Target. Home Depot. EBay. Now JPMorgan Chase. If it feels like every big commercial institution is vulnerable to hackers, that’s because they are. Of all the high-profile breaches over the past few years, the biggest hit now appears to have been perpetrated on the biggest bank in America, one spending more than $200 million annually on cybersecurity.
In the physical world, bank security is obvious in the form of gleaming vaults, armored vehicles and ballistic glass. And even though the banking industry invests more in online security than any other, security experts told International Business Times that financial institutions have underinvested in the face of increasingly industrial-scale attacks. Moreover, as banks have grown through acquisitions, the complexity -- and vulnerability -- of their systems has increased, making them harder to defend.
“Banks aren’t as secure as everyone makes them out to be,” David Kennedy, CEO of security company TrustedSec LLC, near Cleveland, Ohio, said. “You have this bubble right now in the hacker industry and security systems in the U.S. are no where near able to handle the attacks we’re seeing.”
For banks, security is a cost center, and up until a few years ago, there simply wasn’t the data to justify ramping up the expenditure. When banks do ramp up security budgets, they tend to spend on dated software rather than the talent to understand complex systems and their vulnerabilities.
"It is absolutely a people problem," Dan Guido, CEO of New York-based security company Trail of Bits Inc., hackers-for-hire who work for financial institutions to find vulnerabilities, said. "There are not many people qualified to defend against these kinds of direct threats, and it is very hard for companies like JPMorgan to retain security talent."
“When you look at these attacks you’re seeing a continuing trend of very sophisticated, very organized and intelligent attacks looking to generate a financial gain,” Frank Dickson, network security principal at Mountain View, California-based Frost & Sullivan, said.
The type of attack on JPMorgan bore hallmarks of more sophisticated organizations. Rather than a blunt instrument smash-and-grab, this was a subtle and surgical incision meant to infiltrate a system over a period of time.
The Wall Street Journal reported that the hack went unnoticed at JPMorgan for two months from mid-June until mid August, but the attackers didn't get close to sensitive banking data. “The hackers likely weren’t steps away from the vault but ‘in the wrong building altogether,’” James Lewis, a cybersecurity expert at the Washington-based nonprofit Center for Strategic and International Studies, told the newspaper.
But that was likely part of their plan, to infiltrate and learn about JPMorgan's systems and exploit them over time. That’s what happened to Home Depot, where hackers had access for a month pulling out sensitive data.
Kennedy, who breaks into banks to test their vulnerability, says the first thing he does once inside a system is to hide the fact that he’s there so he can maintain access. “You can break into a smaller company or partner and then pivot to highly critical systems,” he said. “When I break into a company I don’t know anything about it. I have to figure out where the sensitive data is.”
JPMorgan has pledged to spend $250 million a year on security going forward, but CEO Jamie Dimon concedes that it is only keeping up with the growing threats. “We’re making good progress on these and other efforts,” he wrote in a letter to shareholders. “But cyberattacks are growing every day in strength and velocity around the globe.”
Banks are hardly alone, and corporate hacking will only grow in sophistication and intensity. Increasingly, like any kind of crime, prevention only gets you so far. “Everybody's under attack, this is the new normal and has been for years,” Dan Kaminsky, chief scientist at security company White Ops, which has offices in New York City, San Francisco and British Columbia, said. “What matters is how you constrain the damage and respond to it.”