back to article JPMorgan exec claims bank repels '45 billion' cyberattack attempts per day

The largest bank in the United States repels 45 billion cyberattack attempts per day, one of its leaders claimed at the World Economic Forum in Davos.  Mary Callahan Erdoes, JPMorgan Chase's CEO in charge of asset and wealth management, revealed the figure during a discussion of the future of banking yesterday, adding that the …

  1. Tom Chiverton 1

    They presumably count a connection attempt or port scan in that number. Which is why is so lubricous

    1. Yet Another Anonymous coward Silver badge

      No, they count each separate byte in each portscan packet as an attack

      1. garwhale Bronze badge

        No, each bit is counted.

  2. Maventi

    WEF in a nutshell. Hyperbole to justify hubris.

    1. teknopaul

      Agreed.

      This is key.

      "They go into the law firm that's sending you an email, take over the email, and they send the bank a note saying 'please send the money here,'"

      And the point is, after receiving an email they do actually send the money there!

      I worked at 3 major banks in London. 80% was automated, and 20% we via paper and emails and phone calls. All of that was considered "risk", I.e. No attempt at security auth or validation. Just put it as risk and write it off if it was fraud.

      I would guess Jp has 60000 wide boy brogrammers as staff. Never seen worse code than in banks. High staff turnover. It's all about the money, naturally. No-one in the building has any high-level goals like clean code or solid architecture. It's just hack for money. Security is an afterthought at best. At worst it's just a building full of disconnected workers getting paid top dollar to handle shit code without any input to the code.

      I also know people are that hack banks. It's I high risk game in the long run, but easy money in the short run.

      I knew people that can open a bank account, put 5 grand credit in it, and have a card sent where ever with what ever name you wanted. That's high street banks who seem to be just as bad.

      I am pretty sure it's an induswide problem.

  3. Anonymous Coward
    Anonymous Coward

    Innumeracy

    I suspect that the executive is misreading a report. It makes for a good headline though.

  4. Yorick Hunt Silver badge
    FAIL

    Such is the quality of those appointed to executive positions.

    Messrs Dunning and Krüger would be proud.

  5. Anonymous Coward
    Anonymous Coward

    Bloated headcount

    The 62k Cybersecurity technologists is also a very inflated number. That's the tally of drones on the bank's cyber's line of business, and counts everything from your RBAC auditor to your scrum master and your bean counter. A very small fraction of those is dedicated to engineer protection against external threats.

    I heard this from a friend of a friend, who's uncle may or may not be employed by this firm...

    1. Roo
      Windows

      Re: Bloated headcount

      According to JPMorgan's website they employ "~290,000" worldwide... So that would be at least 1 in 5 are "Cybersecurity Technologists" which does strain my credulity to breaking point. If pushed I'd guess that Mary doesn't expect held accountable for her pronouncements, and that could well be a reasonable expectation given her role in JPMorgan settling to the tune of $290m in an Epstein related lawsuit.

      1. doublelayer Silver badge

        Re: Bloated headcount

        Part of the count is probably the employees of subsidiary companies that have some connection to them. If they have a contract with company X which provides a product to do vulnerability detection and tailors it for their big clients, then why not count every employee of that company. And if there's a contract with company Y to provide emergency technical assistance if an important system goes down, then theoretically anybody employed by company Y could be assigned, so count all of them as well.

  6. RJX

    The one thing I was certain of before I retired from bank cybersecurity was that the numbers reported publicly were woefully low. For people who pooh-pooh things like port scans, let's do an analogy to your home. A port scan is the same thing as an unauthorized person walking up to your home and trying every door to see if it's unlocked and pushing on every window to see if it opens.

    If you looked out the window at night and saw an endless stream of people walking up to your home and trying to get in how good would you sleep?

    Familiarity breeds contempt and that's how that article and some of the comments read. We'll be reading about your organizations over at www.databreaches.net if we have not already done so, multiple times.

    1. doublelayer Silver badge

      It's not that portscans are completely safe, but that they're common. Every public IP receives them constantly, so if you're trying to make a point about volume, it doesn't make that point very well.

      Consider how you would feel if I told you that I live in an environment where I face the risk of death by disease every day, subject to billions of viruses alone trying to infect me. It makes me sound like I'm an Ebola researcher or something like that, when what I'm really saying is that I live on a world where there are tons of viruses on everything, even though many of them cannot infect me and will be killed before they get a chance to do any damage at all. Some of those viruses are indeed quite dangerous, and one of them might eventually kill me, but I'm making reality sound more exciting than it is. My personal servers face scans at all hours. There is virtually always someone trying to log into public services with brute force password attacks who will be banned by the automatic rules soon. That's work you have to do, but it's not the interesting thing. I don't have people specifically targeting my systems. They do. That's where they have a more complex security situation than I do.

  7. Bitsminer Silver badge

    Banks and Money

    Bank robber Willie Sutton, who, when asked by a reporter about why he stole from banks, answered: “Because that's where the money is.”

  8. Kevin McMurtrie Silver badge

    Firewalls

    This is why sane companies use a mixture of dynamic and static rules for blocking abuse. Most attacks come from well known hostile and mismanaged networks.

    1. R Soul Silver badge

      Re: Firewalls

      Most attacks come from well known hostile and mismanaged networks.

      So, they're coming from the internal network?

    2. Yorick Hunt Silver badge
      Pirate

      Re: Firewalls

      Amazon, Azure, Google Cloud, OVH, CloudFlare, and several other behemoths.

      Why exactly would anyone, let alone a bank, actually need to accept incoming connections from these hosts? Their netspace will never be used by (legitimate) remote workers for connection, and if they're being used by other businesses for B2B transactions, surely there'd be strictly defined protocols which can explicitly be catered to.

  9. Mike 137 Silver badge

    "62,000 technologists working to protect corporate assets"

    How many staff manage security? In my (rather too) long consulting experience, I've found that very often competent technologists are prevent from delivering by lousy uninformed management that makes guesswork their basis for 'risk assessment' and consequently fails to adequately resource what's needed to counter real threats.

    1. midwestMan

      Re: "62,000 technologists working to protect corporate assets"

      She didn't say, nor do they have, 62k technologists in infosec. They have 62k technologists. i.e. 62k they consider to be in "technology" roles.

  10. midwestMan

    Claims to have 50k "technologists" in 2018. https://www.jpmorganchase.com/news-stories/tech-investment-could-disrupt-banking

    Claims to have 62k technologists in 2023 WEF discussion.

    Reportedly hired 9k in India since 2021: https://economictimes.indiatimes.com/jobs/jp-morgan-to-hire-over-5000-technologists-in-cy22/articleshow/93437500.cms

    outsourcing jobs to the lowest bidder. And proud of it. Call me xenophobic if you want, but leaders in India are exactly the sort that would turn on every possible alerting rule and use a metric like "how many IPS alerts did my UTM platform log today" and count that as actual attacks blocked. Then submit that to the clueless leader stateside (because they let all the competent engineers go) who would eat it up.

  11. Anonymous Coward
    Anonymous Coward

    I'll bet $5 most of of those scans come from

    Changway and Stark Industries (ISPs). Two of the most prolific port scanners/failed VPN connections for the last 3 years.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like