By: Michael Jervis
KrebsOnSecurity recently reported a vulnerability found in perhaps little-known but widely used financial services software which powers the websites of thousands of banks. The exposure allowed even a mildly clever user to view financial account details for accounts that did not belong to the user.
The vulnerability existed in a system for sending alerts to bank customers concerning transactions or other events occurring on their accounts. Each time an alert was sent to a customer, it was assigned a particular event number. Assuming correctly that the event number was simply incremented by one each time an alert was sent, the security researcher who discovered the security gap tried sending a request to his bank’s website with an event number that was one less than the one he had actually received. Lo and behold, he received the alert information for another customer’s account, which he was not authorized to see. The information he was able to see included the customer’s email address, phone number and full account number. Of course, in the hands of a criminal this information can cause devastating losses to accountholders.
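The flaw described above is an insecure direct object reference: the alert endpoint trusted the event number alone and never checked that the alert belonged to the customer asking for it. The following is an added example, not code from the original post and not Fiserv's software; it uses a constructed in-memory alert store, a vulnerable lookup beside a hardened one that enforces ownership, and a small detection heuristic that flags sessions whose lookups are repeatedly rejected, the pattern that probing neighbouring event numbers produces.

```python
"""
Added example (not from the original post or the vendor's code): a minimal
alert-lookup service showing the class of flaw described above, an insecure
direct object reference (IDOR) on a sequential event number, beside a hardened
version that verifies the alert belongs to the requesting customer.
All names, identifiers and records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    event_id: int
    customer_id: str
    email: str
    phone: str
    account_number: str
    message: str


# Constructed sample store. Event numbers are assigned sequentially, which is
# exactly the property that made guessing a neighbouring number trivial.
ALERTS: Dict[int, Alert] = {
    1001: Alert(1001, "cust-A", "alice@example.test", "555-0101", "111122223333", "Withdrawal $40"),
    1002: Alert(1002, "cust-B", "bob@example.test", "555-0102", "444455556666", "Deposit $250"),
    1003: Alert(1003, "cust-A", "alice@example.test", "555-0101", "111122223333", "Card used online"),
}


class NotAuthorized(Exception):
    """Raised when the requested alert does not belong to the caller."""


def get_alert_vulnerable(session_customer_id: str, event_id: int) -> Optional[Alert]:
    """Vulnerable lookup: the authenticated customer is ignored entirely, so any
    valid event number returns another customer's contact and account details."""
    return ALERTS.get(event_id)


def get_alert_hardened(session_customer_id: str, event_id: int) -> Alert:
    """Hardened lookup: fetch by key, then compare the record's owner with the
    authenticated customer. A mismatch and a missing record raise the same error
    so the endpoint does not reveal which event numbers exist."""
    alert = ALERTS.get(event_id)
    if alert is None or alert.customer_id != session_customer_id:
        raise NotAuthorized(f"event {event_id} not available to {session_customer_id}")
    return alert


def flag_enumeration(requests: List[Tuple[str, int]], threshold: int = 2) -> List[str]:
    """Detection heuristic over (session_customer_id, event_id) request pairs:
    count, per session, the lookups the ownership check rejected and flag any
    session with `threshold` or more. Legitimate users almost never request
    alerts they do not own; sequential probing does so repeatedly."""
    rejected: Dict[str, int] = {}
    for customer_id, event_id in requests:
        try:
            get_alert_hardened(customer_id, event_id)
        except NotAuthorized:
            rejected[customer_id] = rejected.get(customer_id, 0) + 1
    return sorted(c for c, n in rejected.items() if n >= threshold)


if __name__ == "__main__":
    # cust-B asks for the event number just below its own (1002 -> 1001).
    leaked = get_alert_vulnerable("cust-B", 1001)
    print("vulnerable endpoint returned:", leaked.customer_id, leaked.account_number)
    try:
        get_alert_hardened("cust-B", 1001)
    except NotAuthorized as exc:
        print("hardened endpoint refused:", exc)
    # Constructed request log: cust-B walks the neighbouring numbers.
    log = [("cust-B", 1002), ("cust-B", 1001), ("cust-B", 1003), ("cust-A", 1001)]
    print("sessions flagged for enumeration:", flag_enumeration(log))
```

The ownership check is deliberately placed in the lookup function rather than in a caller, so every code path that reads an alert inherits it; the same approach also applies where the record key is random instead of sequential, since unguessable identifiers reduce exposure but are not an authorization control.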
The software which included this vulnerability is a product of a company called Fiserv. Though that may not be a household name to many retail bank customers, its software platform is used by over 1,700 banks. The company enjoys a market share of over 37 percent with $5.7 billion in earnings last year and 24,000 employees. In short, the potential reach of such a security gap is not limited to a handful of banks. Krebs tested two additional banks and found he was able to exploit the vulnerability at both. Fiserv was made aware of the issue and has now patched the software to repair the hole.
The discovery of this vulnerability is yet another reminder that companies cannot rely on simply making sure their own software and systems are secure; it also complicates the third-party management efforts of banks in particular. Some of the biggest weaknesses may come from third-party systems, especially those which are considered “plug and play” and may be in use across a number of different companies or locations. After all, a criminal is likely to focus more time on finding an entry point in a system which would allow access to many different victims, rather than just one organization.
The importance of careful contract drafting cannot be overstated. When negotiating the purchase of a third-party software system or platform, buyers should ensure they protect themselves from a legal standpoint. If a vulnerability in a third-party system results in a breach, will the software provider be required to deal with the consequences? Or will the buyer be left on its own? Organizations should always keep counsel involved in negotiations to ensure adequate protection is in place.