
posted by Fnord666 on Thursday May 23 2019, @11:34AM
from the see-no-evil-speak-no-evil dept.

Submitted via IRC for AnonymousLuser

Credit Union Sues Fintech Giant Fiserv Over Security Claims

In late April 2019, Fiserv was sued by Bessemer System Federal Credit Union, a comparatively tiny financial institution with just $38 million in assets. Bessemer said it was moved by that story to launch its own investigation into Fiserv’s systems, and it found a startlingly simple flaw: Fiserv’s platform would let anyone reset the online banking password for a customer just by knowing their account number and the last four digits of their Social Security number.

[...] Bessemer further alleges Fiserv’s systems had no checks in place to prevent automated attacks that might let thieves rapidly guess the last four digits of the customer’s SSN — such as limiting the number of times a user can submit a login request, or imposing a waiting period after a certain number of failed login attempts.

[...] Bessemer says instead of fixing these security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued it a “notice of claims,” alleging the credit union’s security review of its own online banking system gave rise to civil and criminal claims.

The credit union says Fiserv demanded it not disclose information relating to the security review to any third parties, “including Fiserv’s other clients (who presumably were affected with the same security problems at their financial institutions) as well as media sources.”
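The two weaknesses alleged in the complaint (a reset gated only on account number plus the last four SSN digits, and no limit on how fast those four digits can be guessed) are easy to see side by side in a simulation. The block below is an added example written for this page; it is not Fiserv's code, and the account number, the SSN digits, the lockout threshold (MAX_FAILURES) and the endpoint class names are all constructed for illustration. It enumerates the full 10,000-value space against a reset endpoint with no throttling, then against the same check with a per-account failure counter and lockout.

```python
"""
Simulation of the password-reset weakness described in the story: a reset
that accepts account number + last four SSN digits (10,000 possibilities)
with no attempt limiting, beside a hardened variant that counts failures
per account and locks the reset after a small number of attempts.

Added example; not Fiserv's code. The account number, SSN digits and
lockout parameters are constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data: one account and its SSN last-four (not real).
ACCOUNTS = {"1234567890": "4821"}

MAX_FAILURES = 5          # assumption: lockout threshold per account
SSN_LAST4_SPACE = 10_000  # "0000" .. "9999"


@dataclass
class WeakResetEndpoint:
    """Reset endpoint as described in the complaint: no attempt limiting."""
    resets: list = field(default_factory=list)

    def reset_password(self, account: str, last4: str) -> bool:
        expected = ACCOUNTS.get(account)
        if expected is None:
            return False
        if hmac.compare_digest(expected, last4):
            self.resets.append(account)   # a reset would be issued here
            return True
        return False


@dataclass
class HardenedResetEndpoint:
    """Same check, but failures are counted per account and the reset is
    locked after MAX_FAILURES until some out-of-band unlock."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    resets: list = field(default_factory=list)

    def reset_password(self, account: str, last4: str) -> bool:
        if account in self.locked:
            return False
        expected = ACCOUNTS.get(account)
        # Run the comparison even for unknown accounts so the response does
        # not reveal whether the account number exists.
        ok = expected is not None and hmac.compare_digest(expected, last4)
        if ok:
            self.failures.pop(account, None)
            self.resets.append(account)
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
        return False


def brute_force(endpoint, account: str) -> tuple:
    """Enumerate every last-four value against one account.
    Returns (succeeded, attempts_made)."""
    for n in range(SSN_LAST4_SPACE):
        guess = f"{n:04d}"
        if endpoint.reset_password(account, guess):
            return True, n + 1
    return False, SSN_LAST4_SPACE


if __name__ == "__main__":
    for cls in (WeakResetEndpoint, HardenedResetEndpoint):
        ep = cls()
        print(cls.__name__, brute_force(ep, "1234567890"))
```

Against the weak endpoint the loop succeeds on attempt 4822; against the hardened one it makes all 10,000 requests but only the first five are ever compared, and the account stays locked. A per-account counter alone lets an attacker lock customers out on purpose, so a real deployment would pair it with per-source throttling and a verified unlock path; and no amount of throttling changes the underlying problem that the "secret" is four digits of a widely leaked identifier.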


  • (Score: 4, Insightful) by VLM on Thursday May 23 2019, @12:09PM (1 child)

    by VLM (445) Subscriber Badge on Thursday May 23 2019, @12:09PM (#846608)

    Security thru obscurity is the mirror image of privacy.

    Privacy to end users means my neighbor can't trivially read my facebook data although every government and corporation and criminal on the planet most certainly can. Unfortunately I really don't care if my neighbor reads my FB and the only people I want to block from access, are the groups FB is making a profit off selling the data to.

    Likewise Security thru Obscurity is keeping security holes hidden from everyone except the criminals. It must be secure, because it's illegal for non-criminals to discuss any theoretical problems...

    • (Score: 2, Funny) by Anonymous Coward on Thursday May 23 2019, @12:55PM

      by Anonymous Coward on Thursday May 23 2019, @12:55PM (#846622)

      Facebook would never share your data with those people. The CEO has said he holds his users' privacy in high regard.

  • (Score: 3, Insightful) by Booga1 on Thursday May 23 2019, @12:16PM (3 children)

    by Booga1 (6333) on Thursday May 23 2019, @12:16PM (#846609)

    There have been so many big data breaches that nobody should be using commonly leaked bits of data for security information/password reset options. No social security number, no mother's maiden name, no birthdays, etc...

    Plus, how classy of Fiserv to do the usual thing when notified of a flaw in their security checks: deny, blame, sue!

    • (Score: 2) by VLM on Thursday May 23 2019, @12:26PM (2 children)

      by VLM (445) Subscriber Badge on Thursday May 23 2019, @12:26PM (#846610)

      Not disagreeing, but embrace and extend with: some info isn't leaked, it's public as per social media, like birthdays and mom's maiden name.

      The linked article mentions a band-aid of requiring street address, as if that's secret, LOL.

      • (Score: 3, Insightful) by Booga1 on Thursday May 23 2019, @12:40PM (1 child)

        by Booga1 (6333) on Thursday May 23 2019, @12:40PM (#846616)

        Fair point. Lots of data that used to be considered "secret" was truly just "not widely known." Now it's outright public and publicized, which is exactly why it's a problem when companies still use it for security questions. Sarah Palin's Yahoo email [wikipedia.org] was a perfect example of it.

        As for the addresses, yeah that shows up in background checks, so you're right. That's not secret data either. Especially after the Equifax breach! LOL, indeed. :)

        • (Score: 2, Insightful) by Anonymous Coward on Thursday May 23 2019, @12:45PM

          by Anonymous Coward on Thursday May 23 2019, @12:45PM (#846619)

          The problem is, if that is all you are changing, then the new data will soon become "commonly known" after the next data breach. The only thing that might make a difference, not counting some sort of huge change in secure systems, is to add strict liability to all these warehouses of information. It will probably make everybody's lives less convenient, but I would rather have secure finances than a banking "app" on my spyphone.

  • (Score: 2, Insightful) by Anonymous Coward on Thursday May 23 2019, @05:50PM (1 child)

    by Anonymous Coward on Thursday May 23 2019, @05:50PM (#846727)

    American banks successfully trained the public to wrongly believe that SSID is a financial password and to wrongly accept responsibility ("identity theft") when a criminal uses this "password". SSID is an ID and it should be safe to publicly display and not used as a password to open accounts; the criminals have it many times anyway. In my opinion, banks should be sued for libel if they falsely accuse a person of opening an account. They didn't do their due diligence and should not get away with it by calling it "identity theft".

    • (Score: 0) by Anonymous Coward on Friday May 24 2019, @12:25AM

      by Anonymous Coward on Friday May 24 2019, @12:25AM (#846850)

      I thought that SSID was required by banks so they could report interest income to the IRS?
