Skip to main content

Resources

What Fiserv’s Internet Banking Flaw Means for You

What Fiserv’s Internet Banking Flaw Means for You

Fiserv, Inc., is one of the largest Financial Services technology providers in the world. They serve more than 12,000 clients in over 80 countries, including around 1,700 banks in the United States. Fiserv also recently fixed an issue with their web-based Internet Banking Platform to which all banks should pay attention.

 


A Vulnerability Discovered

According to an article from Brian Krebs, a security researcher named Kristian Erik Hermansen discovered a way to view another customer’s alerts set up in the Internet Banking Platform. Hermansen noticed that his alerts were assigned a sequential number in the URL. Hermansen edited the URL by decreasing the alert number one at a time. He was then able to view other customer’s alerts, full account numbers, email addresses, phone numbers, and transaction information.


Krebs opened checking accounts at small local banks that use Fiserv and was able to replicate the same issue, confirming Fiserv had a flaw. Fortunately, the issue was limited to each instance of the platform, meaning that account information for customers of the same institution could be viewed, but access to other institution’s customers was not possible. Krebs reached out to Fiserv, who got their security team on the issue immediately. Within 24 hours, they had released a patch to all hosted Internet Banking customers, and a patch is being deployed to locally hosted instances of the Fiserv retail online banking platform as quickly as possible.

 


How Could This Flaw Be Exploited?

From an attack-perspective, a flaw such as this would only be useful after an existing account has already been compromised or if an attacker has an account at an individual financial institution. Once an attacker has access to an account – via compromise or creation – the benefits would be two-fold:

  1. An attacker can enumerate the account information from other bank customers.
  2. An attacker would gain the ability to edit, add, or delete phone numbers or email addresses for these accounts, which would bypass the alerts on a compromised account; the very reason these alerts exist in the first place.

 


How’s Your Vendor Management?

At its core, this is a vendor management issue. Small and Medium Sized-Financial institutions (SMFIs) around the world trust Fiserv to provide them with secure products and services that protect customer information while also allowing customers to perform regular banking transactions conveniently. Some things to think about:

  • When an issue of this nature arises, the operational, reputational, and often financial risk falls upon the SMFIs
  • Fiserv and similar vendors have gotten extremely large while the software they provide customers often runs on outdated legacy systems
  • Your institution is ultimately responsible for ensuring your customer data is secure when transmitted, stored, or processed, not a vendor
  • This type of vulnerability would not have been found on a SOC report or similar audit

 


How Would You Discover an Issue Like This?

As noted above, an issue of this nature would likely not have been discovered by a traditional SSAE-18 or SOC assessment. SMFIs need to continually evolve their vendor management to look for concerns outside the scope of basic vendor management review practices. Here are some additional questions to consider asking your critical service provider as a part of your vendor management practices:

  • How can you be sure that the vendor is protecting your information?
  • How is this vendor assessing the security of their networks and the products/applications provided to your institution?
    • Has the vendor contracted for or performed a secure code audit?
    • Has the vendor had their web applications tested for a standard like the OWASP Security Knowledge Framework?
  • How old is the product/application you are using?
    • Has it been updated to a new version?
    • How old is the base code?
  • How does the vendor update these products/applications and how regularly do they update?
  • Does the vendor perform regular security assessments, and are they willing to share the results?


A vendor who is open and transparent about how your information (governance, controls) is protected, as well as how they are testing themselves, is significantly more likely to have a strong security posture. A vendor who refuses to discuss security testing or hides their results is a vendor that should throw up red flags during your vendor management process.

 


Written by: Jeff Dice
Information Security Consultant
SBS CyberSecurity, LLC


SBS Resources:

  • {Solution} TRAC: Risk Management Software: One of the core modules of SBS’ TRAC software is our 3PM (3rd Party Management) module, which can help you easily and more efficiently perform vendor risk assessment, vendor selection, and ongoing vendor management. TRAC 3PM provides you with a consistent, pre-defined vendor management process, including vendor types, question sets, the ability to categorize different levels of vendor, and customizable, one-click reporting.
  • {Consulting} Full Service Vendor ManagementSBS also offers Full-Service Vendor Management to perform vendor management around your critical vendors, saving you the time and effort to gather information from these vendors, review and analyze the vendor’s documentation, and create reports around your findings. SBS can streamline your process by doing all that work for you, then providing you the results in an easy-to-understand format.

 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Vendor Manager 

 


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Friday, August 31, 2018
Categories: Blog, In the News