A Pennsylvania credit union is suing financial industry technology giant Fiserv, alleging that “baffling” security vulnerabilities in the company’s software are “wreaking havoc” on its customers. The credit union said the investigation that fueled the lawsuit was prompted by a 2018 KrebsOnSecurity report about glaring security weaknesses in a Fiserv platform that exposed personal and financial details of customers across hundreds of bank Web sites.
Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.8 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions.
In August 2018, in response to inquiries by KrebsOnSecurity, Fiserv fixed a pervasive security and privacy hole in its online banking platform. The authentication weakness allowed bank customers to view account data for other customers, including account number, balance, phone numbers and email addresses.
In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.
Recall that in my Aug 2018 report, Fiserv’s own systems were exposing online banking account numbers for its customers. Thus, an attacker would only need to know the last four digits of a target’s SSN to reset that customer’s password, according to Bessemer. And that information is for sale in multiple places online and in the cybercrime underground for a few bucks per person.
Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.
The lawsuit says the fix Fiserv scrambled to put in place after Bessemer complained was “pitifully deficient and ineffective:”
“Fiserv attempted to fortify Bessemer’s online banking website by requiring users registering for an account to supply a member’s house number. This was ineffective because residential street addresses can be readily found on the internet and through other public sources. Moreover, this information can be guessed through a trial-and-error process. Most alarmingly, this security control was purely illusory. Because some servers were not enforcing this security check, it could be readily bypassed.”
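The two controls the complaint says were missing are a cap on failed recovery attempts (the last four SSN digits have only 10,000 possible values) and enforcement of the same check on every request path. The sketch below is an added illustration, not Fiserv’s or Bessemer’s code: a single server-side gate that every reset or registration request must pass, with lockout after a fixed number of failures and constant-time comparison of each factor. The member record, thresholds and clock hook are constructed for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample member record: account number -> recovery factors.
MEMBERS = {
    "1000123456": {"ssn4": "4321", "house": "742"},
}


class ResetGate:
    """Hypothetical account-recovery gate: account number + SSN last four
    + house number, with per-account lockout. All request paths call this
    one object, so no server can skip the check."""
    MAX_FAILS = 5            # failures allowed before lockout (assumed)
    LOCK_SECONDS = 15 * 60   # lockout duration (assumed)

    def __init__(self, members, now=time.monotonic):
        self.members = members
        self.now = now                    # injectable clock for testing
        self.fails = defaultdict(int)     # account -> consecutive failures
        self.locked_until = {}            # account -> lock expiry time

    def verify(self, account, ssn4, house):
        t = self.now()
        if self.locked_until.get(account, 0) > t:
            return "locked"               # refuse even a correct guess
        rec = self.members.get(account)
        # Compare both factors even for unknown accounts so response
        # timing does not reveal whether an account number exists.
        expected = rec if rec else {"ssn4": "", "house": ""}
        ok = rec is not None
        ok &= hmac.compare_digest(expected["ssn4"].encode(), ssn4.encode())
        ok &= hmac.compare_digest(expected["house"].encode(), house.encode())
        if ok:
            self.fails.pop(account, None)
            return "ok"
        self.fails[account] += 1
        if self.fails[account] >= self.MAX_FAILS:
            self.locked_until[account] = t + self.LOCK_SECONDS
            self.fails.pop(account, None)
            return "locked"
        return "denied"
```

Five wrong SSN guesses lock the account for fifteen minutes, during which even the correct factors are refused; the "denied" response is identical for unknown accounts and wrong factors.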
Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.
The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”
Fiserv did not immediately respond to requests for comment. But Fiserv spokesperson Ann Cave was quoted in several publications saying, “We believe the allegations have no merit and will respond to the claims as part of the legal process.”
Charles Nerko, the attorney representing Bessemer in the lawsuit, said to protect the credit union’s members, the credit union is replacing its core processing vendor, although Nerko would not specify where the credit union might be taking its business.
According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share. And it’s poised to soon get much bigger.
In January 2019, Fiserv announced it was acquiring payment processing giant First Data in a $22 billion all-stock deal. The deal is expected to close in the second half of 2019, pending an antitrust review by the U.S. Justice Department.
That merger, should it go through, may not bode well for Fiserv’s customers, argues Paul Schaus of American Banker.
“Banks should take this trend as a warning sign,” Schaus wrote. “Rather than delivering new innovations that banks and their customers crave, legacy vendors are looking to remain relevant by acquiring existing products and services that expand their portfolios into new areas of financial services. As emerging technologies grow more critical to everyday business, these legacy vendors, which banks have deep longstanding relationships with, likely won’t be on the leading edge in every product or channel. Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”
Amazing how low priority real security is for companies like Fiserv.
This lawsuit could become the basis for a well-deserved class action suit by all of Fiserv’s customers.
I hope it will. That may be the only catalyst to get Fiserv to make a serious effort to upgrade their security.
The really screwed up part is the fact that banks are doing nothing about it knowing full well that Fiserv is getting hacked and sued left and right. People like First Bank in New Jersey knew about the lawsuit and the security flaws but still went ahead and went with Fiserv. Banks don’t care about your security, they push mobile apps and everything else. They figure that they’d save 5 cents by putting your private information at risk. Their position is we won’t worry about it or do anything about it until we’re caught! You find out if your bank uses Fiserv, they will do nothing about it, and give you the BS cut and paste responses.
Banks don’t care about your security, they know exactly what is going on and pretend like there’s nothing wrong. They have the attitude that we’ll do nothing, know about it, and still do anything until they are caught. They don’t care about your security, just lining their pockets with as much money as they can. Banks blamed everyone else for the crash in 2008 and they are doing the same with your personal information.
And as Paul Schaus said the path forward for companies such as Fiserv is to acquire new and different technologies and other companies.
Fiserv apparently does not have the talent on hand to run their one critical business. Woe to their customers as they try to juggle additional responsibilities with the same limited capabilities.
Roger, they may have the talent, but not the will. They have to WANT to make their systems more secure. But gee, it might lower their profits!
(“We’re committed to security.” Oh yeah? Actions speak louder than words.)
Actually he said “Instead, financial institutions will need to seek out newer vendors that have deeper commitments and focus in cutting-edge technologies that will drive industry change.”
There is actually a very simple fix for companies like Fiserv who do not take the security of their customers seriously. Instead of (or even in addition to) allowing them to reap the rewards of bloated salaries and share buybacks, make the company executives criminally liable for their negligence. If they had to face hard time for criminally negligent practices, and it was a real and not a paper threat, the problem would be solved yesterday.
Agreed. I was at a company during the first round of Sarbanes-Oxley (SOX). Their non-standard fiscal year-end date got them on that list.
I’d never before or since seen such intense, personal participation by a CEO and CFO solely because of the threatened jail time for them. While it never really happened, execs today still sweat over a SOX audit finding “material weaknesses” that prevent them from filing with the SEC on schedule.
The SEC is still the weak link because they rely on that sloppy “material” definition and for really large corporations almost nothing can materially hurt them, just their customers.
Non-public companies have no such worries so their customers are at a higher risk.
My credit union just “updated” its online system. Today I’m supposed to log in by using…my account number and the last four digits of my SSN.
Haha.. upgrade or downgrade? 🙂
“Rather than delivering new innovations that banks and their customers crave”
You’ve *got* to be kidding. I have never “craved” an innovation from a bank. I had, for a while, an account with the 190-or-so year old Washington Mutual… but knew it was in trouble when its advertising went to “a Woohoo moment”.
ROI for the company is all, anything for end users isn’t even an afterthought (unless a lawyer is involved, and then it’s “not admitting any guilt”).
I applaud this lawsuit. In most hardware industries companies are responsible for their products. Faulty products will result in lawsuits. It’s about time the software industry was held to the same liability standards.
This is the industry I work in. We recently moved core providers as well away from Fiserv. The problem is that there really are not any good options out there. Everything in the American banking world is ancient including Fed systems. Legislators want to put all this regulation on the shoulders of banks, which large FIs might be able to handle, but small fry have no way of complying properly with the options given. There needs to be room for Silicon Valley players to come in and actually transform things without getting bullied by the big providers.
The other issue is that there is no such thing as “Fiserv” or “FIS” they are companies that own other companies that own other companies. Everything is segmented and everyone lives in these high towers where no one has to take responsibility for anything. None of the development is done in house. It’s all outsourced to the lowest bidder. They just buy up products and then pay the cheapest developers to try and band-aid everything together with ancient mainframes and core applications written in COBAL sitting as the foundation for everything. It’s all just a house of cards just waiting to crumble.
I honestly think if the Fed created a replacement for the ACH system that had blockchain and RESTful APIs at its core and allowed Silicon Valley to come in and experiment with banking minus all the unnecessary regulation, we would have a secure/functioning banking system again.
COBOL, sonny.
He said “ancient mainframes”, he probably meant BAL. COBOL is a third-generation language.
Yes, I’m old.
Oh, you naive young’uns… everybody knows it’s RPG for the win! And tabulating machines! And yes… I’ve been there and done those.
So much this.
Yep, me too… sigh.
Yeah, other options are less secure, like Nicola Banking lol. NBS is bottom of the barrel security. Working in financial IT for years I have seen numerous pretty concerning things from them.
As a long-term Fiserv client, I share some of the frustration about their attitude about certain aspects of cybersecurity.
Fiserv runs multiple (like maybe 7?) different online banking platforms. Do we know which one is involved in the Bessemer matter?
The court filing references “Charlotte”. This brochure is dated November 2014…
https://www.fiserv.com/resources/charlotte-brochure.aspx
Hi Wade.
My CU is moving to a Fiserv platform and would like to know what “frustrations” you’ve experienced with them throughout the years.
Thank you,
J anon, be careful of what you wish for. What we have now is a balance of risk and insurability. Without regs, risk (and costs) goes way up.
This issue doesn’t surprise me. I’d imagine their whole banking environment is littered with holes and bad practices. I used to work for a small banking core provider right out of college prior to moving into the Security world and it’s amazing how atrocious their practices and standards were. If you’d like a more detailed exposé Mr. Krebs just let me know.
Not all cores have security issues.
I worked at Fiserv. None of their banking/financial software is on the mainframe.
Every piece of financial information is in the hands of a kid at a PC named ‘Skippy.’
Wouldn’t you prefer it be in the hands of old guys who measure career time in years instead of months?
Who names their PC “Skippy”…?
Fiserv, like other huge companies, has a communication problem internally. No one within the company knows what the person sitting next to them does or is responsible for. I have been on a call with over 22 Fiserv people and still not had the person I needed on the phone.
They just don’t know who does what within their own company. When you have one team making changes and they don’t know what changes the other team is making, how are you supposed to coordinate those changes? That is how these things happen. Employee A made change A, employee B made change B, those two changes turned off security feature C and now we have a breach.
It’s time for those credit unions to band together and create their own open source solutions.
I’m no longer positive where you’re getting your info, but good topic.
I must spend a while finding out much more or figuring out more.
Thank you for magnificent info I used to be on the lookout for this information for my mission.
Hello Mr. Krebs,
Do you think, say, possibly in the next 12-24 months a “big one”—an event that causes panic in both companies & consumers belief in the security of their overall financial assets in the United States—is going to hit?
I personally do. This “event” will make things like major data breaches (i.e. Equifax) and/or minor financial breaches seem pale by comparison.
No one inside this company you are reporting about has anything near a grasp across their many varied systems of how vulnerable they are. It’s beyond frustrating. And they remain deaf when you point it out to them, and actually show them how vulnerable they currently are, and how their products/services are, that they are peddling in the financial services/payments processing industry.
Alas, at present there’s not much else that can be done except to wait... hope for the best.
Credit Unions have over $1.3 trillion in assets (as of 2018) across the U.S. ... not something that brings peace of mind when one considers, for their overall digital security in today’s world, near 60% of these credit unions rely on this very company you are reporting about.
And, imho, from the research I’ve seen and people I’ve talked to, this company will be the main player if, or rather when, the “event” hits the proverbial fan.
Just my personal opinion.
Very sad to see the increase of frequency of such incidents and moreover good development and consulting companies are not following best coding practices.
Security is always on the right side of the development process which needs a shift. It’s high time that development firms induce security at every stage of the SDLC and transform it to Secure SDLC or DevSecOps.
I hope they migrated to First Data.
Now a Fiserv company…
My guess is that this shows us that such a big percentage of all human beings is honest enough that you can leave a bank basically open and there is a chance that no-one will start to steal.
First Data isn’t much better. I can tell you FD still uses outdated Mainframe systems. Another nice tidbit is they are still relying on outdated Win2003 operating systems for processing; they have too much FUD to make the changes so they put band-aids on them.
The merger isn’t going to help anything except some higher C level guys fatten their bank accounts and portfolios.
It’s time for those credit unions to band together and create their own open source solutions. Totally agree!
Not surprised. I have so many thoughts on this subject.
As a former employee, I forwarded the article to another former colleague with intimate knowledge.
That person said, there are more internal controls and restrictions inside preventing authorized employees from working on the products than there are outside where anyone can gain access to the products.
Meanwhile, the annual Fiserv Forum and Fornication 2019 went on like there was not a care in the world.
I hope First Data does their due diligence and realizes that if word gets out, Fiserv’s stock is going to nose dive, making their all-stock deal worth far less than they are expecting. Maybe if that falls through, Fiserv will take notice and start dealing with this.
Outside of a breach that totally shuts down a company, news of security weaknesses is not going to do anything to the players in this tightly knit industry.
And, due to the nature of the financial industry, a massive breach will have greater implications on downstream customers — including you and I — than on the B-to-B players.