A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that “baffling” security vulnerabilities in the company’s software are “wreaking havoc” on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.
Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.8 billion in revenue last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions, mostly small community banks and credit unions.
In August 2018, in response to inquiries by KrebsOnSecurity, Fiserv fixed a pervasive security and privacy hole in its online banking platform. The access-control weakness allowed any logged-in bank customer to view account data for other customers, including account number, balance, phone numbers and email addresses.
In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.
Recall that in my August 2018 report, Fiserv’s own systems were exposing online banking account numbers for its customers. Thus, an attacker would only need to know the last four digits of a target’s SSN to reset that customer’s password, according to Bessemer. And that information is for sale in multiple places online and in the cybercrime underground for a few bucks per person.
Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN, a space of only 10,000 possible values: for example, limiting the number of times a user can submit a reset request, or imposing a waiting period after a certain number of failed attempts.
The lawsuit says the fix Fiserv scrambled to put in place after Bessemer complained was “pitifully deficient and ineffective:”

“Fiserv attempted to fortify Bessemer’s online banking website by requiring users registering for an account to supply a member’s house number. This was ineffective because residential street addresses can be readily found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed.”
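The two weaknesses described above, a reset flow keyed on account number plus last-four SSN with no attempt limiting, and a house-number check that only some servers enforced, as a constructed Python simulation. This is an added example, not Fiserv’s code or anything taken from the complaint: the service classes, the account number, SSN digits and house number are made up, and the five-failure lockout threshold is an assumed value.

```python
# Constructed simulation of the two reset-flow weaknesses alleged in the complaint.
# Added illustration, not Fiserv's code; all account data below is made up.


class UnthrottledResetService:
    """Reset keyed on account number + last four SSN digits, with no attempt limit."""

    def __init__(self, accounts):
        # accounts: acct_no -> {"ssn4": str, "house_number": str, "password": str}
        self.accounts = accounts

    def reset_password(self, acct_no, ssn4, new_password):
        acct = self.accounts.get(acct_no)
        if acct is None or acct["ssn4"] != ssn4:
            return False
        acct["password"] = new_password
        return True


class ThrottledResetService(UnthrottledResetService):
    """Same verifier, but locks the account after MAX_FAILURES bad guesses (assumed value)."""

    MAX_FAILURES = 5

    def __init__(self, accounts):
        super().__init__(accounts)
        self.failures = {}
        self.locked = set()

    def reset_password(self, acct_no, ssn4, new_password):
        if acct_no in self.locked:
            return False
        if super().reset_password(acct_no, ssn4, new_password):
            self.failures.pop(acct_no, None)
            return True
        n = self.failures.get(acct_no, 0) + 1
        self.failures[acct_no] = n
        if n >= self.MAX_FAILURES:
            self.locked.add(acct_no)
        return False


def brute_force_reset(service, acct_no, new_password="attacker-chosen"):
    """Attacker knows the account number but not the SSN digits, so tries all
    10,000 values in order. Returns (succeeded, attempts_made)."""
    for attempt in range(1, 10001):
        guess = f"{attempt - 1:04d}"
        if service.reset_password(acct_no, guess, new_password):
            return True, attempt
    return False, 10000


class HouseNumberResetNode:
    """One backend node of the 'fixed' flow. Enforcement of the added house-number
    check is a per-node setting, so a node deployed with it off silently skips it."""

    def __init__(self, accounts, enforce_house_number):
        self.accounts = accounts
        self.enforce_house_number = enforce_house_number

    def reset_password(self, acct_no, ssn4, house_number, new_password):
        acct = self.accounts.get(acct_no)
        if acct is None or acct["ssn4"] != ssn4:
            return False
        if self.enforce_house_number and acct["house_number"] != house_number:
            return False
        acct["password"] = new_password
        return True


def find_lax_node(fleet, acct_no, ssn4, wrong_house_number="0"):
    """Attacker with ssn4 but the wrong house number re-sends the same request to
    each node; returns the index of the first node that accepts it, else None."""
    for idx, node in enumerate(fleet):
        if node.reset_password(acct_no, ssn4, wrong_house_number, "attacker-chosen"):
            return idx
    return None


def sample_accounts():
    """Constructed test data, not real customer records."""
    return {"10001234": {"ssn4": "4321", "house_number": "742", "password": "hunter2"}}


if __name__ == "__main__":
    print(brute_force_reset(UnthrottledResetService(sample_accounts()), "10001234"))
    print(brute_force_reset(ThrottledResetService(sample_accounts()), "10001234"))
    shared_store = sample_accounts()
    fleet = [HouseNumberResetNode(shared_store, True),
             HouseNumberResetNode(shared_store, True),
             HouseNumberResetNode(shared_store, False)]
    print(find_lax_node(fleet, "10001234", "4321"))
```

Against the unthrottled service the enumeration succeeds as soon as it reaches the right digits; against the throttled one it is locked out after five guesses and the password is untouched. Note that lockout alone only trades one problem for another (five junk guesses let an attacker lock a legitimate member out), and a house number is as guessable as any other public fact. The durable fix is to stop completing resets on knowledge-based data at all, for example by sending a single-use token to a previously verified contact channel, and to enforce whatever check remains in one place rather than on each node.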
Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.
The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”
Fiserv did not immediately respond to requests for comment. But Fiserv spokesperson Ann Cave was quoted in several publications saying, “We believe the allegations have no merit and will respond to the claims as part of the legal process.”
Charles Nerko, the attorney representing Bessemer in the lawsuit, said to protect the credit union’s members, the credit union is replacing its core processing vendor, although Nerko would not specify where the credit union might be taking its business.
According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share. And it’s poised to soon get much bigger.
In January 2019, Fiserv announced it was acquiring payment processing giant First Data in a $22 billion all-stock deal. The deal is expected to close in the second half of 2019, pending an antitrust review by the U.S. Justice Department.
That merger, should it go through, may not bode well for Fiserv’s customers, argues Paul Schaus of American Banker.
“Banks should take this trend as a warning sign,” Schaus wrote. “Rather than delivering new innovations that banks and their customers crave, legacy vendors are looking to remain relevant by acquiring existing products and services that expand their portfolios into new areas of financial services. As emerging technologies grow more critical to everyday business, these legacy vendors, which banks have deep longstanding relationships with, likely won’t be on the leading edge in every product or channel. Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”