SoylentNews is people

posted by Fnord666 on Thursday May 23 2019, @11:34AM
from the see-no-evil-speak-no-evil dept.

Submitted via IRC for AnonymousLuser

Credit Union Sues Fintech Giant Fiserv Over Security Claims

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

[...] Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.

[...] Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”
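
The control the complaint says was missing, as an added example (not code from Fiserv, Bessemer or the quoted article): a per-account attempt limit with a doubling waiting period, and a constructed simulation comparing it with an unthrottled reset check. The class and function names, the account label and the policy values (5 failures, 15 minutes) are assumptions.

```python
import hmac


class ResetThrottle:
    """Per-account failure counter with a doubling waiting period.
    max_failures=None reproduces the unthrottled behaviour alleged above."""

    def __init__(self, max_failures=5, base_lockout_s=900):  # assumed policy values
        self.max_failures = max_failures
        self.base_lockout_s = base_lockout_s
        self._state = {}  # account -> (failures, locked_until)

    def check(self, account, supplied_last4, real_last4, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        failures, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"  # refused without evaluating the guess
        if hmac.compare_digest(supplied_last4, real_last4):
            self._state.pop(account, None)
            return "ok"
        failures += 1
        if self.max_failures and failures % self.max_failures == 0:
            # Every further batch of failures doubles the wait.
            batches = failures // self.max_failures
            locked_until = now + self.base_lockout_s * 2 ** (batches - 1)
        self._state[account] = (failures, locked_until)
        return "denied"


def guesses_evaluated(throttle, real_last4, duration_s, interval_s=1):
    """Constructed simulation: one client walks 0000..9999 at a fixed rate.
    Returns (guesses the server evaluated, whether a reset was granted)."""
    evaluated = 0
    for i in range(duration_s // interval_s):
        result = throttle.check("acct-1", f"{i % 10000:04d}", real_last4, i * interval_s)
        if result == "locked":
            continue
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    day = 86400
    print(guesses_evaluated(ResetThrottle(max_failures=None), "9999", day))  # no limit
    print(guesses_evaluated(ResetThrottle(), "9999", day))                   # throttled
```

The counter is keyed on the account rather than the client address, so it still applies when attempts arrive from many sources.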


  • (Score: 3, Insightful) by Booga1 on Thursday May 23 2019, @12:40PM (1 child)

    by Booga1 (6333) on Thursday May 23 2019, @12:40PM (#846616)

    Fair point. Lots of data that used to be considered "secret" was truly just "not widely known." Now it's outright public and publicized, which is exactly why it's a problem when companies still use it for security questions. Sarah Palin's Yahoo email [wikipedia.org] was a perfect example of it.

    As for the addresses, yeah that shows up in background checks, so you're right. That's not secret data either. Especially after the Equifax breach! LOL, indeed. :)

  • (Score: 2, Insightful) by Anonymous Coward on Thursday May 23 2019, @12:45PM

    by Anonymous Coward on Thursday May 23 2019, @12:45PM (#846619)

    The problem is, if that is all you are changing, then the new data will soon become "commonly known" after the next data breach. The only thing that might make a difference, not counting some sort of huge change in secure systems, is to add strict liability to all these warehouses of information. Will probably make everybody's lives less convenient, but I would rather have secure finances than a banking "app" on my spyphone.