The company used the unregistered domain DefaultInstitution.com in banking software. It forgot to replace the placeholder with the real bank’s domain when the software was implemented.
Internet security journalist Brian Krebs published a story today about banking technology company Fiserv (NASDAQ: FISV) and a default domain mistake.
Fiserv added defaultinstitution.com as a placeholder in software offered to its banking clients. The domain wasn’t updated to the client’s domain name for five of its clients when they started using the software, which led to lots of emails going to @defaultinstitution.com.
Security researcher Abraham Vegh noticed the bizarre domain name in an email. Seeing that the domain wasn’t registered, he registered it and started receiving emails. (Oddly, the domain points to a Dan.com lander.) That’s a bad security leak.
Fiserv made a big oversight. Perhaps next time, it should leave the domain blank or go with Example.com. Or at least a domain it owns.
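One way to catch a leftover placeholder before a client goes live, as an added example that is not from the article or from Fiserv: it scans a client configuration for e-mail domains and reports any the client has not been verified to own. The configuration layout, the `bank.example` domain and the function names are assumptions made for illustration.

```python
import re

# Reserved by RFC 2606 / RFC 6761: nobody can register these names.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# Captures the domain part of any e-mail address found in a string.
EMAIL_DOMAIN = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def classify(domain, owned):
    """Return 'owned', 'reserved' or 'unverified' for one domain."""
    d = domain.lower().rstrip(".")
    if any(d == o or d.endswith("." + o) for o in owned):
        return "owned"
    if d in RESERVED_DOMAINS or any(d.endswith("." + r) for r in RESERVED_DOMAINS):
        return "reserved"
    if d.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return "reserved"
    return "unverified"

def walk(value, path=""):
    """Yield (path, string) for every string in nested dicts and lists."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}" if path else str(k))
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def audit(config, owned):
    """List (path, domain, status) for every e-mail domain the client does not own."""
    findings = []
    for path, text in walk(config):
        for domain in EMAIL_DOMAIN.findall(text):
            status = classify(domain, owned)
            if status != "owned":
                findings.append((path, domain.lower(), status))
    return findings

# Constructed sample configuration for a hypothetical client that owns bank.example.
SAMPLE = {
    "notifications": {"from": "alerts@mail.bank.example",
                      "reply_to": "noreply@defaultinstitution.com"},
    "templates": ["Questions? Write to support@example.com."],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"bank.example"}):
        print(finding)
```

An `unverified` finding is a domain someone else could register and receive mail on; a `reserved` finding cannot be registered by a third party but still means the field was never set to the client's real domain.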
Lynn says
Epic gaffe. Who’s responsible for tech security there?