JPMorgan Chase and other financial institutions hacked

The FBI is working with the US Secret Service to investigate reports that JPMorgan Chase, and other financial institutions have been breached by hackers. Preliminary information suggests that the attacks are sophisticated, but details are still sketchy.

It seems that the attackers were able to exfiltrate gigabytes of sensitive customer banking information. Consumers have more or less gotten used to credit card data breaches, but a breach of actual checking and savings account details has much graver consequences.

“With correct account information criminals can initiate wire transfers that completely clean out accounts; the bad news is that wire transfer consumer protection is not as favorable for consumers as credit card protections,” stressed Lamar Bailer, director of security research and development for Tripwire. “For example, financial institutions can take up to 90 days to investigate and rule on wire transfer disputes.”

Craig Young, a security researcher with Tripwire, explained, “Traditional checking accounts are perhaps the weakest link in the American banking system. Consumer need to use far more caution when paying by check or storing images of checks because the routing (ABA) and account numbers are all a thief needs to start stealing money. Web checks make these problems even worse because then thieves don’t even need to print fake checks or venture to a store in person.”

Bailey cautioned that the only way to protect against fraudulent checks if hackers have the account information is to change the account number. Even then, most banks will still honor checks from the old account for some time during a grace period.

Early evidence points to Russia. Bloomberg reports that sources believe it was possibly a state-sponsored attack in retaliation for US sanctions against Russia. The attack was reportedly sophisticated, and “beyond the capability of ordinary criminal hackers” according to the Bloomberg story.

“I think it is early to be jumping to conclusions about the attribution for an attack like this,” warned Bob Stratton, general partner with cybersecurity accelerator Mach37. “The trickiest part of defending networks in the modern age is determining the actual, rather than the apparent source of an attack. It will take time to forensically sort this out. While undoubtedly frustrating to those trying to cover the story in the present moment, network attacks, like airplane crashes, can take a while for proper investigation and attribution.”

That is for the FBI, Secret Service, and financial institutions to figure out. In the meantime, what can you do?

Bailey suggests that all consumers should setup alerts (emails, text messages, etc.) for checking, savings, and credit accounts to alert them of transactions so that they can respond quickly to any fraudulent activity on their accounts.