[HN Gopher] Fintech Giant Fiserv Used Unclaimed Domain
       ___________________________________________________________________
        
       Fintech Giant Fiserv Used Unclaimed Domain
        
       Author : todsacerdoti
       Score  : 99 points
       Date   : 2021-03-17 14:37 UTC (8 hours ago)
        
 (HTM) web link (krebsonsecurity.com)
 (TXT) w3m dump (krebsonsecurity.com)
        
       | sumedh wrote:
       | So what are the legal aspects of this scenario? If a bad guy
       | keeps on holding the domain can Fiserv take that guy to court and
       | get back the domain?
        
       | dastx wrote:
       | Used to work for a company that was their client. Loads of
       | outages and just bad in general. I don't understand how they've
       | become a fintech giant considering how bad they are.
        
         | cosmodisk wrote:
         | I think we all know at least one company that is completely
         | useless yet bigger than life.
        
           | stevewodil wrote:
           | It's Oracle and Accenture for me
        
             | cosmodisk wrote:
             | Oracle's product is good, shame they sell it using the legal
             | team instead of the sales department. Do agree about
             | Accenture though.
        
             | [deleted]
        
             | meepmorp wrote:
             | Accidenture, because it's always a complete train wreck.
        
       | smcl wrote:
       | The all-caps rant was a little bit funny, but it's maybe a little
       | bit unprofessional to actually show it in the article even if the
       | sender name was obscured.
        
         | pfiwxruxta wrote:
         | Email was funny. Reminded me of Steve Martin's rental car scene
         | from 'Planes, Trains and Automobiles' [1]
         | 
         | https://www.youtube.com/watch?v=cmg3nlAPVK8
        
       | 1cvmask wrote:
       | Placeholder attacks...
       | 
       | https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-...
        
         | scrose wrote:
         | A bug in AD causes sensitive internal information to be sent to
         | a random internet domain. The domain is purchased by the
         | company that introduced that bug. What could go wrong?
        
           | teddyh wrote:
           | It's an information exfiltration vector with built-in
           | plausible deniability.
        
       | ancarda wrote:
       | I don't understand the root cause... Did nobody at Fiserv know
       | about example.com or the .invalid TLD?
       | 
       | I see this sort of thing ALL the time - documentation referring
       | to completely made up domains like "newcustomer.com", and it soon
       | makes its way into software becoming real world DNS lookups for
       | these placeholder domains. Nobody ever goes back and changes them
       | and there's no monitoring or awareness that it's an issue.
       | 
       | Please take a moment to read BCP 32 -
       | https://tools.ietf.org/html/bcp32 if you do not know about
       | example.com or the .invalid TLD.
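
Added example (not part of the thread or the linked article): a check a team could run over email templates and documentation to flag hostnames that are neither reserved by BCP 32 (RFC 2606) nor on a list of domains the organisation owns. The sample template is constructed, and the function names and the owned list are assumptions.

```python
import re

# Names reserved by RFC 2606 (BCP 32); no third party can ever register them.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}

# Heuristic hostname matcher. It also matches strings such as "report.pdf",
# so hits are candidates for review, not confirmed findings.
DOMAIN_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b",
    re.IGNORECASE,
)


def _under(domain, zones):
    """True if domain equals, or is a subdomain of, any zone in zones."""
    return any(domain == z or domain.endswith("." + z) for z in zones)


def is_reserved(domain):
    """True if the name falls under an RFC 2606 reserved TLD or example.*."""
    domain = domain.lower().rstrip(".")
    return domain.rsplit(".", 1)[-1] in RESERVED_TLDS or _under(domain, RESERVED_SLDS)


def find_unsafe_placeholders(text, owned=()):
    """Map each non-reserved, non-owned hostname to the lines it appears on."""
    owned = {o.lower() for o in owned}  # hypothetical list of org-owned zones
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in DOMAIN_RE.finditer(line):
            domain = match.group(1).lower()
            if not is_reserved(domain) and not _under(domain, owned):
                hits.setdefault(domain, []).append(lineno)
    return hits


# Constructed sample template; the domains echo the ones used in this thread.
SAMPLE_TEMPLATE = """\
From: noreply@newcustomer.com
Please confirm your account at netspend.com/validate
Questions? Write to help@example.com or see docs.bank.invalid
"""

if __name__ == "__main__":
    found = find_unsafe_placeholders(SAMPLE_TEMPLATE, owned=["netspend.com"])
    for domain, lines in found.items():
        print(f"{domain}: line(s) {lines} is neither reserved nor owned")
```

Run against a template repository in CI, a non-empty result means a placeholder could resolve to a domain someone else can register.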
        
       | HomeDeLaPot wrote:
       | I have a friend who worked at Fiserv. He was a junior dev who
       | didn't know better; he now describes his treatment there as
       | abusive. (Very low pay, verbal abuse, many extra hours on call.)
        
       | floatingatoll wrote:
       | Unusually, make sure to read the first comment at the end: "I am
       | the CEO of the consumer owned credit union mentioned in this
       | article"
        
       | datavirtue wrote:
       | Any company that has a relationship with a bank that holds money
       | for consumers has to clear every single email template (any
       | customer communication) with the bank before being sent to
       | customers. So, netspend for instance has to clear any content
       | with their bank previous to sending it to customers. This
       | incident likely caused numerous TOS and regulatory violations
       | which open up all of those financial service providers to fines
       | from the CFPB, and perhaps lawsuits from customers.
        
         | ajcp wrote:
         | I'm not sure that is correct in this case.
         | 
         | It appears Netspend was interacting with their own customer in
         | the context of one of its own processes. They weren't doing so
         | as a TPV working on behalf of the banking institution that the
         | customer would be using Netspend to transfer money from/to.
         | 
         | -Example- Netspend: Thanks for signing up for Netspend. We need
         | to verify you're real. Please go to netspend.com/validate and
         | provide y.
         | 
         | If Netspend was asking or directing the customer to provide
         | information on, or interact with the banking institution's own
         | properties then yes, I can see how you'd be correct.
         | 
         | -Example- Netspend: You've indicated you use Example Bank. In
         | order for us to link to your EB account please go to
         | example.com/myaccount and do x, y, and z.
        
       | coachtrotz wrote:
       | Worth pointing out that Fiserv's Market Cap is $82 billion, not
       | the $15 billion listed in the article.
       | 
       | https://www.nasdaq.com/market-activity/stocks/fisv
       | 
       | edit:
       | 
       | Update, 12:44 p.m. ET: The lead paragraph has been updated to
       | reflect Fiserv's 2020 revenues, which were nearly $15 billion.
        
       ___________________________________________________________________
       (page generated 2021-03-17 23:01 UTC)