Tag Archives: Fiserv

Be Careful What Contracts You Sign

While the details of this are interesting, what is more important is thinking about all of the contracts that you sign.

This is a legal battle that goes back several years.

In one corner is Fiserv, the Fortune 200 +/- financial services software behemoth.

In the other corner is Bessemer System Federal Credit Union, a small community credit union in Pennsylvania.

In 2018 Brian Krebs reported bugs in Fiserv’s platform that allowed one customer to see another customer’s name, address, bank account number and phone number.

So Bessemer FCU did some more testing and found more bugs – security holes.

According to the credit union, Fiserv responded with an aggressive notice of claims, attempting to silence Bessemer if they discussed these security bugs with third parties, including other Fiserv customers.

In the end Bessemer sued Fiserv and Fiserv counterclaimed.

Fiserv said Bessemer breached its contract, among other things, and wanted attorney fees.

Much of the argument seems to be around the security review, which, if accurate, shows that Fiserv’s software is not secure, something other Fiserv customers might want to know about.

Fiserv says that Bessemer just wants to embarrass Fiserv and get out of paying some bills.

Without spending a lot of time reviewing legal documents, it appears that Bessemer was not happy with Fiserv’s response to being notified about the bugs (like in fixing them, soon) and wants to terminate the contract.

Fiserv appears to want to silence a critic (boy, is that failing) and doesn’t want to let the customer out of its contract.

So what does that mean for you if you sign a contract with a vendor? Here are some thoughts.

  • The vendor is going to want you to sign as long a contract as possible and will usually offer you a price incentive to do so. If this is a new vendor, that is likely not a good deal for you. Shorter might make more sense.
  • You should review the reasons that you can terminate the contract and what that termination will cost you.
  • You should look for any clauses that stop you from talking about the vendor’s product quality. This is different than disclosing secrets. While bugs and security flaws may be secret, they should not be covered by these types of contract restrictions.
  • Vendors should have a fixed amount of time to fix serious bugs or you should be able to terminate your contract.
  • The contract should spell out that the vendor is liable for your losses as a result of security bugs. Software vendors will resist this like the plague, but why should you be responsible for their bad software?

The lawsuit is ongoing. It will be interesting to see how this works out. Given this is now in the news, Fiserv might be smart to try and make it go away. Quietly. A trial could be ugly. On the other hand, Fiserv has a lot more money than Bessemer does.

Stay tuned.

But think about those contracts you signed and how you would fare in a similar situation.

On the other side, if you are a software vendor, how would you handle this situation?

Credit: Security Week

Fiserv Security Flaw Exposes Your Banking Data – Even if You Don’t Bank Online

Sometimes even if you try to be safe, it doesn’t work the way you want.

Fiserv provides banking software to over a third of all banks.  They have 24,000 employees and almost $6 billion in revenue.  Many of its client banks are smaller banks and credit unions, but some large banks use Fiserv too.

Apparently, if you signed up for alerts, they sent you an email with a link to the alert, but they violated one of the most basic security rules.  The link contained a pointer to the alert and those alerts were numbered serially as in 1, 2, 3, 4.  What this means is that if you change the alert number in the link the bank sends, you can look at someone else’s alert.
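The flaw described above is the classic insecure direct object reference: the link carries a serial alert number and the server hands back whatever alert that number names, without checking that the requester owns it. The following is an added illustration, not Fiserv's code or anything from the Krebs write-up; the alert store, user names and URL are constructed sample data. It puts the vulnerable lookup beside a hardened one that checks ownership and, separately, replaces the guessable serial number in the link with a random token.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    alert_id: int
    owner: str
    body: str


# Constructed sample data: three alerts belonging to two different customers
# of the same bank. Alert ids are serial (1, 2, 3), as the post describes.
ALERTS = {
    1: Alert(1, "alice", "Balance below $100"),
    2: Alert(2, "bob", "Large withdrawal of $2,500"),
    3: Alert(3, "alice", "New payee added"),
}


def vulnerable_fetch_alert(alert_id: int, requesting_user: str) -> str:
    """Vulnerable: trusts the number from the link and never looks at who is asking.
    Any logged-in customer can step the id up or down and read other customers' alerts."""
    alert = ALERTS.get(alert_id)
    if alert is None:
        raise KeyError(alert_id)
    return alert.body


def hardened_fetch_alert(alert_id: int, requesting_user: str) -> str:
    """Hardened: the alert is only returned if it belongs to the requesting user.
    A missing alert and someone else's alert get the same response, so the id space
    cannot be probed to learn which numbers exist."""
    alert = ALERTS.get(alert_id)
    if alert is None or alert.owner != requesting_user:
        raise PermissionError("alert not found")
    return alert.body


# Second layer: links carry an unguessable token instead of the serial id.
# The token maps back to an alert server-side; the ownership check still runs,
# because a token that leaks (forwarded email, browser history) must not be
# enough on its own.
_TOKENS: dict[str, int] = {}


def issue_alert_link(alert_id: int) -> str:
    """Build the link placed in the notification email (hypothetical URL)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not enumerable
    _TOKENS[token] = alert_id
    return f"https://bank.example/alerts/{token}"


def fetch_alert_by_token(token: str, requesting_user: str) -> str:
    alert_id = _TOKENS.get(token)
    if alert_id is None:
        raise PermissionError("alert not found")
    return hardened_fetch_alert(alert_id, requesting_user)


def readable_alert_ids(fetch, requesting_user: str, max_id: int = 5) -> set[int]:
    """Walk the serial id space 1..max_id the way the post describes and report which
    alerts the given user can read through the supplied fetch function."""
    readable = set()
    for alert_id in range(1, max_id + 1):
        try:
            fetch(alert_id, requesting_user)
            readable.add(alert_id)
        except (KeyError, PermissionError):
            pass
    return readable


if __name__ == "__main__":
    print("bob via vulnerable lookup:", readable_alert_ids(vulnerable_fetch_alert, "bob"))
    print("bob via hardened lookup:  ", readable_alert_ids(hardened_fetch_alert, "bob"))
    link = issue_alert_link(2)
    print("tokenised link for alert 2:", link)
```

The ownership check in `hardened_fetch_alert` is the actual fix; the random token only removes the "change the number in the link" shortcut and is worth adding because emailed links get forwarded and logged. Returning the same error for "does not exist" and "not yours" keeps the endpoint from doubling as an oracle for which ids are live.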

The guy who found it tried to get Fiserv’s attention (one more time a company’s incident response process failed).  He reached out to Brian Krebs.  Brian, whose web site attracts almost a million unique visitors a month, tested the flaw by opening bank accounts at a couple of small banks and trying it out.

While he could not cross banks to get data from other banks, he was able to see data from other customers of the same bank.

After Krebs reached out to Fiserv (it is amazing what happens when you tell a company’s PR department that you are going to tell a million people that their security sucks), Fiserv developed a patch within 24 hours.  They deployed the patch to their cloud customers that day and their non-cloud customers that night.

So what does that mean for you?

First, Fiserv does get some brownie points because once Brian (Krebs) contacted them, they developed a patch basically instantly.  

On the other hand, they lose points because the search “report a security bug to Fiserv” returns a lot of hits on this problem, but nothing that tells you who or how to contact in case of a security issue.

For your company, how would a security researcher or a user know how to report a security problem?

If it isn’t very simple, you need to fix that.  It could be as simple as a link on the contact us page or something else.

Next, how come when the guy who found it reported it, it did not get escalated to the right group?  Is this a training problem?  How would that work in your company?  Train people.  Report it to the incident response team.  Do not over think it.  JUST REPORT IT.  This is shades of the DNC hack.  We don’t want people to over think it.  Just give the incident response team whatever information you got and let them handle it from there.

Web sites will have bugs.  How you deal with them and how quickly is what can distinguish you from the next guy.

Source: Krebs On Security.