The Heartbleed Bug, Your Risk, and Online Banking


Information on how much of a risk the Heartbleed bug is for online banking and financial transactions. Tips on what you can do to protect yourself.

By now you've probably read or heard about the Heartbleed bug. Discovered one week ago, the bug makes encrypted Internet communication vulnerable to being read by an attacker, since data that should have been protected by encryption can be exposed. It is a particularly insidious bug because exploiting it leaves no trace, so if information is stolen, the theft goes undetected. Still, it is important to remember that as of now, there is no known case of hackers using the bug to steal information.

So how much of a threat is it really, and what can you do to protect yourself?

Are You Impacted?

The general consensus from the media and security experts is that people should be concerned and vigilant about the bug. Mark Nunnikhoven, a security expert at Trend Micro, said that about 17% of secured sites on the Internet are vulnerable to the Heartbleed bug. The website Mashable.com has done a nice job putting together a list of major sites that were impacted by the bug. Some large sites include Netflix, YouTube, and Gmail. Although these are not banks per se, you might still conduct financial transactions on them, so your personal information and credit card details could be compromised.

Large Banks Not as Impacted

The list from Mashable also shows that large banks have been largely unaffected by the bug. Big banks have multiple layers of authentication and rely on more than just a secure certificate to keep their customers' information safe.

Smaller Banks May Be Vulnerable

What about smaller banks? I went to several smaller bank sites and used a Heartbleed vulnerability testing tool. In five out of five cases, I received the message below.

Server software: Apache

Was vulnerable: Possibly (known use OpenSSL, but might be using a safe version)

SSL Certificate: Possibly Unsafe (created 8 months ago at Aug 16 00:00:00 2013 GMT)

Additional checks: SSL certificate history yielded no new information

Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

You can test your own bank using the tool found here.

In contrast, this is the message I received when I tested Bank of America's website:

Site: www.bankofamerica.com

Server software: Not reported

Was vulnerable: No

SSL Certificate: Safe

Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!

This doesn't mean that smaller banks have the bug, but if you receive the "Possibly" result from the test, you should call your bank and ask whether it was vulnerable to the bug and whether it has been fixed.
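To make the reading of the checker output above concrete, here is an added Python example (my own code, not from the post or from the testing tool) that parses reports in the quoted "Field: value" format and compares the certificate's creation date with the public disclosure date of 7 April 2014. The report strings, including the "Yes" case, are constructed for the example.

```python
"""Interpret a Heartbleed checker report in the 'Field: value' format quoted above (example code)."""
import re
from datetime import datetime

# Heartbleed was publicly disclosed on 7 April 2014. A certificate created before
# that date may have had its private key exposed, so it should have been reissued.
DISCLOSURE = datetime(2014, 4, 7)

def parse_report(text):
    """Split 'Field: value' lines into a dict (also accepts 'Field:value')."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def cert_created(cert_field):
    """Extract the creation date from 'created ... at <ctime> GMT', else None."""
    m = re.search(r"at (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT", cert_field)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y") if m else None

def recommend(report):
    """Return the password advice implied by a report: safe, fixed, vulnerable or unclear."""
    f = parse_report(report)
    verdict = f.get("Was vulnerable", "").split(" ", 1)[0].lower()
    created = cert_created(f.get("SSL Certificate", ""))
    if verdict == "no":
        return "safe: change the password only if you reused it elsewhere"
    if created is not None and created >= DISCLOSURE:
        # Certificate reissued after disclosure: the site has patched, so a new
        # password will not be handed to a still-vulnerable server.
        return "fixed: change the password now"
    if verdict == "yes":
        return "vulnerable: wait for the patch and a reissued certificate, then change"
    return "unclear: ask the bank whether it was vulnerable and has been fixed"

# Constructed samples modelled on the reports quoted in the post.
SMALL_BANK = """Server software: Apache
Was vulnerable: Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 8 months ago at Aug 16 00:00:00 2013 GMT)
Assessment: It's not clear if it was vulnerable so wait for the company to say something"""
BIG_BANK = "Server software: Not reported\nWas vulnerable: No\nSSL Certificate: Safe"
PATCHED = "Was vulnerable: Yes\nSSL Certificate: Safe (created 2 days ago at Apr 10 00:00:00 2014 GMT)"

if __name__ == "__main__":
    for name, report in (("small bank", SMALL_BANK), ("big bank", BIG_BANK), ("patched", PATCHED)):
        print(f"{name}: {recommend(report)}")
```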

Conclusion

While you shouldn't panic, it would be wise to change your passwords if you use any of the sites listed as vulnerable. While it's unclear if this vulnerability was ever exploited, it makes sense to change passwords on a regular basis anyway. So, use this opportunity to upgrade your own personal digital security. One caveat though. You might want to wait a few days or even a week to ensure that all of the vulnerable sites have upgraded their software. Otherwise, you could be giving out your new password to an insecure site. In the meantime, check your bank statements and credit card activity regularly to make sure you don't see anything out of the ordinary.

Sol Nasisi: Sol Nasisi is the co-founder and a past president of BestCashCow, an online resource for comprehensive bank rate information. In this capacity, he closely followed rate trends for all savings-related and loan products and the impact of rate fluctuations on the economy. He specifically focused on how rates impact consumers' ability to borrow and save. He also has authored a wee


Comments

  • Phillip

    April 14, 2014

    Excellent article... a best practice for banks should be to use two-factor identification.

  • «
  • Page 1 of 1
  • »
Add your Comment

or use your BestCashCow account

or