit by the Target thing, so I canceled my card. The card company kept telling me it wasn't their fault, that it was weak systems with Target. I said I didn't much care. If they weren't protecting me from end-to-end then I was out of there.

Token-based approaches like Apple Pay are the future of credit cards.
posted by a lungful of dragon at 8:07 AM on October 3, 2014


To other people with Chase credit cards: when did you receive correspondence about this? I have two of them, and haven't heard anything.
posted by codacorolla at 8:16 AM on October 3, 2014


There's not a single CIO who can prevent this, what can is large scale private-public coordinated security systems that sit on our backbones monitoring this shit with real-time offensive responses in place.

Would that that were true, but as we saw with HD and Target - software wasn't purchased, best practices and recommendations weren't followed, and alarms were turned off or ignored because reasons.

Home Depot even went on to hire a guy who torched his previous employer's network because they fired him, and they continued to retain him even after he was arrested and indicted.
posted by Pogo_Fuzzybutt at 8:24 AM on October 3, 2014 [2 favorites]


To other people with Chase credit cards: when did you receive correspondence about this? I have two of them, and haven't heard anything.
Also two cards, also no info. For that matter, they contacted us after the Target breach but didn't actually reissue the card until almost two months later (presumably when a fraudulent transaction finally hit). And they still haven't contacted us about the Home Depot breach. But the fraud prevention people contacted us after we tried to buy Czech theatre tickets online.

But aside from the lack of notification (so far) we have actually found the customer service to be the best of any credit card company we've ever had. We have Sapphire and Sapphire Preferred cards and I don't think the customer service is just because of the $95 annual fee on the Sapphire Preferred card, since they were great before we added that card. Citibank seems to be a least-effort bunch of jokers, Capital One was absolutely terrible, and while the Discover people are nice enough on the phone, the card isn't universal enough to supplant the ubiquitous Visa.
posted by fedward at 8:47 AM on October 3, 2014


I'm not even sure what you mean by this.

There's a larger conversation you're only picking up pieces of, and there may be some background context lost for you. I mean that there will be a good deal of intelligence gathering going into a raid on foreign soil to protect American infrastructure. It's not like 4Chan griefers calling in a narco raid from a compromised switchboard will now be able to summon a military response as well.
posted by Slap*Happy at 9:05 AM on October 3, 2014


To other people with Chase credit cards: when did you receive correspondence about this? I have two of them, and haven't heard anything.

I should have been clearer when I posed that, sorry. What I posted was actually part of an update on the Chase website, not an email they sent me. (I had to log in to see the update, which they had flagged above my account info.)
posted by pie ninja at 9:07 AM on October 3, 2014


NSA has got to pivot to meet real national security threats

That was part of their original mission. It's hopelessly compromised and impossible now that we know NSA has been illegally spying on Americans with total contempt for Americans' constitutional rights. There's no way most US companies would trust NSA inside their systems. Doubly so for companies doing significant international business. I mean you can't even trust them to build a secure encryption algorithm, for fear of a deliberately planted vulnerability.

The entire way we do networked computer security is broken. From bottom to top and all the way through.
posted by Nelson at 9:11 AM on October 3, 2014 [1 favorite]


I mean that there will be a good deal of intelligence gathering going into a raid on foreign soil to protect American infrastructure. It's not like 4Chan griefers calling in a narco raid from a compromised switchboard will now be able to summon a military response as well.

No, and that was never a worry. If an attacker is smart enough not to brag openly about it (which, if we're talking about state actors, is probably the case), there's not going to be solid proof of where the attack actually came from. However, if it becomes our policy that a military response is appropriate in cases of attacks on the financial system, you can be sure that the wrong people will get "responded to" from time to time.
posted by one more dead town's last parade at 9:20 AM on October 3, 2014


Is it worth calling Chase to ask about this? I can't imagine the person on the phone is going to know anything or be able to do anything other than reissue my cards or reassure me that there is no (evidence of a) problem.
posted by codacorolla at 10:15 AM on October 3, 2014


The chase problems are way beyond losing your credit card number. Their systems are no longer secure. They probably can't trust any of their numbers anymore. The Russians can probably create or destroy money at will at this point.
posted by empath at 10:29 AM on October 3, 2014


To other people with Chase credit cards: when did you receive correspondence about this?

No communication about my Chase Sapphire card. I did receive a "helpful" email from Home Depot offering credit monitoring, and Capital One and Citi have offered notices that they're "watching closely" for signs of fraud. But nothing else so far.

If I had an unlimited supply of tinfoil, I could imagine making a hat big enough to come up with a theory that {Apple | Google} are really determined to push {ApplePay | GoogleWallet}, and they employ plenty of talented hackers... Is it irresponsible to speculate? It would be irresponsible not to! (TM).

Seriously, tokenized payments are the future, and Apple looks like it got the timing exactly right, if they can pull it off. (And that will leave all three Google Wallet users furious because Android has had that feature for months and months.)
posted by RedOrGreen at 10:32 AM on October 3, 2014


Seriously, tokenized payments are the future, and Apple looks like it got the timing exactly right

Timing is easy when we're never more than 6 months from a large company being hacked!

Though: This is kind of irrelevant. Tokenized payments protect you when the merchant is hacked. They don't protect you when the bank is hacked.
posted by aubilenon at 10:47 AM on October 3, 2014


The lack of any apparent profit motive has generated speculation among law enforcement officials and security experts that the hackers were sponsored by foreign governments either in Russia or in southern Europe.
Collecting a mass of "personal contact information" from a bank is a possible profit motive.
posted by IAmBroom at 11:38 AM on October 3, 2014


Tell Me No Lies: Security is such a silly pursuit.
Leave your wallet on a city street overnight, filled with cash, and get back to me with your updated beliefs.
posted by IAmBroom at 11:48 AM on October 3, 2014


There's still many innovations to be made balancing ease of use and security. As the technology gets better I would not be surprised to see keyboards with integrated fingerprint sensors in the keys. We may see smartphones adopted as the "something you have" when it comes to multifactor authentication given that they're being fabricated with unique keys already. Webcams using reliable facial recognition is probably less than a decade away. All of this will probably start combining into a single, transparent way of assessing if the person at the keyboard is actually the person they purport.
posted by Talez at 1:27 PM on October 3, 2014


Identity means nothing if you can get the device user to accidentally do your dirty work by proxy, as was the case here with spear phishing.
posted by Annika Cicada at 1:46 PM on October 3, 2014


As the technology gets better I would not be surprised to see keyboards with integrated fingerprint sensors in the keys.

Mooltipass...
posted by mikelieman at 2:09 PM on October 3, 2014




Are my bitcoins still safe, though?

As safe as ever!

So... that would be a "no" then?
posted by anonymisc at 3:28 PM on October 3, 2014


^ Anyone who is still using banks in the USA in 2014 is clearly the kind of "customer" that will presumably continue to stay no matter how much abuse and fraud is heaped on them.

It's easy(ish) to move your money. It's hard, and expensive, to move your debt. And guess which the banks make more money off of...
posted by polymath at 8:41 PM on October 3, 2014


The entire way we do networked computer security is broken. From bottom to top and all the way through.

Next thing ya' know, the Cylons 'll become self-aware. Yeah, right.
posted by j_curiouser at 9:39 PM on October 3, 2014




This thread has been archived and is closed to new comments