If you're one of the 1700+ banks or credit unions currently using Fiserv, or are a customer of one, a flaw in the company's web platform may have exposed your personal and financial information to the masses.
The flaw was first recognized by Kristian Erik Hermansen, when he received an email alert indicating a new transaction had posted to his own bank account. Noticing that the alert carried a specific "event number", Hermansen hypothesized that event numbers for similar transactions were assigned sequentially. He then requested the same page again, but first edited the site's code in his browser so that his event number was decremented by one. This edit allowed him to view and edit alerts created by other customers, along with each customer's email address, phone number and full bank account number.
I shouldn’t be able to see this data. Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.
- Kristian Erik Hermansen
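The weakness described above is a classic insecure direct object reference (IDOR): the server looks an object up by a client-supplied identifier and never checks that the authenticated caller owns it. The following is an added illustration, not code from the article or from Fiserv, showing a lookup handler with that defect beside one that enforces ownership and stops issuing guessable sequential identifiers. The alert store, customer names and contact details are constructed sample data.

```python
"""
Added example (not from the article or Fiserv): an IDOR on a transaction-alert
lookup, and the server-side ownership check that closes it.
All records below are constructed sample data.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    event_id: str
    owner: str            # authenticated customer who created the alert
    email: str
    phone: str
    account_number: str


# Constructed store keyed by a sequential event number, as the article
# describes. In a real deployment this would be a database table.
ALERTS = {
    "1001": Alert("1001", "alice", "alice@example.test", "555-0100", "11112222"),
    "1002": Alert("1002", "bob", "bob@example.test", "555-0101", "33334444"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested alert."""


def get_alert_vulnerable(current_user: str, event_id: str) -> Alert:
    """Defective handler: trusts the client-supplied id and ignores who is asking.
    Any authenticated customer who changes event_id sees another customer's data."""
    return ALERTS[event_id]


def get_alert_hardened(current_user: str, event_id: str) -> Alert:
    """Fixed handler: fetch the record, then verify the caller owns it.
    A missing id and a foreign id produce the same error, so the response
    does not confirm which event numbers exist."""
    alert = ALERTS.get(event_id)
    if alert is None or alert.owner != current_user:
        raise Forbidden("alert not found")
    return alert


def can_access(current_user: str, event_id: str) -> bool:
    """Convenience wrapper returning True only when the hardened check passes."""
    try:
        get_alert_hardened(current_user, event_id)
        return True
    except Forbidden:
        return False


def new_event_id() -> str:
    """Unguessable identifier for new alerts. This removes the sequential
    enumeration the article describes but is not a substitute for the
    ownership check above; both are needed."""
    return secrets.token_urlsafe(16)


def create_alert(owner: str, email: str, phone: str, account_number: str) -> Alert:
    """Stores a new alert under a random id and returns it."""
    alert = Alert(new_event_id(), owner, email, phone, account_number)
    ALERTS[alert.event_id] = alert
    return alert


if __name__ == "__main__":
    # Demonstrates the difference on the constructed data.
    print("vulnerable, alice asks for 1002:", get_alert_vulnerable("alice", "1002").owner)
    print("hardened, alice asks for 1002:", can_access("alice", "1002"))
    print("hardened, alice asks for 1001:", can_access("alice", "1001"))
    print("new alert id:", create_alert("alice", "alice@example.test", "555-0100", "11112222").event_id)
```

The ownership comparison is the part that matters; random identifiers only raise the cost of enumeration and should be treated as defence in depth. In a framework deployment the same check belongs in the data-access layer rather than in each route, so a new endpoint cannot forget it.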
Since being notified of the security weakness, a Fiserv spokesperson gave the following response to KrebsOnSecurity: "...we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution."
For more information on the issue, and KrebsOnSecurity's own research into and testing of the security flaw, check out the original story.