Fidelity Investments data breach impacts more than 77,000 customers
Briefly

Because the attackers were able to use accounts they created themselves to reach other customers' accounts, it is clear that Fidelity's customer-facing web applications contain security misconfigurations. This attack vector is so well known and understood that OWASP ranks it number one in its Top 10 Web Application Security Risks. OWASP calls it 'Broken Access Control'; one of the risks it covers is allowing a user to view or edit someone else's account simply by supplying that account's unique identifier. The attackers may have exploited exactly this weakness: register new accounts at Fidelity, then use them to reach other customers' accounts.
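To make the flaw concrete, here is an added example (not code from the article or from Fidelity) of an account-lookup handler written two ways, plus a small log-review helper; the account data, user ids and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Account:
    account_id: int
    owner_user_id: int
    holder_name: str
    balance: float

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    1001: Account(1001, owner_user_id=1, holder_name="Alice Example", balance=5200.00),
    1002: Account(1002, owner_user_id=2, holder_name="Bob Example", balance=310.50),
}

def get_account_vulnerable(session_user_id: int, account_id: int) -> dict:
    """Broken access control: the handler trusts the client-supplied account_id
    and never checks that the logged-in user owns it, so any authenticated
    user, including a freshly registered one, can read any account."""
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        return {"status": 404}
    return {"status": 200, "holder": acct.holder_name, "balance": acct.balance}

def get_account_hardened(session_user_id: int, account_id: int) -> dict:
    """Object-level authorization: ownership is checked server-side against the
    session identity. A non-owned account gets the same 404 as a missing one so
    the response does not confirm which identifiers exist."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner_user_id != session_user_id:
        return {"status": 404}
    return {"status": 200, "holder": acct.holder_name, "balance": acct.balance}

def users_touching_many_accounts(requests, threshold: int = 3) -> set:
    """Detection aid: from (user_id, account_id) request records, return users
    who requested more distinct account identifiers than a single customer
    plausibly owns. A review signal once the hardened check is in place, and
    evidence of abuse while it is not."""
    seen = defaultdict(set)
    for user_id, account_id in requests:
        seen[user_id].add(account_id)
    return {u for u, ids in seen.items() if len(ids) > threshold}
```

The vulnerable handler returns Bob's account to Alice's session; the hardened one returns 404 for that request and 200 only to the owner.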
The Fidelity data breach highlights the persistent threat faced by financial institutions and their customers. While the attackers' specific motives remain unclear, it's likely that information gathering was a primary objective. This information could be used for future attacks, such as identity theft, phishing campaigns, or even ransomware demands. The 'beachhead' theory, where attackers establish a foothold to launch further attacks, is a common tactic in such incidents. Although Fidelity assures customers that their accounts and funds were not directly accessed, the breach raises concerns about the security of personal information, increasing the risk of identity theft, fraud, or other malicious activities.
Read at Securitymagazine