Sometimes even if you try to be safe, it doesn’t work the way you want.
Fiserv provides banking software to over a third of all banks. They have 24,000 employees and almost $6 billion in revenue. Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.
Apparently, if you signed up for alerts, they sent you an email with a link to the alert, but they violated one of the most basic security rules. The link contained a pointer to the alert, and those alerts were numbered serially, as in 1, 2, 3, 4. What this means is that if you change the alert number in the link the bank sends, you can look at someone else’s alert: the site looked up whatever number was in the link without checking that the alert belonged to the logged-in customer.
The guy who found it tried to get Fiserv’s attention (one more time a company’s incident response process failed). He reached out to Brian Krebs. Brian, whose web site attracts almost a million unique visitors a month, tested the flaw by opening bank accounts at a couple of small banks and trying it out.
While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.
After Krebs reached out to Fiserv (it is amazing what happens when you tell a company’s PR department that you are going to tell a million people that their security sucks), Fiserv developed a patch within 24 hours. They deployed the patch to their cloud customers that day and their non-cloud customers that night.
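To make the flaw concrete, here is an added example in Python (not code from Fiserv, from Krebs, or from this post). It shows the flawed lookup next to the fixed one, an unguessable alert identifier, and a simple log check that spots someone walking through alert numbers. The alert data, user names and log format are all constructed for the example.

```python
"""Added example: the serial-alert flaw as a vulnerable handler beside a
hardened one, plus a log check for sequential enumeration."""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    owner: str   # the customer who is allowed to read this alert
    text: str


# Constructed sample data: two customers of the same bank, serial alert numbers.
ALERTS = {
    "1001": Alert("1001", "alice", "Your balance fell below $100"),
    "1002": Alert("1002", "bob", "A $4,000 transfer was posted"),
}


def get_alert_vulnerable(session_user: str, alert_id: str):
    """The flawed pattern: whatever number is in the link is looked up directly.
    session_user is never consulted, so any logged-in customer can read any
    alert just by changing the number."""
    return ALERTS.get(alert_id)


def get_alert_hardened(session_user: str, alert_id: str):
    """Same lookup, but the row must belong to the logged-in customer.
    A missing alert and someone else's alert both return None, so the
    response does not even confirm that the other alert exists."""
    alert = ALERTS.get(alert_id)
    if alert is None or alert.owner != session_user:
        return None
    return alert


def new_alert_id() -> str:
    """Unguessable identifier for newly created alerts. This is defence in
    depth only; the ownership check above is still required."""
    return secrets.token_urlsafe(16)


# Constructed log lines in an assumed format:
#   user=<customer> alert=<id> result=<allowed|denied>
SAMPLE_LOG = [
    "user=alice alert=1001 result=allowed",
    "user=alice alert=1002 result=denied",
    "user=alice alert=1003 result=denied",
    "user=alice alert=1004 result=denied",
    "user=alice alert=1005 result=denied",
    "user=alice alert=1006 result=denied",
    "user=bob alert=1001 result=denied",
    "user=bob alert=1002 result=allowed",
]


def count_denied_distinct_ids(log_lines, threshold=5):
    """Detection: report users denied access to at least `threshold` distinct
    alert ids. One stray denial is a mistyped link; many distinct denials in
    a row is what walking 1, 2, 3, 4 ... looks like once the ownership check
    is in place."""
    denied = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("result") == "denied":
            denied[fields["user"]].add(fields["alert"])
    return {user: len(ids) for user, ids in denied.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable:", get_alert_vulnerable("alice", "1002"))
    print("hardened:  ", get_alert_hardened("alice", "1002"))
    print("new id:    ", new_alert_id())
    print("flagged:   ", count_denied_distinct_ids(SAMPLE_LOG))
```

The point of the hardened handler is that the check is on ownership, not on how hard the identifier is to guess; random identifiers only make enumeration slower, and the log check only pays off once denials are actually generated.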
So what does that mean for you?
First, Fiserv does get some brownie points because once Brian (Krebs) contacted them, they developed a patch basically instantly.
On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you whom to contact, or how, in case of a security issue.
For your company, how would a security researcher or a user know how to report a security problem?
If it isn’t very simple, you need to fix that. It could be as simple as a link on the contact us page or something else.
Next, how come when the guy who found it reported it, it did not get escalated to the right group? Is this a training problem? How would that work in your company? Train people. Report it to the incident response team. Do not overthink it. JUST REPORT IT. This is shades of the DNC hack. We don’t want people to overthink it. Just give the incident response team whatever information you have and let them handle it from there.
Web sites will have bugs. How you deal with them and how quickly is what can distinguish you from the next guy.
Source: Krebs On Security.