The final report of the FDIC's investigation of a security breach at payments processor FIS found it worse than previously thought, according to a security blog.

Brian Krebs is a former Washington Post reporter whose blog, Krebs on Security, is highly regarded in the information security community.

Krebs reports that “the disclosure highlights a shocking lack of basic security protections throughout one of the nation's largest financial services providers.”

When the FDIC first brought the breach to light in the second quarter of 2011, the Jacksonville, Fla.-based payments processor and core software vendor said the breach had been limited to its prepaid card division, and the NCUA warned credit unions to evaluate their relationship with the major card processor.

Krebs now quotes an FDIC investigators' report stating that far more was actually compromised.

The fraudsters used the hacked information to clone prepaid cards and withdraw $13 million from ATMs in Europe, Krebs said, and more exposure has now been reported.

“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,” Krebs quoted FDIC examiners as writing in a report from October 2012.

He said the FDIC sent the report to hundreds of banks last week.

“As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion,” Krebs quoted the report as saying.

Further, Krebs quoted the deposit insurer as documenting that the payments processor had spent $100 million to fix the security weaknesses but had left some key security problems in place for at least a year afterward.

“The FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that 'contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion,'” Krebs quoted from the report.

“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” the report continued, adding that “Enterprise vulnerability scans in November 2012, noted over 10,000 instances of default passwords in use within the FIS environment.”

One possible bit of good news for credit unions comes in what the report may not say. Although Krebs reports that the FDIC found breaches to be widespread at the firm, he does not list card services as one of the parts of the firm that was breached.

The FDIC declined to comment on or elaborate on the report, initially stating that it had not been sent and then allowing that a similar report would have been shared with banks.
