Following news of an extended DDoS attack on Bank of Spain, separate news surfaced of a system flaw with a company that serves the banking industry. Personal and financial details of customers across hundreds of banks were exposed.
KrebsOnSecurity reports that Fiserv, a technology provider for banks, just patched a flaw in its web platform that left customer data compromised. Fiserv’s processing systems are relied on by mostly small banks and credit unions that can’t afford to build out their own infrastructure. The issue was discovered by researcher Kristian Erik Hermansen.
Hermansen had signed up for alerts from a local bank, to let him know when new transactions posted to his account. While logged in, he noticed the bank’s site identified his specific alert with a number. Guessing that the numbers might be sequentially assigned, he then tried to change the site’s code in his browser and alter his assigned number by one digit. Doing so served up the email address, phone number, and last four digits of another person’s bank account number, along with whatever alerts they had signed up for.
The issue resembles a similar situation that we reported on recently, involving LifeLock. Numeric subscriber keys were assigned to customers, which left data at risk of being exposed.
Regarding the Fiserv incident, Krebs writes, “Hermansen said a cybercriminal could abuse this access to enumerate all other accounts with activity alerts on file, and to add or delete phone numbers or email addresses to receive alerts about account transactions.
This would allow any customer of the bank to spy on the daily transaction activity of other customers, and perhaps even target customers who signed up for high minimum balance alerts (e.g., ‘alert me when the available balance goes below $5,000’).”
Fortunately, when Krebs tested the premise, he found that, while logged into one bank, he could not access customer records from a different bank.
Krebs notes that this kind of flaw, known as an information disclosure issue, is a common website security concern. But it is also preventable and easily fixed.
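To show what “easily fixed” means here, the following is an added example and not Fiserv’s code or anything from the Krebs report: a minimal alert-lookup handler with the flaw described above (it trusts the client-supplied sequential number), the same handler with an ownership check, and a small log check that flags a session walking through consecutive alert numbers. The `Alert` record, the `ALERTS` table and the log-line format are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    alert_id: int      # sequential key, the only value the client supplies
    owner: str         # bank customer the alert belongs to
    email: str
    phone: str
    acct_last4: str
    rule: str          # e.g. "balance below 5000"

# Constructed sample data: two customers whose alerts are numbered consecutively.
ALERTS = {
    1001: Alert(1001, "alice", "alice@example.com", "555-0100", "1234", "balance below 5000"),
    1002: Alert(1002, "bob", "bob@example.com", "555-0101", "9876", "new transaction"),
}

def get_alert_vulnerable(session_user: str, alert_id: int) -> Optional[Alert]:
    # The flaw: the lookup never asks whether the logged-in user owns the record,
    # so changing the number by one returns someone else's contact details.
    return ALERTS.get(alert_id)

def get_alert_fixed(session_user: str, alert_id: int) -> Optional[Alert]:
    # Scope the lookup to the authenticated user. A missing record and a record
    # owned by someone else both return None, so the response does not reveal
    # which numbers exist (the web layer would map None to a 404/403).
    alert = ALERTS.get(alert_id)
    if alert is None or alert.owner != session_user:
        return None
    return alert

def flag_sequential_probing(log_lines, threshold: int = 3) -> list:
    # Detection over constructed access-log lines "<session> GET /alerts/<id> <status>":
    # a single session requesting `threshold` or more distinct alert ids is
    # enumerating rather than viewing its own alert.
    by_session: dict = {}
    for line in log_lines:
        session, _method, path, _status = line.split()
        by_session.setdefault(session, set()).add(int(path.rsplit("/", 1)[1]))
    return sorted(s for s, ids in by_session.items() if len(ids) >= threshold)

# Constructed log: sess-A steps through ids 1001..1003; sess-B reads its own alert.
SAMPLE_LOG = [
    "sess-A GET /alerts/1001 200",
    "sess-A GET /alerts/1002 200",
    "sess-A GET /alerts/1003 403",
    "sess-B GET /alerts/1002 200",
]
```

The ownership check is the whole fix; the log check is a cheap way to notice the probing even before the fix ships.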
Get the full story at KrebsOnSecurity.