SECURITY NOTICE: MAJOR ONLINE BANKING PLATFORM VULNERABILITY - FISERV

Businesses that utilize Fiserv eBanking platforms should take note of an online banking information disclosure vulnerability that was recently made public. Fiserv is a top provider of internet banking solutions for banks of various sizes. In a recent Brian Krebs article, it was verified that security researcher Kristian Erik Hermansen discovered an information disclosure vulnerability that allowed one e-banking customer to view certain details of other customers, effectively bypassing authentication. Here are some more details:

  • The eBanking platform allows a customer to set up email-based alerts when new transactions are applied to their account, as well as other customizable conditions (e.g., dollar thresholds).
  • This alerting process assigns each alert a specific event ID number, which appears in the web address. According to the analysis performed, these event numbers appeared to be sequential.
  • If a customer has an alert generated, the customer can modify the event ID within the site's code and obtain access to the alert setup pages of other customers.
  • After gaining access to another customer's alerts, an attacker can view and edit those alerts and see the customer's email address, phone number and full bank account number.

The above situation refers to a common type of secure coding issue known as Exposed Session Variables. This issue involves an attacker modifying session tokens to impersonate another individual, gaining access to that individual's details and permissions. The session variables used in an application may appear to be random, but attackers are able to use special tools to predict the next value and gain unauthorized access. The issue is associated with the OWASP Top 10 security issues (A3 – Broken Authentication and Session Management). Testing for these types of errors should be common practice for development shops, and it should also be a routine manual check in a web application penetration test. Checking for this type of vulnerability is part of Schneider Downs’ comprehensive web application penetration test.

Fiserv has researched the issue and determined that it stems from a messaging solution available to a subset of online banking clients. Since then, the company has applied a hotfix to all Fiserv-hosted platforms which changes alerts to use randomly generated event ID strings instead of sequential event IDs. Per Fiserv, the hotfix will be made available shortly to customers who have local installations of the Fiserv eBanking platform.

IMMEDIATE ACTION: We recommend that you verify that the hotfix has been applied to your environment by performing a test against an alert, if possible.
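To make the issue above concrete, here is an added example (not Fiserv's code, and not part of the original notice) contrasting the weak pattern the notice describes with a hardened version, followed by a small helper for the verification step. The in-memory alert store, the customer names, and the account and phone values are all constructed for illustration. The hardened version goes one step beyond the hotfix described above: in addition to random event ID strings, it checks that the authenticated caller owns the alert, which is the control that actually stops one customer from reading another's data.

```python
"""Vulnerable vs. hardened alert lookup, plus a sequential-ID check.

Added example; not Fiserv's code. The store, names and sample values
below are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller requests an alert that does not belong to them."""


@dataclass
class Alert:
    event_id: str
    owner: str            # authenticated customer who created the alert
    email: str
    phone: str
    account_number: str   # the sensitive field the notice says was exposed
    threshold: float      # e.g. notify on transactions above this amount


@dataclass
class AlertStore:
    alerts: dict = field(default_factory=dict)
    next_seq: int = 1000  # constructed starting point for the sequential scheme

    # --- Pattern the notice describes: sequential IDs, no ownership check ---
    def create_sequential(self, owner, email, phone, account_number, threshold):
        event_id = str(self.next_seq)  # 1000, 1001, 1002 ... trivially predictable
        self.next_seq += 1
        alert = Alert(event_id, owner, email, phone, account_number, threshold)
        self.alerts[event_id] = alert
        return alert

    def get_alert_unchecked(self, caller, event_id):
        # Vulnerable: the authenticated caller is never compared with the
        # alert's owner, so any valid event_id returns any customer's data.
        return self.alerts[event_id]

    # --- Hardened: unguessable IDs AND an explicit ownership check ---
    def create_random(self, owner, email, phone, account_number, threshold):
        # 16 random bytes (~128 bits) rendered as a URL-safe token; mirrors the
        # "randomly generated event ID string" the hotfix introduced.
        event_id = secrets.token_urlsafe(16)
        alert = Alert(event_id, owner, email, phone, account_number, threshold)
        self.alerts[event_id] = alert
        return alert

    def get_alert_checked(self, caller, event_id):
        # Random IDs are defence in depth; the authorization check is what
        # actually prevents one customer from reading another's alert.
        alert = self.alerts.get(event_id)
        if alert is None or alert.owner != caller:
            # Same response for "missing" and "not yours", so the endpoint
            # does not confirm which IDs exist.
            raise Forbidden("alert not found or not owned by caller")
        return alert


def ids_look_sequential(event_ids):
    """Hotfix verification helper: True when every ID is a plain integer and,
    after sorting, the IDs form a run with no gaps (1000, 1001, 1002 ...).
    Feed it the event IDs of a few alerts you create in your own account."""
    if len(event_ids) < 2 or not all(e.isdigit() for e in event_ids):
        return False
    values = sorted(int(e) for e in event_ids)
    return all(b - a == 1 for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    store = AlertStore()
    # Constructed sample customers (fictional addresses, numbers and accounts).
    a = store.create_sequential("alice", "alice@example.test", "412-555-0100", "000111222", 500.0)
    b = store.create_sequential("bob", "bob@example.test", "614-555-0199", "999888777", 250.0)
    print("sequential?", ids_look_sequential([a.event_id, b.event_id]))          # True
    print("unchecked lookup leaks:", store.get_alert_unchecked("alice", b.event_id).account_number)
    c = store.create_random("alice", "alice@example.test", "412-555-0100", "000111222", 500.0)
    d = store.create_random("bob", "bob@example.test", "614-555-0199", "999888777", 250.0)
    print("sequential?", ids_look_sequential([c.event_id, d.event_id]))          # False
    try:
        store.get_alert_checked("alice", d.event_id)
    except Forbidden as exc:
        print("checked lookup refused:", exc)
```

For the verification step, create two or three alerts in a test account of your own and pass their event IDs to ids_look_sequential; if it returns True, the sequential scheme is still in place. Note that a False result only shows the IDs are no longer consecutive; it says nothing about whether an ownership check exists, which is why the hardened lookup above enforces one regardless of how the ID was generated.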

We can assist you with the next steps to take.

NEXT STEPS:

  • Independent penetration testing of your online banking environments should be performed to check for potential misconfigurations. This testing should occur at both the network and web-application level.
  • If the application is vendor-hosted, ensure that the vendor engages an independent party to perform penetration testing against its products and systems. Ensure that your contracts with your software hosting vendors give you the right to review the results of these tests with your vendors in more detail. Our cybersecurity experts can guide you through this process.
  • Ensure that your vendors maintain secure coding practices and that they validate that their releases do not contain vulnerabilities. Similarly, our cybersecurity experts and IT auditors can help assess your vendor’s coding practices.

Contact Schneider Downs’ cybersecurity advisory team for assistance or clarification on how to achieve these security steps.

For more information, please refer to the following sources:
