Fiserv, Inc., a major provider of technology services to financial institutions, exposed personal and financial details of countless customers across hundreds of bank Web sites.
Two weeks ago it was discovered something curious while logged in to an account at a tiny local bank that uses.
Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific “event number.”
He could view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.
Hermansen said a cybercriminal could abuse this access to enumerate all other accounts with activity alerts on file, and to add or delete phone numbers or email addresses to receive alerts about account transactions.
It would allow any customer of the bank to spy on the daily transaction activity of other customers, and perhaps even target customers who signed up for high minimum balance alerts.
Fiserv declined to say exactly how many financial institutions may have been impacted overall.
The weakness in Fiserv’s platform is what’s known as an “information disclosure” vulnerability.
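The sketch below is an added example, not Fiserv's code or anything from the original article. It shows the general flaw class described above, an alert looked up by its event number alone, next to a lookup that also checks the logged-in customer. The `AlertStore` class, its methods and all sample data are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Alert:
    event_id: str        # identifier the site hands back to the customer
    owner: str           # customer who created the alert
    email: str
    account_number: str

class AlertNotFound(Exception):
    """Raised for missing alerts and for alerts owned by someone else."""

class AlertStore:
    def __init__(self):
        self._alerts = {}

    def create(self, owner, email, account_number):
        # Random id is defense in depth only; the ownership check is the control.
        event_id = secrets.token_urlsafe(16)
        self._alerts[event_id] = Alert(event_id, owner, email, account_number)
        return event_id

    def get_unchecked(self, event_id):
        # Flaw class: the lookup trusts the event number and nothing else.
        return self._alerts[event_id]

    def get(self, session_customer, event_id):
        # Hardened: the alert must belong to the customer in the server-side session.
        alert = self._alerts.get(event_id)
        if alert is None or alert.owner != session_customer:
            raise AlertNotFound(event_id)  # same answer for missing and foreign
        return alert

    def update_email(self, session_customer, event_id, new_email):
        alert = self.get(session_customer, event_id)  # writes reuse the same check
        alert.email = new_email
        return alert

def demo():
    store = AlertStore()
    a = store.create("alice", "alice@example.test", "0000111122")  # constructed
    b = store.create("bob", "bob@example.test", "0000333344")      # constructed
    leaked = store.get_unchecked(b).owner   # any caller reaches bob's alert
    try:
        store.get("alice", b)               # alice asks for bob's alert
    except AlertNotFound:
        return leaked, True, store.get("alice", a).email
    return leaked, False, None
```

Returning the same error for a missing alert and for someone else's alert keeps the response from confirming which event numbers exist.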
Source: https://krebsonsecurity.com/2018/08/fiserv-flaw-exposed-customer-data-at-hundreds-of-banks/
"id": "FIS21197922",
"linkid": "fiserv",
"type": "Vulnerability",
"date": "08/2018",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of a geographical region"