Fiserv Web Weakness Exposes Account Information
The flaw sits in an email alert system that assigned a specific event number any time a new transaction posted to an account.
Brookfield, Wis.-based fintech powerhouse Fiserv repaired a Web platform weakness that exposed personal and financial details of an unknown number of customers across perhaps hundreds of bank websites, per KrebsOnSecurity.
Security blogger Brian Krebs wrote that two weeks ago he learned of a hole in the Fiserv system from security researcher Kristian Erik Hermansen.
Fiserv, a Fortune 500 company that serves over 12,000 clients worldwide, including credit unions, banks, savings banks, investment management firms, leasing and finance companies, billers, retailers, merchants, and building societies, earned $5.7 billion last year. The company features account and transaction processing systems powering websites for what is estimated at hundreds of financial institutions. According to FedFis.com, Fiserv is the top bank core processor, with more than 37% market share, more than double its closest competitor.
The flaw was in an email alert system that assigned a specific event number any time a new transaction posted to an account. Hermansen discovered that if he edited the site’s code in his browser he could view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.
“Hermansen said a cybercriminal could abuse this access to enumerate all other accounts with activity alerts on file, and to add or delete phone numbers or email addresses to receive alerts about account transactions,” according to Krebs. This would allow any customer of the financial institution to spy on the daily transaction activity of other customers, and perhaps even target accountholders who signed up for high minimum balance alerts.
Krebs said he replicated Hermansen’s findings and viewed email addresses, phone numbers, partial account numbers and alert details for other customers of each financial institution just by editing a single digit in a web page request. “I was relieved to find I could not use my online account access at one bank to view transaction alerts I’d set up at a different Fiserv-affiliated bank.” Krebs said it was not difficult to find hundreds of other Fiserv-affiliated banks that would be just as vulnerable.
Krebs alerted Fiserv to the flaw. “Fiserv places a high priority on security, and we have responded accordingly,” Ann Cave, director of public relations and global brand at Fiserv, said in response. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”
Cave provided a bit more context. “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”
Krebs confirmed that Fiserv no longer shows sequential event numbers on its banking sites and has replaced them with pseudo-random strings.
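To make the pattern described above concrete, here is an added example in Python; it is not Fiserv's code or anything from Krebs' write-up. It shows an alert lookup that trusts a client-supplied sequential event number (so a neighbouring number reaches another customer's record) beside a hardened version that requires the requesting session to own the alert and that issues random identifiers. The in-memory store, the user names, and the alert fields are all constructed for illustration.

```python
"""Sequential alert ids with no ownership check, beside a hardened lookup.

Hypothetical illustration of the weakness class in the article; the store and
all sample data are constructed, not taken from any real system.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Union


@dataclass
class Alert:
    owner: str            # username of the customer who set up the alert
    email: str
    phone: str
    account_number: str
    description: str


class AuthorizationError(Exception):
    """Raised when a session asks for an alert it does not own, or that does not exist."""


class AlertStore:
    """In-memory stand-in for the alert database (constructed for the example)."""

    def __init__(self) -> None:
        self.alerts: Dict[Union[int, str], Alert] = {}
        self._next_event_number = 1000

    def create_sequential(self, alert: Alert) -> int:
        """Weak pattern: consecutive integers make every neighbouring id obvious."""
        event_id = self._next_event_number
        self._next_event_number += 1
        self.alerts[event_id] = alert
        return event_id

    def create_random(self, alert: Alert) -> str:
        """Hardened pattern: a 128-bit random, URL-safe id that cannot be derived from another."""
        event_id = secrets.token_urlsafe(16)
        self.alerts[event_id] = alert
        return event_id


def get_alert_vulnerable(store: AlertStore, session_user: str, event_id) -> Alert:
    """Trusts the client-supplied id: any logged-in customer can read any alert.

    `session_user` is accepted but never consulted, which is the defect.
    """
    return store.alerts[event_id]


def get_alert_hardened(store: AlertStore, session_user: str, event_id) -> Alert:
    """Returns the alert only if the authenticated session owns it."""
    alert = store.alerts.get(event_id)
    # One error for both "missing" and "not yours": the response must not
    # reveal which ids exist, or the id space can still be mapped out.
    if alert is None or alert.owner != session_user:
        raise AuthorizationError("alert not found")
    return alert


def update_alert_phone_hardened(store: AlertStore, session_user: str, event_id, new_phone: str) -> Alert:
    """Edits (adding or changing a contact number) go through the same ownership check as reads."""
    alert = get_alert_hardened(store, session_user, event_id)
    alert.phone = new_phone
    return alert


def mask_account_number(account_number: str) -> str:
    """Render only the last four digits in alert views, limiting what any future bug can expose."""
    return "*" * max(len(account_number) - 4, 0) + account_number[-4:]


def demo():
    """Two customers, consecutive ids: the weak lookup leaks, the hardened one refuses."""
    store = AlertStore()
    store.create_sequential(Alert("alice", "alice@example.com", "555-0100",
                                  "123456789012", "balance below $1,000"))
    bob_id = store.create_sequential(Alert("bob", "bob@example.com", "555-0101",
                                           "987654321098", "any new transaction"))
    leaked_owner = get_alert_vulnerable(store, "alice", bob_id).owner
    try:
        get_alert_hardened(store, "alice", bob_id)
        blocked = False
    except AuthorizationError:
        blocked = True
    return leaked_owner, blocked


if __name__ == "__main__":
    print(demo())  # ('bob', True)
```

The ownership check is the actual fix; swapping sequential numbers for random strings, as the article reports Fiserv did, removes guessability but is not authorization on its own, so a defender wants both. Masking the account number in rendered alerts is a separate, cheap layer that caps the blast radius of the next lookup bug.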