Fiserv, Shore Bank and Bank of Sandy Springs


What does Shore Bank on the Eastern Shore of Virginia have to do with Bank of Sandy Springs down in a suburb of Atlanta? Nothing, except they both use Fiserv as their website hosting provider. We can tell this because Fiserv is using the same SSL certificate for both banks, along with a bunch of other banks.

The result creates confusion when looking at any of these banks’ websites on a mobile device. Try it for yourself, first on a PC browser, and then on an iPad or iPhone. Notice the title says Fiserv on the mobile device? Even on a PC browser, you see that Fiserv’s name is listed first in front of the bank’s name on the URL bar.

Why does this happen? Because Fiserv is using the “Subject Alternative Name” field within the X.509 certificate, so the one cert that covers one bank’s site also covers a slew of other Fiserv-hosted domains, as you can see here (illustration below). What Fiserv is doing is perfectly OK, but the result is that you see “Fiserv” in the title bar instead of the bank’s name. It seems like Fiserv could do better by using distinct SSL certificates for each of its clients. But SSL certs cost money, so maybe they are just cutting corners to save a few bucks.
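To see the shared-certificate pattern described above for yourself, the following added example (not part of the original post) reads a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports who the cert was issued to and which sites its Subject Alternative Name entries cover. The organization and `.example` hostnames are constructed placeholders, not Fiserv's real certificate contents.

```python
# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "Example Hosting Provider, Inc."),),
        (("commonName", "www.bank-one.example"),),
    ),
    "subjectAltName": (
        ("DNS", "www.bank-one.example"),
        ("DNS", "bank-one.example"),
        ("DNS", "www.bank-two.example"),
        ("DNS", "*.bank-three.example"),
    ),
}

def subject_field(cert, field):
    """Return the first value of a subject attribute (e.g. organizationName), or None."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == field:
                return value
    return None

def san_dns_names(cert):
    """All dNSName entries in the Subject Alternative Name extension, lowercased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def covers(cert, hostname):
    """True if a SAN dNSName matches hostname; '*' matches only one whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    for pattern in san_dns_names(cert):
        labels = pattern.split(".")
        if len(labels) != len(host):
            continue
        if labels == host or (labels[0] == "*" and labels[1:] == host[1:]):
            return True
    return False

def sites_sharing_cert(cert):
    """Group SAN names by last two labels (a simplification; real code would use the Public Suffix List)."""
    groups = {}
    for name in san_dns_names(cert):
        site = ".".join(name.split(".")[-2:])
        groups.setdefault(site, []).append(name)
    return groups

if __name__ == "__main__":
    print("Certificate issued to:", subject_field(SAMPLE_CERT, "organizationName"))
    for site, names in sites_sharing_cert(SAMPLE_CERT).items():
        print(f"  {site}: {', '.join(names)}")
```

To run it against a live site, pass in the dict from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`; more than one group in the output means unrelated sites are sharing the certificate.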