Published: May 14, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
Some things are easy to forget; it happens all the time. But when a multi-billion-dollar technology provider forgets to purchase and register its default email domain name, well, that’s different. And when that provider’s clients are giants in the financial industry, it’s even more troublesome. Just ask Fiserv, one of the largest global providers of financial services technology for government agencies, banks, credit unions, investment management firms, and more. Fiserv did the unthinkable – doing business with an unregistered default domain name. Unbeknownst to Fiserv at the time, its oversight inadvertently handed anyone who registered that domain a tremendous opportunity to harm its clients.
A report by KrebsOnSecurity describes how a security researcher discovered the blunder and immediately purchased the domain to stop any further damage by hackers. He came across the scenario after he received an email from his bank that used “defaultinstitution.com” as the sender domain and knew something wasn’t right.
Once the domain was his, the researcher began receiving bounced messages from Fiserv customers and watched the emails roll in. The emails included an avalanche of PII (personally identifiable information), including IDs, the last four digits of account numbers, transfer amounts and dates, and the recipient’s email address. In the wrong hands, this information could prove very costly to Fiserv and its clients, as the messages were chock-full of customer PII.
We’re Working on It…
A mistake such as this, as simple as it is, creates countless opportunities for socially engineered email phishing scams and a host of other cybercrimes. With the potential victims all in the financial industry, a sector that has proven time and again to be an irresistible target for bad actors, the stakes were high. The only finger pointing was directly at Fiserv, which found it had some explaining to do. The company quickly purchased the domain from the researcher, saying in a statement, “We will no longer use placeholder domain names that include non-Fiserv owned domains.” Fiserv also maintains it is in the process of notifying the affected customers.
How Not to be Another Fiserv
A global VP at New Net Technologies warns about this mishap: “Fiserv has screwed up on a basic cyber security requirement for financial institutions,” adding, “this was a wide-open door for disaster and financial loss for Fiserv’s customers.” Every business, no matter the size or type, must secure any domain name having anything to do with the company and its customers, including placeholder or default domains that appear in outbound email. Because of typosquatting (aka domain jacking), it’s also not a bad idea to purchase domain names that are similar to the legitimate business domain or that result from likely typos of it.
Lucky for Fiserv, an honest researcher found, acted on, and reported the incident. There are also domain assurance products and services that secure domains, protect them from being spoofed by hackers, and block fraudulent emails before they reach a consumer’s inbox. Domain due diligence is part of running a business responsibly and safely. It may also keep a company from becoming the next Fiserv.
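One concrete form of that due diligence is to audit the sender domains your own mail templates and systems emit against the list of domains you actually own. The following Python script is an added example, not code from the article or from Fiserv; the sample messages and the owned-domain list (examplebank.test) are constructed for illustration. It flags a sender domain as "unowned" (a placeholder such as the one in the story) or "lookalike" (within two edits of an owned domain, the typosquatting case).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real Fiserv mail): a placeholder domain,
# a legitimate owned domain, and a one-character lookalike of the owned domain.
SAMPLE_MESSAGES = [
    "From: Alerts <alerts@defaultinstitution.com>\n"
    "Reply-To: noreply@defaultinstitution.com\nSubject: Transfer notice\n\nbody",
    "From: Alerts <alerts@examplebank.test>\n"
    "Reply-To: support@examplebank.test\nSubject: Statement\n\nbody",
    "From: Alerts <alerts@exanplebank.test>\nSubject: Statement\n\nbody",
]
# Assumption: the institution's registered, controlled domains.
OWNED_DOMAINS = {"examplebank.test"}


def sender_domains(raw_message):
    """Return the set of domains used in the sender-related headers."""
    msg = message_from_string(raw_message)
    domains = set()
    for header in ("From", "Reply-To", "Return-Path", "Sender"):
        for value in msg.get_all(header, []):
            address = parseaddr(value)[1]
            if "@" in address:
                domains.add(address.rsplit("@", 1)[1].lower())
    return domains


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(raw_message, owned=OWNED_DOMAINS):
    """Classify each sender domain as 'owned', 'lookalike', or 'unowned'."""
    findings = {}
    for domain in sender_domains(raw_message):
        if domain in owned:
            findings[domain] = "owned"
        elif any(edit_distance(domain, o) <= 2 for o in owned):
            findings[domain] = "lookalike"
        else:
            findings[domain] = "unowned"
    return findings
```

Run the same check over every template and configured sender address before a release; any "unowned" result means mail is leaving on a domain someone else could register.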