Heartbleed Malware Impact Still Yet to Be Known, Felt
Early reports from credit unions regarding the Heartbleed data leak indicate they and their members are suffering few, if any, impacts. But investigations, in many cases, are in early stages.
The Heartbleed vulnerability, to recap, is a flaw in the popular OpenSSL library that powers secure web sessions. Despite the SSL promise of heightened security, Heartbleed allowed hackers to get a clear, unencrypted view of data.
The flaw apparently was introduced to OpenSSL about two years ago. It was disclosed by researchers in early April, and the NCUA and other regulators issued warnings.
A new wrinkle is that router company Cisco has now announced there may be Heartbleed flaws in its routers. The giant networking company, which powers much of the Internet's traffic, is investigating how many, if any, of its routers are affected.
As for credit unions, most believe they are not significantly impacted by Heartbleed.
A spokesperson for $55 billion Vienna, Va.-based Navy Federal Credit Union said, “The security vulnerability called ‘Heartbleed’ only affects websites that use an OpenSSL, or open source encryption technology. Navy Federal continually evaluates its systems and potential vulnerabilities. We are not susceptible to this issue. Members can be assured that their accounts remain safe and secure.”
At $2.2 billion Affinity Federal Credit Union in Basking Ridge, N.J., CEO John Fenton wrote in an email to CU Times that so far, Heartbleed is a non-issue at Affinity.
“We are not getting a lot of member traffic regarding Heartbleed. We have heard from all of our vendors and they have tested everything and we are not affected at Affinity.”
A third perspective came from the security chief at a very large credit union who requested anonymity because he is not authorized to speak to the press. He indicated that his institution had tested its many systems and queried its vendors. The bill of health came back clean, except one minor component with the potential for Heartbleed was found. It was unplugged from the network and, although this credit union continues to investigate the matter, it presently believes that isolated flaw affected no members.
That case illustrates what makes Heartbleed so potentially worrisome: OpenSSL shows up in many, many components.
That means searches have to be comprehensive, and since the vast majority of credit unions rely on a great number of third-party technology vendors, those vendors must also be interrogated.
Reports from leading vendors so far are encouraging.
Menlo Park, Calif.-based Digital Insight, which provides online banking platforms to hundreds of credit unions, provided this statement: “After performing a thorough investigation, our research indicates that this vulnerability does not impact Digital Insight Online Banking websites because the encryption libraries used for Digital Insight Online Banking do not use the OpenSSL library that is the source of the vulnerability. However, we continue to investigate.”
At Brookfield, Wis.-based Fiserv, Chief Risk Officer Murray Walton said in an email to CU Times his organization launched an immediate assessment when the OpenSSL vulnerability became public knowledge.
“We are confident that the steps we have taken to assess and remediate the OpenSSL vulnerability were effective, and that our clients and their members may continue to use online banking systems with full confidence in their safety and security.”
Florida-based FIS, another leading financial technology company, did not respond to several requests for comment on Heartbleed.
Credit unions and their vendors may be comparatively safe from Heartbleed, but then there is the question of members. There, the skies darken with worries.
Thus far, there are no proven cases of data stolen via Heartbleed used for criminal purposes. Experts canvassed by CU Times could not point to a single example. That is not to say there are none, just that none are known.
Heartbleed is bad, but how bad is far from known. It could be more of a potential threat than an exploited one, or it may in fact already have been heavily exploited.