Flaw in Fiserv banking platform exposed personal data

The exploit, which has now been patched, affected customers banking with hundreds of financial institutions

Credit cards close up

US-based financial services firm Fiserv has just fixed a flaw in its web platform that exposed the personal and financial details of a vast number of banking customers.

With more than 12,000 clients across the world using the company's services, it is hard to establish how many customers' details were exposed in the 'information disclosure vulnerability' found by security researcher Kristian Erik Hermansen.

When logging into his local bank, which uses Fiserv's platform, Hermansen learned email alerts for financial transactions were assigned an 'event number', which he successfully predicted were distributed in sequence, according to KrebsOnSecurity.

Using this knowledge, the researcher was able to directly view alerts set up by another customer by rewriting the site's code in his browser and sending a request for an altered event number. He was able to view the customer's email address, phone number and bank account number - as well as view and edit alerts they had previously set up.

"I shouldn't be able to see this data," he said. "Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see." He added a criminal could have exploited the flaw to steal information from customers.

Together with KrebsOnSeceurity author Brian Krebs, Hermansen worked to verify whether or not the flaw was exclusive to his own bank's installation of the platform. They soon discovered hundreds of other Fiserv-affiliated banks may have been just as vulnerable as those they had tested.

IT Pro approached Fiserv for comment, and to establish how many institutions in the UK may have been affected, if any, but the company did not respond at the time of writing. A spokesperson told Krebs that Fiserv had responded accordingly, and corrected the issue.

"After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation," the spokesperson said.

"We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilise a hosted version of the solution. We will be deploying the patch this evening to clients that utilise an in-house version of the solution."

While information disclosure vulnerabilities are among the most common types of website security issues, according to Krebs, they are also the most preventable and easy to fix. But they can also cause just as much damage to a company's brand as more severe security risks.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021

Most Popular

SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021