The final report of the FDIC’s investigation of a security breach at payments processor FIS found it worse than previously thought, according to a security blog.
Krebs reports that “the disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.”
When the FDIC first brought the breach to light in the second quarter of 2011, the Jacksonville, Fla.-based payments processor and core software vendor said the breach had been limited to its prepaid card division, and the NCUA warned credit unions to evaluate their relationship with the major card processor.
Krebs now quotes an FDIC investigators' report that far more was actually compromised.
The fraudsters used the hacked information to clone prepaid cards and withdraw $13 million from ATMs in Europe, Krebs said, and more exposure has now been reported.
“The initial findings have identified many additional servers exposed by the attackers; and many more instances of the malware exploits utilized in the network intrusions of 2011, which were never properly identified or assessed,” Krebs quoted FDIC examiners as writing in an October 2012 report.
He said the FDIC sent the report to hundreds of banks last week.
“As a result, FIS management now recognizes that the security breach events of 2011 were not just a pre-paid card fraud event, as originally maintained, but rather are that of a broader network intrusion,” the report said, according to Krebs.
Further, Krebs quoted the deposit insurer as documenting that the payments processor had spent $100 million to fix the security weaknesses but left some key security problems in place at least one year later.
“The FDIC noted that FIS routinely uses blank or default passwords on numerous production systems and network devices, even though these were some of the same weaknesses that ‘contributed to the speed and ease with which attackers transgressed and exposed FIS systems during the 2011 network intrusion,’” Krebs quoted from the report.
“Many FIS systems remain configured with default passwords, no passwords, non-complex passwords, and non-expiring passwords,” the report continued, adding that “Enterprise vulnerability scans in November 2012 noted over 10,000 instances of default passwords in use within the FIS environment.”
One possible bit of good news for credit unions comes in what the report may not say. Although Krebs reports that the FDIC found breaches to be widespread at the firm, he does not list card services as one of the parts of the firm that was breached.
The FDIC declined to comment or elaborate on the report, stating initially that it had not been sent, then allowing that a similar report would have been shared with banks.