posted by Fnord666 on Thursday May 23 2019, @11:34AM
from the see-no-evil-speak-no-evil dept.

Submitted via IRC for AnonymousLuser

Credit Union Sues Fintech Giant Fiserv Over Security Claims

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

[...] Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.

[...] Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”
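
The two controls the complaint says were missing (a cap on attempts and a waiting period after failed attempts), sketched as an added example. This is not code from Fiserv, Bessemer or the article; the class and function names, thresholds and sample values are assumptions chosen for illustration.

```python
import hmac
import time

class ResetThrottle:
    """Per-account limit on failed password-reset identity checks."""

    def __init__(self, max_failures=5, base_lock=60.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.max_failures, self.base_lock, self.max_lock = max_failures, base_lock, max_lock
        self._clock = clock
        self._state = {}  # account number -> (failure count, locked-until time)

    def allowed(self, account):
        return self._clock() >= self._state.get(account, (0, 0.0))[1]

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a correct answer clears the counter
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        locked_until = 0.0
        if failures >= self.max_failures:
            # The waiting period doubles with each failure past the threshold.
            wait = min(self.base_lock * 2 ** (failures - self.max_failures), self.max_lock)
            locked_until = self._clock() + wait
        self._state[account] = (failures, locked_until)

def check_reset(throttle, account, submitted_last4, stored_last4):
    """Return 'locked', 'denied' or 'ok' for one reset request."""
    if not throttle.allowed(account):
        return "locked"  # rejected without evaluating the submitted digits
    ok = hmac.compare_digest(submitted_last4.encode(), stored_last4.encode())
    throttle.record(account, ok)
    return "ok" if ok else "denied"

def evaluated_in_window(seconds, **limits):
    """Simulate one wrong submission per second; count how many are evaluated."""
    now = [0.0]
    throttle = ResetThrottle(clock=lambda: now[0], **limits)
    evaluated = 0
    for t in range(seconds):
        now[0] = float(t)
        # Constructed sample values: account "100200300", stored digits "4821".
        if check_reset(throttle, "100200300", "0000", "4821") != "locked":
            evaluated += 1
    return evaluated

if __name__ == "__main__":
    print(evaluated_in_window(3600))  # checks evaluated in one simulated hour
```

A per-account counter on its own lets anyone lock a customer out by submitting wrong digits, so it is normally combined with per-source limits and a second verification step.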


  • (Score: 2, Insightful) by Anonymous Coward on Thursday May 23 2019, @05:50PM (1 child)

    American banks successfully trained the public to wrongly believe that SSID is a financial password and to wrongly accept responsibility ("identity theft") when a criminal uses this "password" - SSID is an ID and it should be safe to publicly display and not used as a password to open accounts - the criminals have it many times anyway -- in my opinion, banks should be sued for libel if they falsely accuse a person of opening an account - they didn't do their due diligence and should not get away with it by calling it "identity theft"

  • (Score: 0) by Anonymous Coward on Friday May 24 2019, @12:25AM

    I thought that SSID was required by banks so they could report interest income to the IRS?