The final report of the FDIC's investigation of a security breach at payments processor FIS found it worse than previously thought, according to a security blog.


Brian Krebs is a former Washington Post reporter whose blog, Krebs on Security, is highly regarded in the information security community.


Krebs reports that “the disclosure highlights a shocking lack of basic security protections throughout one of the nation's largest financial services providers.”


When FDIC first brought the breach to light in the second quarter of 2011, the Jacksonville, Fla.-based payments processor and core software vendor said the breach had been limited to its prepaid card division, and the NCUA warned credit unions to evaluate their relationship with the major card processor.


Krebs now quotes an FDIC investigators' report finding that far more was actually compromised.


The fraudsters used the hacked information to clone prepaid cards and withdraw $13 million from ATMs in Europe, Krebs said, and more exposure has now been reported.


“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,” Krebs quoted the FDIC examiners as writing in a report from October 2012.


He said the FDIC sent the report to hundreds of banks last week.


“As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion,” Krebs quoted the report as saying.


Further, Krebs quoted the deposit insurer as documenting that the payments processor had spent $100 million to fix the security weaknesses but left some key security problems in place at least a year later.


“The FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that 'contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion,'” Krebs quoted from the report.


“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” Krebs quoted the report as saying, adding this passage: “Enterprise vulnerability scans in November 2012 noted over 10,000 instances of default passwords in use within the FIS environment.”
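The report describes four credential weaknesses that an enterprise scan tallies across an estate: default, blank, non-complex and non-expiring passwords. The script below is an added example, not code from this article, Krebs on Security, FIS or the FDIC; it runs those four checks over a constructed account inventory and counts instances per finding, the way a scan summary does. The inventory schema, the default-credential list, the complexity rule and the 90-day rotation threshold are all assumptions made for illustration, and the sample records are invented, not data from the report.

```python
"""Flag the password weaknesses the FDIC report names (default, blank,
non-complex and non-expiring passwords) across an account inventory,
the way an enterprise vulnerability scan would tally them.

Added example: not code from the article, Krebs on Security, FIS or
the FDIC.  The inventory schema, default-credential list and policy
thresholds are assumptions for illustration; the sample records are
constructed, not data from the report.
"""
from collections import Counter
from datetime import date

# Assumed: a small subset of the vendor default credentials a scanner tests.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("cisco", "cisco"),
    ("sa", ""),
}

MAX_PASSWORD_AGE_DAYS = 90      # assumed rotation policy
MIN_LENGTH = 12                 # assumed complexity policy
SCAN_DATE = date(2012, 11, 15)  # constructed: the month of the scan the report cites


def is_complex(pw):
    """Assumed rule: at least MIN_LENGTH chars and three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def audit_account(acct, today):
    """Return the findings for one record of the assumed schema:
    {host, user, password, last_changed (date or None), expires (bool)}.
    The checks are independent, so one account can carry several findings."""
    findings = []
    user, pw = acct["user"], acct["password"]
    if pw == "":
        findings.append("blank password")
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("default password")
    if pw and not is_complex(pw):
        findings.append("non-complex password")
    if not acct["expires"]:
        findings.append("non-expiring password")
    elif acct["last_changed"] is None or (today - acct["last_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    return findings


def audit_inventory(inventory, today):
    """Map 'host:user' to its findings, keeping only accounts with at least one."""
    report = {}
    for acct in inventory:
        findings = audit_account(acct, today)
        if findings:
            report["%s:%s" % (acct["host"], acct["user"])] = findings
    return report


def tally(report):
    """Count instances per finding type, the figure a scan summary reports."""
    return dict(Counter(f for findings in report.values() for f in findings))


# Constructed sample inventory (not real FIS hosts or accounts).
SAMPLE_INVENTORY = [
    {"host": "core-sw-01", "user": "cisco", "password": "cisco",
     "last_changed": None, "expires": False},
    {"host": "db-prod-07", "user": "sa", "password": "",
     "last_changed": None, "expires": False},
    {"host": "app-prod-12", "user": "svc_batch", "password": "Summer2012",
     "last_changed": date(2012, 6, 1), "expires": True},
    {"host": "app-prod-13", "user": "svc_batch", "password": "x9!Qe#7vLp2mR",
     "last_changed": date(2012, 10, 20), "expires": True},
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, SCAN_DATE)
    for account, findings in sorted(report.items()):
        print(account, "->", ", ".join(findings))
    for finding, count in sorted(tally(report).items()):
        print("%-32s %d" % (finding, count))
```

The checks are deliberately independent: a blank `sa` password is both a blank and a default credential, and a non-expiring account is reported as such regardless of its age, so the per-finding counts are what a scan summary like the one quoted above would show rather than one finding per account.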


One possible bit of good news for credit unions comes in what the report may not say. Although Krebs reports that the FDIC found breaches to be widespread at the firm, he does not list card services as one of the parts of the firm that was breached.


FDIC declined to comment or elaborate on the report, stating initially that it had not been sent, then allowing that a similar report would have been shared with banks.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.