Fortune 500 company Fiserv is a major provider of core technology services to financial institutions, with its account and transaction processing systems powering hundreds of banking websites worldwide.
According to FedFis.com, Fiserv is the top bank core processor (37 percent market share), with its solutions commonly used by small community banks and credit unions.
But a few weeks ago, a security nightmare began to unfold. Investigative security journalist Brian Krebs heard from security researcher Kristian Erik Hermansen, who said he’d discovered “something curious” while logged into an account at a tiny local bank. And that bank was using Fiserv’s platform.
Hermansen signed up for email alerts that would notify him each time a new transaction posted to his account, and he found that the site gave each alert a designated ‘event number’.
He scrutinized these event numbers and realized they appeared in the code of the webpage, and that they appeared to be assigned sequentially, not randomly. So he began editing the webpage code in his web browser and reloading the page – and lo and behold, he could view and edit alerts set up by other bank customers. In one example, he could see another customer’s email address, phone number, and full bank account number.
So, how could a cybercriminal abuse this security vulnerability? Hermansen said an attacker could use this access to enumerate all other accounts with activity alerts on file, and to add or delete the phone numbers or email addresses that receive alerts about account transactions. This would allow any customer of the bank to spy on the daily transaction activity of other customers, and to do things like target customers who had signed up for high minimum balance alerts.
Fiserv says it has fixed the problem with its e-banking platform and indicated that the issue affected only a “very small percentage” of its customers.
“Upon learning of the issue, we promptly developed a patch to update the feature, deployed the patch to clients and confirmed the patch resolves the issue,” said the company in a statement.
“Ongoing research and monitoring has not identified, nor have we received reports of, any adverse consumer impact related to this matter. Fiserv recognizes the importance of security and takes all security concerns seriously.”
On 28 August, Brian Krebs confirmed that Fiserv no longer shows sequential event numbers on its banking sites and has replaced them with pseudo-random strings.
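The flaw described above, where the browser supplies a sequential event number and the server never checks which customer owns the alert, and the fix Krebs confirmed, are modelled in the following added Python example. It is not Fiserv’s code and is not from the original post: the alert store, the customer names, the account strings and the access log are all constructed, and the detection threshold is an illustrative assumption. The hardened store shows that the essential control is an ownership check on every read and write; the unguessable identifier is defence in depth that stops enumeration, not a substitute for authorization.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Alert:
    owner: str           # customer who created the alert
    email: str
    phone: str
    account_number: str  # constructed sample value, not a real account


class VulnerableAlertStore:
    """Models the flaw: sequential event numbers, and a lookup that trusts the
    number sent by the browser without checking which customer owns it."""

    def __init__(self):
        self._alerts = {}
        self._next_event = 1000

    def create(self, alert):
        event_no = self._next_event
        self._next_event += 1
        self._alerts[event_no] = alert
        return event_no

    def view(self, session_user, event_no):
        # No ownership check: the session user is ignored entirely.
        return self._alerts.get(event_no)


class HardenedAlertStore:
    """Two independent fixes. The authorization check is the essential one:
    an alert is only returned to the customer who owns it. The unguessable
    identifier is defence in depth: it stops event ids being enumerated."""

    def __init__(self):
        self._alerts = {}

    def create(self, alert):
        event_id = secrets.token_urlsafe(16)   # 128 bits of randomness
        self._alerts[event_id] = alert
        return event_id

    def view(self, session_user, event_id):
        alert = self._alerts.get(event_id)
        if alert is None or alert.owner != session_user:
            # Identical response for "does not exist" and "not yours", so a
            # probing request learns nothing about other customers' alerts.
            raise PermissionError("alert not found")
        return alert

    def update_contact(self, session_user, event_id, email=None, phone=None):
        alert = self.view(session_user, event_id)  # same check guards writes
        if email is not None:
            alert.email = email
        if phone is not None:
            alert.phone = phone
        return alert


def cross_account_read(store_cls):
    """Return True if customer 'alice' can read an alert created by 'bob'."""
    store = store_cls()
    store.create(Alert("alice", "alice@example.com", "555-0100", "ACCT-0001"))
    bob_id = store.create(Alert("bob", "bob@example.com", "555-0101", "ACCT-0002"))
    try:
        leaked = store.view("alice", bob_id)
    except PermissionError:
        return False
    return leaked is not None and leaked.owner == "bob"


def flag_enumeration(access_log, threshold=5):
    """Detection side: from (session_user, outcome) records, list users with
    an unusual number of denied alert lookups. A customer viewing their own
    alerts is almost never denied; a session walking through event ids is
    denied constantly. The threshold is an assumption for illustration."""
    denied = Counter(user for user, outcome in access_log if outcome == "denied")
    return sorted(user for user, n in denied.items() if n >= threshold)


# Constructed sample log: one ordinary customer, one session probing ids.
SAMPLE_LOG = [("bob", "ok"), ("bob", "ok")] + [("probe", "denied")] * 7 + [("probe", "ok")]

if __name__ == "__main__":
    print("vulnerable store leaks:", cross_account_read(VulnerableAlertStore))
    print("hardened store leaks:", cross_account_read(HardenedAlertStore))
    print("sessions flagged:", flag_enumeration(SAMPLE_LOG))
```

Note that the hardened store returns the same error for a missing id and for someone else’s id; returning “forbidden” for the latter would itself confirm that the id exists. The denied-lookup counter is the kind of signal a bank’s monitoring could key on even before the identifiers are changed, because legitimate sessions almost never request alerts they do not own.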
Are smaller banks too trusting when it comes to cybersecurity?
While this issue was discovered and remediated quickly, it does raise a question about the reliance of banks on their technology providers – specifically those smaller banks and credit unions that rely on providers like Fiserv for core banking services. An American Banker article last year touched on this, with analysts at Aite saying that the U.S. market for core banking services – those that handle basic transactions and accounting for a bank – had come to be “overwhelmingly dominated” by only a few vendors. Furthermore, it was revealed that these smaller banks were typically selecting a vendor based on the perceived safety of choosing one of the incumbents rather than on the value being offered to their businesses. Switching isn’t easy either, so the decision to change vendors is also influenced by the complexity (and cost) of replacing core systems, as another analyst pointed out.
Small banks won’t be constrained by legacy tech
Despite this, there are signs banks are looking to new vendors for new opportunities; a recent McKinsey report suggested that core banking systems “dating back from the 1970s are compromising bank performance. However, updating them is becoming less costly and risky.”
The US National Cyber Security Alliance previously found that 60 percent of small companies are unable to sustain their businesses for more than six months after a cyber-attack, which shows how the stakes have gone up. This is creating different mindsets within the banks, and new, innovative vendors are taking advantage of the opportunity.
If you look at history, technology cycles are a fact of life and we’re seeing indicators of a big shift for banking security technology. While the old adage goes that “nobody ever got fired for buying IBM”, recent developments have shown that nimble and innovative security companies are far better at keeping up with the pace of cybercriminals’ innovation.
Products like our own Protector Air take a whole new view of security threats, protecting banks from client-side malware on customer systems, and protecting customers from fraud inflicted by that malware. While businesses might think the low-risk play is to go with the products of legacy vendors, they are actually introducing risk by deploying technologies that aren’t suited to defending against modern attacks.
To learn more about Protector Air, please click one of the links below.