Fiserv flaw exposed customers’ banking data
A flaw in the web platform of Fiserv has exposed personal and financial account information on hundreds of bank websites.
According to KrebsOnSecurity, the flaw is now fixed. The site was tipped off by security researcher Kristian Erik Hermansen, who claimed to have found that, just by altering the site’s code through the browser, he could access other customers’ details, including transaction activity.
“I shouldn’t be able to see this data,” Hermansen told KrebsOnSecurity. “Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.”
The vulnerability, discovered within Fiserv’s one-way messaging feature, was exploitable only if a customer had set up alerts on their bank account.
Fiserv didn’t specify the exact number of affected institutions, but there are reportedly over 1,700 using its system.
A Fiserv spokesperson said the patch would be released by that evening: “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation.
“We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilise a hosted version of the solution. We will be deploying the patch this evening [28 August] to clients that utilise an in-house version of the solution.”