
Local Credit Union Sues Fiserv Over 'Amateurish Security Lapses'

Fortune 500 Fiserv Sued by Local Credit Union Over Security Vulnerabilities in Online Banking Platform

Fiserv, the leading bank core processor with 37% of the U.S. marketshare in 2018, is being sued by one of its own customers, the Bessemer System Federal Credit Union.

Court documents filed in a Mercer County, Pennsylvania court on April 26, 2019 show Bessemer claiming that, "Despite Fiserv's claimed expertise, Fiserv has misreported Bessemer's account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer's members." It adds, "Bessemer's member information has been subject to several instances of critical security vulnerabilities while in Fiserv's custody -- each based on baffling and amateurish security lapses."

At one point, Bessemer conducted its own security review and discovered vulnerabilities in the online banking website provided to it by Fiserv. Fiserv responded with what Bessemer describes as "a purely cosmetic 'fix'" that did not solve the problems and was easily bypassed. Further, Fiserv issued "an aggressive 'notice of claims' attempting to silence Bessemer by threatening civil and criminal prosecution if Bessemer discussed Fiserv's security problems with third parties", including other Fiserv customers.

This is despite Fiserv's Forms 10-K filed with the SEC in recent years stating that Fiserv expects that its clients will "conduct ongoing monitoring and risk management for third-party relationships," and that "independent auditors annually review many of our operations to provide internal control evaluations for our clients."

The claim goes further to assert, "Upon information and belief, Fiserv has issued threats to others who have discovered vulnerabilities, as well as to members of the press, in an effort to conceal these problems from affected financial institutions and consumers."

In August 2018, researcher and blogger Brian Krebs reported a basic flaw on a small local bank using the Fiserv platform. The flaw is described as an aspect of the fifth most common website vulnerability -- broken access control. It is the first example of broken access described by OWASP: "Bypassing access control checks by modifying the URL."

In the Fiserv incident, a researcher had detected an 'event number' appended to the Fiserv URL delivered with an email alert. He guessed the event number was associated with his account. When he altered it, he was able to access and edit alerts associated with a different customer -- and could see that customer's email address, phone number and full bank account number.
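As an added illustration (not code from the article, from Fiserv, or from the credit union), a minimal Python model of the flaw described above: the vulnerable handler returns whatever record the URL's event number names, while the fixed handler also checks that the record belongs to the authenticated session user and records refused requests for the security team. All names and sample data are constructed.

```python
# Added example: object-level authorization for a "?event=<number>" style URL.
# The store, users and alerts below are constructed for illustration only.
from dataclasses import dataclass


@dataclass
class Alert:
    event_id: int
    owner: str            # username the alert belongs to
    email: str
    phone: str
    account_number: str


# Constructed sample data: two customers, one alert each.
ALERTS = {
    1001: Alert(1001, "alice", "alice@example.com", "555-0100", "123456789"),
    1002: Alert(1002, "bob", "bob@example.com", "555-0101", "987654321"),
}

# Constructed audit trail: one entry per refused request (user, event_id).
DENIED_LOG: list[tuple[str, int]] = []


class AccessDenied(Exception):
    pass


def get_alert_vulnerable(session_user: str, event_id: int) -> Alert:
    """Broken access control: the caller is authenticated, but the event number
    taken from the URL is trusted as-is, so any user can read any alert."""
    return ALERTS[event_id]


def get_alert_fixed(session_user: str, event_id: int) -> Alert:
    """Server-side ownership check: the record must belong to the session user.
    'Missing' and 'not yours' get the same refusal so the URL cannot be used
    to probe which event numbers exist."""
    alert = ALERTS.get(event_id)
    if alert is None or alert.owner != session_user:
        DENIED_LOG.append((session_user, event_id))   # detection signal
        raise AccessDenied(f"user {session_user!r} may not read event {event_id}")
    return alert


def can_read(session_user: str, event_id: int) -> bool:
    """Convenience wrapper: True if the fixed handler would return the alert."""
    try:
        get_alert_fixed(session_user, event_id)
        return True
    except AccessDenied:
        return False
```

A burst of entries in `DENIED_LOG` from one session walking through consecutive event numbers is the pattern a monitoring rule would look for.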

The researcher attempted to report his finding to Fiserv, but could not get attention. It wasn't until Krebs took up the case, and concluded that hundreds of other Fiserv-affiliated banks would be just as vulnerable, that Fiserv responded and fixed the problem.

This is just one of the security problems and issues cited in the Bessemer complaint. Others include observed communications indicative of a malware infection (at least twice); use of products and services past their end-of-life or end-of-service deadlines and therefore more open to zero-day attacks; a patch process that takes more than 30 days from release of a patch; failure to enforce HTTPS encryption, exposing users to possible MitM attacks; failure to block repeated failed logins and so prevent credential stuffing; and more.

Specifically, however, it claims that following a security breach in 2016, Fiserv "improperly and unlawfully provided Bessemer's confidential member information to an unauthorized third party. This information included members' names, tax identification numbers, and portions of account numbers."

Fiserv's standard position on legal matters is to not comment -- and it initially declined SecurityWeek's request for comment. After publication of this article, the company told SecurityWeek, "We believe the allegations have no merit and will respond to the claims as part of the legal process."

Bessemer's lawyer, Charles Nerko of law firm Vedder Price, emailed SecurityWeek, saying, "Bessemer System Federal Credit Union values its members and is committed to providing them with the highest levels of service. To protect the credit union's members, the credit union is replacing its core processing vendor and will be taking appropriate legal action against the vendor. I look forward to protecting the credit union's rights in court."

Bessemer System Federal Credit Union was formed in 1943 by employees of the Bessemer and Lake Erie Railroad, with headquarters in Greenville, Pennsylvania. It is a small, local credit union with 4,311 members, and assets of just under $38 million.

Fiserv is a Fortune 500 company with around 12,000 clients in more than 50 countries. It reported $5.82 billion in revenue for 2018, and provides core banking services to more than a third of all U.S. financial institutions. It administers 135 million deposit accounts, more than 80 million online banking end users, and approximately 28 million active bill payment end users. More than $75 trillion of transactions move through its servers each year.

*Updated with comment from Fiserv issued after this article was published

Related: The Unseen Security Dangers in Financial Web Sites 

Related: Credential Stuffing Attacks Are Reaching DDoS Proportions

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.