Have you ever swapped out a number or letter in a URL to skip to another page? Cybersecurity researcher and ethical hacker Kristian Erik Hermansen did just that, with startling results.
Hermansen received an email alert from his bank and noticed an “event number” in the URL. By editing the event number in his browser, he was able to access other bank customers’ sensitive information, including their email, phone number, and full account number, KrebsOnSecurity reports.
The problem was the result of a security flaw in a Fiserv application that emails customers account activity alerts. The bad news, as a Krebs investigation uncovered, was that it was not limited to one bank.
Brian Krebs followed up on Hermansen’s research by opening an account at two other Fiserv banks and was able to see email addresses, phone numbers, alert parameters, and partial account numbers for other customers just by changing a single digit.
Fiserv has since fixed the problem, but it’s unclear how many banks were affected, how long this flaw has existed, and whether it was exploited in phishing or social engineering attacks.
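The flaw described above is an insecure direct object reference: the application looked up an alert by the event number in the URL without checking that the event belonged to the logged-in customer. The following is an added example, not Fiserv's code, using a constructed in-memory alert table with hypothetical customer IDs; it shows the unchecked lookup beside a hardened version that enforces ownership and redacts the account number even for the rightful owner.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AlertEvent:
    event_id: int
    customer_id: str
    email: str
    phone: str
    account_number: str


# Constructed sample rows (not real data): sequential event numbers,
# which is what makes walking the ID space trivial.
ALERTS = {
    1001: AlertEvent(1001, "cust-A", "a@example.com", "555-0100", "12345678"),
    1002: AlertEvent(1002, "cust-B", "b@example.com", "555-0101", "87654321"),
    1003: AlertEvent(1003, "cust-A", "a@example.com", "555-0100", "12345678"),
}


class Forbidden(Exception):
    """Raised when the requested event does not belong to the caller."""


def vulnerable_alert_lookup(event_id: int) -> Optional[AlertEvent]:
    """The bug: trusts the event number from the URL and never asks who is
    requesting it, so any logged-in customer can read any other customer's alert."""
    return ALERTS.get(event_id)


def is_owner(current_customer: str, event_id: int) -> bool:
    """Object-level authorization check. Unknown and foreign events both yield
    False so the caller cannot learn which event numbers exist."""
    event = ALERTS.get(event_id)
    return event is not None and event.customer_id == current_customer


def redact(event: AlertEvent) -> AlertEvent:
    """Data minimisation: even the owner only needs the last four digits."""
    return AlertEvent(event.event_id, event.customer_id, event.email,
                      event.phone, "****" + event.account_number[-4:])


def hardened_alert_lookup(current_customer: str, event_id: int) -> AlertEvent:
    """The fix: authorize against the authenticated session, then redact."""
    if not is_owner(current_customer, event_id):
        raise Forbidden(f"event {event_id} is not accessible to {current_customer}")
    return redact(ALERTS[event_id])
```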
The Good News
Once Fiserv heard about the flaw from KrebsOnSecurity, it was promptly fixed.
“Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said to KrebsOnSecurity. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”
The Bad News
Krebs heard about the flaw from Hermansen a week before beginning his own investigation, which then took several more days. During this time the problem went uncorrected even though Hermansen says he informed his bank of the problem and “tried unsuccessfully to get the attention of different Fiserv employees, including the company’s CEO via LinkedIn.”
What went wrong? I couldn’t begin to say. Perhaps Hermansen told someone at his bank about the problem, but that person didn’t think to pass the information up the line. Perhaps it did go up the line, but got lost in the shuffle of an overstuffed email inbox. I’d like to think that if the bank had told Fiserv about it, the flaw would have been corrected just as quickly as it was once the media contacted the company.
Vendor Risk Management Procedures
Regardless of what happened, your institution needs a plan so everyone knows what to do in the event a vendor issue develops. That includes:
A system for handling customer complaints. Being able to access other customers’ data is a serious complaint, one that should be promptly logged and corrected. Make sure your institution has policies and procedures in place for handling customer complaints. That’s not just a potential vendor management issue. It’s a regulatory expectation.
Clear in-house reporting requirements for vendor issues. In this case a customer uncovered the problem, but it could easily have been an employee who discovered an issue with a third-party product, system, or service. Make sure you have procedures for passing along information about vendor issues, and train staff on what to do. Make it clear to whom information should be reported and how it should be reported. Include follow-up procedures to ensure nothing gets lost.
Knowing which vendor, employee, or department to report issues to. If you encounter a security flaw or other issue, make sure you know exactly whom to contact at the company. Don’t just send an email to a generic mailbox. Also ask for an estimate of how long it will take to fix the problem, what will be done to contain the problem in the short term, and how you will be updated on developments.
Vendors make mistakes. We all do. Make sure you have plans in place to ensure that when mistakes are uncovered they are dealt with promptly and properly.
You can’t count on the media to pounce on the problem every time.