JPMorgan, the second largest bank in America, said that the outage was due to a, "third party database company's software." They also stated that the problems were due to a failure in their authentication process. The bank claims that no customers' information has been compromised.
Although no sensitive information was leaked during the outage, the fact that accessibility was compromised is important. The exact cause of the break down is not exactly clear, but blaming a third party company for a authentication problem seems odd. I agree with Mr. Monash in the article when he says, "It's hard to imagine that they would outsource authentication - it's too core." Authentication is a very important step in access controls, especially for online banking.
JPMorgan needs to take action with respect to this event. Although the precise source of the outage is not clear, if this third party company has anything to do with it, I would strongly reconsider the relationship with them. If I were in charge of JPMorgan I would attempt to change the authentication process to our control. Then, if for some reason there were another outage, we would be able to get the system back online faster than 2 days.
JPMorgan's clients expect 100% accessibility of their own accounts, whether it is online, at an ATM, or even in the bank. If I were a customer, and this happened again, I would definitely be worried about the security of my bank and most likely change banks.
http://www.computerworld.com/s/article/9186238/JPMorgan_Chase_deposits_blame_sort_of_for_outage_?taxonomyId=17
http://www.computerworld.com/s/article/9185420/JPMorgan_Chase_s_online_banking_site_crashes?taxonomyId=17
Posts
I don't know if I agree with Mr. Monash's idea about the oddness of outsourcing authentication software development. JPMorgan is a financial company, after all, not a software company. It's probably a lot cheaper to use 3rd party software than to contract someone to design a unique system just for your company.
ReplyDeleteAlso, database software fails sometimes. However, this isn't an excuse for JPMorgan to have such poor emergency planning procedures; I mean, what amounts to about 2 days where users can't access crucial information is a large chunk of time.
I'd like to see an example of an online bank that has their own software and see why they decided to do so.
I agree that since JP Morgan is a financial company, it is a lot cheaper for them to use third party software instead of having someone design software specifically for JP Morgan. However, the fact that it is JP Morgan and that they are one of the wealthiest companies in the world, worth approximately 160 billion dollars, I think it would be rather inexpensive for them to have someone develop a software specifically for them and their users.
ReplyDeleteSince it is obvious that JPMorgan cannot trust this third party companies software, it makes perfect sense that they would spend the money to develop their own and reenstill the trust of all of their customers. When it comes to security, money really shouldn't be an issue, especially when one can easily afford it.
I agree with Casey in that money should not be an issue when it comes to information security. Customer's depend on the companies and banks that they use to keep their information safe and accessible for their own personal use. When a breakdown in security occurs, a breakdown in trust follows.
ReplyDeleteI liked this post because it touched on a lot of things we have talked about in class. Just recently we discussed authentication and how complex of a process it can be. Because of this, I am not surprised that the task of authentication is outsourced to a third party. In fact, I would doubt that most companies don't leave the job of authentication to third parties.
I also liked how the article talked about the compromise of accessibility. To me, this seems to be one of the least addressed threats to security. At the same time, it is still a significant issue. As Cristin pointed out, customer's being denied access to their accounts, even for two days, can be crippling to the customer.
Overall, it was interesting to see how practically everything has been outsourced in the American business society. However, I believe that this outsourcing is not to blame for problems like the one JPMorgan experienced.