Bank Closes Web Security Hole
Fleet fixes credit card site flaw after customer discovers, reports breach.
Lucas Mearian, Computerworld online
A flaw in the Fleet Credit Card Services online site that could have exposed hundreds of thousands of customer transactions to other Fleet cardholders was repaired over the weekend after a customer went public with the problem.
Jonathan Bryce, a 20-year-old Web site developer at Rackspace Managed Hosting in San Antonio, said he discovered the problem Friday after logging in to Fleet's Mycard.fleet.com Web site. After making a credit card payment, Bryce said, he noticed his payment history had serial numbers attached to it.
When he found out he could view his payment history by typing the serial number related to it into a browser bar, he tried other random numbers and came up with other customers' accounts.
"I tried IDs from number 15 to an ID of 587,600 and got in," he said. "Most of the transactions I could view didn't contain sensitive data. I looked at 40 of them, and some of them contained Social Security numbers, birthdays, phone numbers, and addresses. For some of them, you could view card numbers too.
"It was so simple to figure out that I couldn't believe I was the only one to discover it," Bryce said.
Caught Quickly?
Horsham, Pennsylvania-based Fleet Credit Card Services is a division of FleetBoston Financial. Steven Lubetkin, a spokesman for the division, said today that the company shut down the Web site for six hours beginning late Friday night in order to fix the problem.
"A review of the log files indicated something less than 75 records were accessed using this vulnerability," Lubetkin said. "Even though potentially the number was in the hundreds of thousands, the only person to exploit [it] was this customer."
Of the records that were compromised by Bryce, Lubetkin said, fewer than five contained information "remotely identifying of the customer."
Lubetkin said the hole was caused by an error in the application provided by a vendor who hosts the site whom he refused to identify.
"I can't say who the vendor was. It's just not appropriate. It's been corrected," he said.
Response Criticized
But Bryce said he was most worried about the lack of concern over the problem. After contacting three Fleet customer services representatives, he still had received no response. When he did finally get a response, Bryce said, he was told that a manager would get back to him Monday.
"It especially worried me that they weren't concerned enough to fix it until after the weekend," Bryce said. It wasn't until he began contacting media organizations that Fleet responded, he added.
Theodore Iacobuzio, an analyst at TowerGroup research and consulting firm, said security holes that open financial services companies to identity fraud are fairly common. But Fleet's error sounded particularly egregious.
"If you can walk in the front door, it's obvious that they didn't think everything about security through," Iacobuzio said. "Every piece of primary research I've seen has shown security is the primary inhibiting factor in the growth of e-commerce."

For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
Save on Printing Costs
Microsoft Office Home and Student 2007
- Great year-end deals for small business!

-
Get 24/7 live remote AT&T Tech Support 360* service along with select Lenovo* PCs (with Intel® Core™ 2 Duo processors and save up to 200!
-
HP EliteBook* 6930p Notebook with Intel® vPro™ technology and a free HP Basic Docking Station - $641 instant savings!
- *Other names and brands may be claimed as the property of others. ©2009 Intel Corporation. Intel, the Intel logo, vPro and Core trademarks of Intel Corporation in the United States and other countries. All rights reserved.
People who read this also read:
Best Prices on Antivirus Software
Norton Antivirus 2010 (Full Product, 1 User)Price: $17.90
Anti-virus 2010 (OEM Product, 1 User)Price: $20.99
AntiVirus 2010 (Full Product)Price: $24.95
Norton AntiVirus 2009 (Full Product)Price: $16.89
AntiVirus Plus 2010 - 3 Users (Full Product)Price: $11.95
Anti-Virus 2009 (Full Product)Price: $15.04
- 15 Minutes to a Secure Business Get the Secure in 15 toolkit starting with the "15 Minutes Month-at-a-Glance" calendar. McAfee will send you additional tools and tricks to stay protected around the clock.
- A Buyer's Guide to Data Protection Implementing data protection products and processes can be daunting. Make the right decisions by exploring what is available and what makes sense for your organization. Use this simple guide to evaluate different vendor offerings.
Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage




