31 Aug 2018

Fortune 500 company exposes account numbers

The Fortune 500 company Fiserv [NASDAQ:FISV], which provides community banks and credit union financial institutions with technology capabilities, has recently plugged a hole in its web service. Fiserv, Inc. enjoyed $5.7B in earnings last year and, according to FedFis.com, in 2017 had approximately 37.1% of the market share in bank core processing.

In the first week of August, it was discovered that account holders who signed up for email alerts on their transactions had been assigned sequential numbers, so changing the number in the URL to a lower one exposed other account holders’ transaction alerts. That exposure made it possible to edit others’ alerts and to see that person’s bank account number (in some cases only the last 4 digits), email address, and phone number. Other banks using Fiserv’s front-end alert system could also be susceptible. Those banks would be identifiable by the domain name “secureinternetbank.com” in the URL of the alert module.
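
The flaw described above comes down to a server returning whatever record the number in the URL names, without checking who is asking. As an added example (not Fiserv's code; the class, field names and sample records are constructed for illustration), the lookup below shows that handler beside one that ties each alert to the authenticated session:

```python
class AlertStore:
    """In-memory stand-in for an alert service (hypothetical design)."""

    def __init__(self):
        self._alerts = {}     # alert id -> record
        self._next_id = 1000  # sequential counter, as in the flaw described

    def create(self, owner, email, account_last4):
        alert_id = str(self._next_id)
        self._next_id += 1
        self._alerts[alert_id] = {
            "owner": owner, "email": email, "account_last4": account_last4,
        }
        return alert_id

    def get_vulnerable(self, session_user, alert_id):
        # Flaw: the id taken from the URL is trusted; session_user is ignored.
        return self._alerts.get(alert_id)

    def get_hardened(self, session_user, alert_id):
        # Fix: return the record only to its owner. An unknown id and someone
        # else's id give the same answer, so ids cannot be probed for existence.
        record = self._alerts.get(alert_id)
        if record is None or record["owner"] != session_user:
            return None
        return record


def demo():
    # Constructed sample data: two customers sign up one after the other.
    store = AlertStore()
    store.create("alice", "alice@example.com", "1234")
    bob_id = store.create("bob", "bob@example.com", "5678")
    lower_id = str(int(bob_id) - 1)  # the "lesser number" from the report
    return {
        "vulnerable": store.get_vulnerable("bob", lower_id),
        "hardened_other": store.get_hardened("bob", lower_id),
        "hardened_own": store.get_hardened("bob", bob_id),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The same ownership check belongs on the edit path as well as the read path, since the report says alerts could be changed as well as viewed.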
