August 29, 2018

Flaw in Fiserv's platform reveals customers' data at hundreds of FIs

Fiserv Inc., a provider of technology services to financial institutions – including credit unions – recently fixed a web platform weakness that exposed personal and financial details of customers across hundreds of financial institutions' websites.

KrebsOnSecurity reported the news yesterday. The flaw was found when a security researcher began experimenting in his web browser with transaction alerts he received from his bank, which uses Fiserv's platform. By changing the specific "event numbers" attached to his transactions, the researcher could view and edit alerts set up by another bank customer, which let him see that customer's email address, phone number and the last four digits of their bank account number.

This flaw could have allowed a cybercriminal to target customers who had signed up for such banking alerts.
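The class of flaw described above, a record looked up by a browser-supplied number with no ownership check, shown beside its corrected form. This is an added, constructed example and not Fiserv's code; every name in it (`Alert`, `ALERTS`, `get_alert_checked`, `probing_customers`) and all sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    event_number: int
    owner_id: str        # customer who set up the alert
    email: str
    phone: str
    account_last4: str

# Constructed sample records; no real customer data.
ALERTS = {
    1001: Alert(1001, "cust-A", "a@example.com", "555-0100", "1234"),
    1002: Alert(1002, "cust-B", "b@example.com", "555-0101", "5678"),
}

class AlertNotFound(Exception):
    """Raised for missing and for foreign alerts alike."""

def get_alert_unchecked(session_customer, event_number):
    # Flawed pattern: the event number from the browser is the only key,
    # so the authenticated session plays no part in the lookup.
    alert = ALERTS.get(event_number)
    if alert is None:
        raise AlertNotFound(event_number)
    return alert

def get_alert_checked(session_customer, event_number, denied_log):
    # Hardened pattern: the record must belong to the session's customer.
    alert = ALERTS.get(event_number)
    if alert is None or alert.owner_id != session_customer:
        # Record every refused lookup so repeated guessing is visible,
        # and answer identically whether the alert exists or not.
        denied_log.append((session_customer, event_number))
        raise AlertNotFound(event_number)
    return alert

def probing_customers(denied_log, threshold=3):
    # Detection: customers refused on `threshold` or more distinct event numbers.
    seen = {}
    for customer, event_number in denied_log:
        seen.setdefault(customer, set()).add(event_number)
    return sorted(c for c, nums in seen.items() if len(nums) >= threshold)
```

The same ownership check belongs on the edit path as well as the view path, since the researcher could do both.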

KrebsOnSecurity reported that Fiserv said in a statement that the problem came from an issue with "a messaging solution available to a subset of online banking clients." While Fiserv did not disclose the extent of the flaw's impact, KrebsOnSecurity was told by experts that roughly 1,700 banks currently use its retail banking platform.

Fiserv has since fixed the issue. KrebsOnSecurity points out that this kind of flaw "can be just as damaging to a company's brand as other more severe types of security errors," such as the incident that exposed a weakness in Panera Bread's site that made visible tens of millions of customer records, and a bug in LifeLock's site that showed email addresses for millions of customers.

NAFCU has been active with lawmakers since the massive 2013 Target data breach, stressing the need for a legislative solution to reform the nation's data security system. The association has also shared with Congress the principles credit unions would like to see addressed in any comprehensive cyber and data security legislation.

NAFCU remains a leading advocate on this issue and is working to ensure that all entities that hold or collect consumers' personal financial information are held to similar standards as credit unions.