Wednesday, February 11, 2015

This Could Be the End of User Name and Password - TIME

http://time.com/3700203/anthem-identity-theft-hacking/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+timeblogs%2Fcurious_capitalist+%28TIME%3A+Business%29

Anthem, J.P. Morgan hacks could lead to tougher online security.

A top New York State regulator is “very likely” to impose new cyber-security rules on much of the banking and insurance industries after high-profile cyber-intrusions at Anthem and JP Morgan Chase, law enforcement officials tell TIME.
The move could spell the beginning of the end for a decade-long debate among state and federal regulators over whether to require companies to go beyond the simple user name and password identity checks required to access many computer networks at the heart of America’s financial system, and it could affect everyone from employees at those firms to the consumers they serve.
Early investigations in the Anthem case suggest foreign hackers used the user name and password of a company executive to get inside Anthem’s system and make off with personal data for 80 million people, including names, addresses and Social Security numbers, the law enforcement officials tell TIME. Anthem had invested in extensive cyber defenses in recent years, but the officials say initial investigations suggest the theft could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.
That shortcoming reflects systemic weaknesses found throughout the industry in an upcoming study by the New York State Department of Financial Services, a version of which was reviewed by TIME. Among the most worrying findings was a marked level of over-confidence among insurance industry officials regarding the security of their systems. “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here,” says Benjamin Lawsky, the department’s superintendent.
While many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there, according to the report. The study follows a similar review by Lawsky’s office of the banking sector late last year that led to tighter cyber-examinations for banks doing business in New York.