28 comments

[ 0.18 ms ] story [ 449 ms ] thread
The all-caps rant was a little bit funny, but it's maybe a little bit unprofessional to actually show it in the article even if the sender name was obscured.
Unusually, make sure to read the first comment at the end: "I am the CEO of the consumer owned credit union mentioned in this article"
Any company that has a relationship with a bank that holds money for consumers has to clear every single email template (any customer communication) with the bank before being sent to customers. So, netspend for instance has to clear any content with their bank previous to sending it to customers. This incident likely caused numerous TOS and regulatory violations which open up all of those financial service providers to fines from the CFPB, and perhaps law suits from customers.
I'm not sure that is correct in this case.

It appears Netspend was interacting with their own customer in the context of one of it's own processes. They weren't doing so as a TPV working on behalf of the banking institution that the customer would be using Netspend to transfer money from/to.

-Example- Netspend: Thanks for signing up for Netspend. We need to verifying your real. Please go to netspend.com/validate and provide y.

If Netspend was asking or directing the customer to provide information on, or interact with the banking institutions own properties then yes, I can see how you'd be correct.

-Example- Netspend: You've indicated you use Example Bank. In order for us to link to your EB account please go to example.com/myaccount and do x, y, and z.

They don't technically have to. Responsible banks will carry out risk and compliance audits of all customer communication to avoid liability but the alternative is to publish whatever and then deal with lawsuits later. These audits typically only for "claims" language (ie "we offer the lowest rates" would be axed) and maybe accessibility but not technical QA.
I was referring to the prepaid companies like netspend mostly. In my experience every bank required this of each of the prepaid companies I was at. At one prepaid company we went through three banks. The business is considered high risk...for very good reason.
I don't understand the root cause... Did nobody at Fiserv know about example.com or the .invalid TLD?

I see this sort of thing ALL the time - documentation referring to completely made up domains like "newcustomer.com", and it soon makes its way into software becoming real world DNS lookups for these placeholder domains. Nobody ever goes back and changes them and there's no monitoring or awareness that it's an issue.

Please take a moment to read BCP 32 - https://tools.ietf.org/html/bcp32 if you do not know about example.com or the .invalid TLD.

I can envisage the explanation of the root cause. "example.com." is seen as for examples in documentation, and what is the case here appears, rather, to be placeholder values in softwares that have not been fully installed and configured with the correct information for the company. This might not be the case, but it seems likely. And yes, the "invalid." top-level domain might have been suitable, although one might equally question the wisdom of an application that is sending mail (rather than complaining loudly) when its mail settings have not yet been configured.
isn't a placeholder a certain case of an example?
Used to work for a company that was their client. Loads of outages and just bad in general. I don't understand how they've become a fintech giant considering how bad they are.
I think we all know at least one company that is completely useless yet bigger than life.
It's Oracle and Accenture for me
Oracle's product is good,shame they sell it using the legal team instead of the sales department. Do agree about Accenture though.
(comment deleted)
Accidenture, because it's always a complete train wreck.
I have a friend who worked at Fiserv. He was a junior dev who didn't know better; he now describes his treatment there as abusive. (Very low pay, verbal abuse, many extra hours on call.)
I worked for Fiserv for a couple of years. Ended up there through an acquisition. I think experiences at Fiserv would vary considerably. Fiserv is the product of 600 acquisitions. Outside of sales and finance, there really is no company culture to speak of. Its basically very aggressive sales and finance teams trying to squeeze everything they can out the businesses they buy. Not a place for great engineering talent, and it shows.
So what are the legal aspects of this scenario. If a bad guy keeps on holding the domain can Fiserv take that guy to court and get back the domain?
> get back the domain

They never had the domain.

As a former fiserv software victim/user I’m not the least bit surprised. If anything I’m surprised I don’t hear about similar oversights of theirs more often.