JPMorgan exec claims bank repels 45 billion cyberattack attempts per day – Source: go.theregister.com

The largest bank in the United States repels 45 billion – yes, with a B – cyberattack attempts per day, one of its leaders claimed at the World Economic Forum in Davos. 

Mary Callahan Erdoes, JPMorgan Chase’s CEO in charge of asset and wealth management, revealed the figure during a discussion of the future of banking at Davos yesterday, adding that the number is twice what the institution faced a year prior. 

JPMorgan Chase, the largest US bank by market cap, claims to have 62,000 technologists working to protect corporate assets – a figure Erdoes claims tops the engineer count at Google or Amazon.

“Why? Because we have to,” Erdoes said. 

OK, here’s where we bring this back down to Earth: 45 billion is a lot. That’s an average of 521,000 per second per day. But we all know that is going to be mostly port scans, automated checks for known vulnerable services, and similar chaff. It’s not going to be 45 billion fully formed attacks per day; it’s more of an indication of the amount of traffic being thrown at JPMC’s network boundaries.

We imagine the bank’s biggest worry, or one of them, isn’t the volume of poking it’s getting, it’s that the wave after wave of connections may be masking more sophisticated and tangible attempts to break into its networks. It’s a tactic crooks use: distract IT admins with loads of suspicious-looking traffic while sneaking in round the back via some quiet vulnerable service or a spear-phishing email. A big challenge will be determining out of all the scans and prodding the actual legit intrusion attempts.

And don’t forget to go tell the WEF all about your dropped packet count at the firewall.

That all said, it’s not a surprise that JPMorgan Chase, with its high profile in one of the sectors most targeted by cyber-crooks, faces so many probings and prodding: There’s a lot of money to be siphoned from the financial giant, which reported $3.9 trillion in assets as of Q4 [PDF] last year. 

A report from the Bank of England further solidifies the perceived risk of cyberattacks in the banking world, with such incidents topping the list of what bank executives see as their top threats and greatest challenges. 

• JPMorgan latest to pile into quantum upstart with $5B valuation
• Something nasty injected login-stealing JavaScript into 50K online banking sessions
• Now collapsed SVB’s parent files for bankruptcy as Biden calls for stiffer penalties
• Capital One: Convicted techie got in via ‘misconfigured’ AWS buckets

Even epic levels of investment in people and tech haven’t been enough for institutions like JPMorgan, however.

JPMC was ordered to face a lawsuit in January 2023 filed by a subsidiary of eyewear megafirm EssilorLuxottica, who alleged the bank was negligent in ignoring signs of fraud. That negligence, the complaint states, allowed cyber crooks to make off with $272 million in funds from Essilor’s manufacturing arm over the course of 243 fraudulent transactions. 

“Fraudsters [are getting] smarter, savvier, quicker, more devious and more mischievous,” Erdoes said at Davos yesterday.

“They go into the law firm that’s sending you an email, take over the email, and they send the bank a note saying ‘please send the money here,'” she added, almost as if addressing the Essilor matter. “That is happening everywhere in the world on a daily basis … staying one step ahead of it is the job of each and every one of us.” 

Beyond lapses of judgement that allow fraud to proliferate, JPMorgan Chase has also made internal technical mistakes that have cost it millions – an admittedly small number for a firm that had a net income of $9.3 billion in the fourth quarter of last year. The SEC in June fined the company $4 million for deleting millions of emails, meaning the bank was unable to hand over communications the SEC subpoenaed in a dozen regulatory investigations. 

Accidentally, of course. ®