An August 28, 2018 article from leading IT security flaw-finder and reporter Brian Krebs (https://krebsonsecurity.com) disclosed evidence that a misconfiguration in Fiserv’s online banking platform exposes customer information to other customers of the same bank.
In summary, when a bank customer creates an account alert through their online banking account, the alert is assigned a sequential Event ID that is displayed in the URL. When the user (or a potential bad guy) views the alert through the online banking portal, the Event ID in the URL can be changed to a different Event ID, exposing the alerts of other customers of that bank. The data identified as exposed included the customer’s email address, phone number and either the full or a partial bank account number, depending on the institution’s account number masking configuration.
Some key items to note from Krebs’s article: First, the information disclosure appears to be limited to accounts within the same bank. That is to say, a customer at one bank could not view the alerts and data of a customer at another bank.
Second, the vulnerability requires the user to be a legitimate bank customer with access to an online banking account. This significantly reduces the pool of threat actors that could leverage the vulnerability into something more nefarious.
However, a risk that is not public-facing is still a risk that should be addressed. The deTECH readership includes a significant number of community banks that use Fiserv core banking platforms and its online banking products. Steps should be taken immediately to verify that your platforms have been updated with the patch developed by Fiserv. Internal testing should be performed to validate that the fix has remediated the issue.
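The lookup flaw described above, and the kind of internal check that would validate a fix, as an added illustration that is not Fiserv’s, Krebs’s or YHB’s code: a lookup that consults only the Event ID from the URL sits beside a hardened lookup that also requires the record to belong to the authenticated customer, and a small log scan flags a session stepping through Event IDs it does not own. The customers, alerts, field names and log format are all constructed for the example.

```python
"""Insecure-direct-object-reference lookup beside its hardened form,
a verification routine for the patched endpoint, and a log check for
ID enumeration. All customers, alerts and log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    event_id: int
    owner_id: str        # customer who created the alert
    bank_id: str
    email: str
    phone: str
    account_number: str


# Constructed sample data: two customers of one bank with adjacent Event IDs.
ALERTS = {
    1001: Alert(1001, "cust-A", "bank-1", "a@example.test", "555-0100", "123456789"),
    1002: Alert(1002, "cust-B", "bank-1", "b@example.test", "555-0101", "987654321"),
}


class NotFound(Exception):
    """Raised for both 'no such alert' and 'not your alert'."""


def get_alert_insecure(session_user: str, event_id: int) -> Alert:
    """The flaw in the article: the only input consulted is the Event ID
    from the URL, so any logged-in customer can read any alert."""
    alert = ALERTS.get(event_id)
    if alert is None:
        raise NotFound(event_id)
    return alert


def get_alert(session_user: str, event_id: int) -> Alert:
    """Hardened lookup: the session's customer must own the record."""
    alert = ALERTS.get(event_id)
    if alert is None or alert.owner_id != session_user:
        # Identical failure for 'missing' and 'not owned', so the response
        # does not reveal which sequential IDs exist.
        raise NotFound(event_id)
    return alert


def masked(alert: Alert, visible: int = 4) -> dict:
    """Display form: show only the last `visible` digits of the account number."""
    n = alert.account_number
    return {"email": alert.email, "phone": alert.phone,
            "account": "*" * (len(n) - visible) + n[-visible:]}


def verify_fix(lookup) -> bool:
    """Internal test for the patched endpoint: a customer can read their own
    alert, and the neighbouring Event ID owned by someone else is refused."""
    own = lookup("cust-A", 1001).owner_id == "cust-A"
    try:
        lookup("cust-A", 1002)       # cust-B's alert, one ID away
        cross = True
    except NotFound:
        cross = False
    return own and not cross


# Detection side: constructed web-log lines in the shape
# "<time> user=<id> GET /alerts?eventId=<n> status=<code>".
LOG_RE = re.compile(r"user=(\S+) GET /alerts\?eventId=(\d+) status=(\d+)")
SAMPLE_LOG = [
    "2018-08-28T10:00:01 user=cust-A GET /alerts?eventId=1001 status=200",
    "2018-08-28T10:00:09 user=cust-A GET /alerts?eventId=1002 status=200",
    "2018-08-28T10:00:12 user=cust-A GET /alerts?eventId=1003 status=200",
    "2018-08-28T10:00:15 user=cust-A GET /alerts?eventId=1004 status=200",
    "2018-08-28T10:05:00 user=cust-B GET /alerts?eventId=1002 status=200",
]


def flag_enumeration(lines, threshold: int = 3) -> dict:
    """Return {user: sorted Event IDs} for sessions that requested at least
    `threshold` distinct alerts they do not own."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, event_id = m.group(1), int(m.group(2))
        alert = ALERTS.get(event_id)
        if alert is None or alert.owner_id != user:
            seen[user].add(event_id)
    return {u: sorted(ids) for u, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("insecure lookup passes check:", verify_fix(get_alert_insecure))
    print("hardened lookup passes check:", verify_fix(get_alert))
    print("flagged sessions:", flag_enumeration(SAMPLE_LOG))
```

The ownership test belongs in the application, not in the masking: masking only limits what a successful cross-customer read reveals, while the owner check is what prevents the read. The log check is a baseline for the pattern this flaw leaves behind and complements, rather than replaces, confirming the vendor patch is installed.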
In the world of cybersecurity, the good guys have to be correct 100% of the time; the bad guys only have to be right once. It is critically important to stay on the front end of security flaws, share information as timely as possible, and to always be looking for weaknesses.
Bryan is a Partner at YHB and serves on the Risk Advisory Services Team. Bryan focuses on assisting organizations in a variety of industries with internal audits and IT-related audit and consulting services.