Heartbleed's Credit Union Impact: Threat of the Week
Early reports from credit unions regarding the Heartbleed data leak indicate they and their members are suffering few, if any, impacts. But investigations, in many cases, are in early stages.
The Heartbleed vulnerability, to recap, is a flaw in OpenSSL, the popular open-source encryption library that powers secure web sessions. Despite SSL's promise of heightened security, Heartbleed allowed attackers a clear, unencrypted view of data.
The flaw apparently was introduced to OpenSSL about two years ago. It was disclosed by researchers in early April.
A new wrinkle is that router company Cisco now has announced there may be Heartbleed flaws in its routers. The giant networking company, which powers much of the Internet’s traffic, is investigating how many, if any, of its routers are affected.
As for credit unions, most believe they are not significantly impacted by Heartbleed.
A spokesperson for $55 billion Vienna, Va.-based Navy Federal Credit Union said, "The security vulnerability called ‘Heartbleed’ only affects websites that use OpenSSL, an open source encryption technology. Navy Federal continually evaluates its systems and potential vulnerabilities. We are not susceptible to this issue. Members can be assured that their accounts remain safe and secure."
At $2.2 billion Affinity Federal Credit Union in Basking Ridge, N.J., CEO John Fenton wrote in an email to CU Times that so far, Heartbleed is a non-issue at Affinity.
“We are not getting a lot of member traffic regarding Heartbleed. We have heard from all of our vendors and they have tested everything and we are not affected at Affinity.”
A third perspective came from the security chief at a very large credit union who requested anonymity because he is not authorized to speak to the press. He indicated that his institution had tested its many systems and queried its vendors. The bill of health came back clean except for one minor component found to be potentially exposed to Heartbleed. It was unplugged from the network and, although this credit union continues to investigate the matter, it presently believes that isolated flaw affected no members.
That case illustrates what makes Heartbleed so potentially worrisome: The OpenSSL tools show up in many, many components.
That means searches have to be comprehensive, and since the vast majority of credit unions rely on a great number of third-party technology vendors, those vendors must also be interrogated.
As for why credit unions presently are reporting few or no hits, a theory is that most of the gear they use is operating on older OpenSSL versions that were not subject to Heartbleed.
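As an added illustration of the inventory work described above (this is example code written for this page, not anything from the article or from any credit union or vendor), the script below triages OpenSSL version strings collected from systems and vendors. Heartbleed was present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g; the older 0.9.8 and 1.0.0 branches never contained the buggy heartbeat code, which is the reason gear on older releases came back clean. The asset names and version banners are constructed sample data.

```python
import re

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixed it.
# 0.9.8.x and 1.0.0.x never shipped the vulnerable heartbeat code.
VULNERABLE_PATCH_LETTERS = {"", "a", "b", "c", "d", "e", "f"}

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1g", "0.9.8y", "1.0.1e-fips", ...
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def classify_openssl_version(banner: str) -> str:
    """Return 'vulnerable', 'not_affected' or 'unknown' for a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    if (major, minor, fix) != (1, 0, 1):
        return "not_affected"  # 0.9.8*, 1.0.0*, 1.0.2+ never had the bug
    if letter in VULNERABLE_PATCH_LETTERS:
        return "vulnerable"
    return "not_affected"  # 1.0.1g and later are patched


def triage_inventory(inventory: dict) -> dict:
    """Bucket {asset_name: openssl_banner} for follow-up with the vendor.

    A 'vulnerable' verdict is a lead, not proof: several Linux distributions
    backported the fix while keeping the old version string (a package can
    still report 1.0.1e yet be patched), so every hit still needs the vendor's
    patch-level confirmation, which is what the credit unions were gathering.
    """
    report = {"vulnerable": [], "not_affected": [], "unknown": []}
    for asset, banner in sorted(inventory.items()):
        report[classify_openssl_version(banner)].append(asset)
    return report


# Constructed sample inventory (hypothetical asset names and banners).
SAMPLE_INVENTORY = {
    "online-banking-portal": "OpenSSL 1.0.1e 11 Feb 2013",
    "vpn-concentrator": "OpenSSL 0.9.8y 5 Feb 2013",
    "load-balancer": "OpenSSL 1.0.1g 7 Apr 2014",
    "mobile-api-gateway": "1.0.1f",
    "legacy-statement-server": "OpenSSL 1.0.0k",
    "vendor-x-appliance": "unknown / awaiting vendor response",
}

if __name__ == "__main__":
    for verdict, assets in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{verdict}: {assets}")
```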
More broadly, Mark Nunnikhoven, a vice president at security company Trend Micro, said that he has had contact with many financial institutions regarding Heartbleed, and most said they had no susceptibility. He added the few that did report susceptibility said problems were isolated and they already had initiated remediation.
What about credit union vendors?
Reports from leading vendors so far are encouraging.
Menlo Park, Calif.-based Digital Insight, which provides online banking platforms to hundreds of credit unions, provided this statement: “After performing a thorough investigation, our research indicates that this vulnerability does not impact Digital Insight Online Banking websites because the encryption libraries used for Digital Insight Online Banking do not use the OpenSSL library that is the source of the vulnerability. However, we continue to investigate. We are working with third party vendors on assessment of any vulnerability in their services we provide to our financial institution customers.”
At Brookfield, Wisc.-based Fiserv, chief risk officer Murray Walton said in an email to CU Times that his organization launched an immediate assessment when the OpenSSL vulnerability became public knowledge.
“We identified OpenSSL in one third party product used in a contained segment of our infrastructure, and in five other internal instances,” he said. “All were immediately patched. We are also installing new security certificates as a precaution, although our security monitoring tools indicate there have been no attempts to exploit this vulnerability with respect to any Fiserv system. We are confident that the steps we have taken to assess and remediate the OpenSSL vulnerability were effective, and that our clients and their members may continue to use online banking systems with full confidence in their safety and security.”
Florida-based FIS, another leading financial technology company, did not respond to several requests for comment on Heartbleed.
Credit unions and their vendors may be comparatively safe from Heartbleed, but then there is the question of members. There, the skies darken with worries.
A possible member impact, even if their credit union credentials were never compromised, involves the dangers of password reuse, said many experts.
Although a member may have created a strong password, the problem begins when he or she proceeds to use that very same password at gaming sites, news sites or wherever passwords are required.
Criminals could exploit Heartbleed at one of those non-financial sites, nab the password, and program a robot to try that password at many financial institutions. When they try the member’s credit union, they hit paydirt.
That worry is prompting many security experts to advise consumers to reset passwords, especially if they are in the habit - as most of us are - of using a clever password at many sites.
The other big worry is that “this coming week we will see a huge spike in phishing emails, capitalizing on Heartbleed,” predicted Trend Micro’s Nunnikhoven.
His logic is that criminals will prey on the fears raised by the many Heartbleed stories in the past week. They will send emails telling people to reset their password, and will provide a convenient link that, of course, directs the traffic to a site controlled by the criminal.
Even worse, many of these emails, Nunnikhoven said, likely will masquerade as emails sent by credit unions and banks.
The upshot may be an epidemic of account takeovers.
The fears are real, but are the Heartbleed-engendered fears overblown?
Thus far, there are no proven cases of data stolen via Heartbleed being used for criminal purposes. Experts canvassed by CU Times could not point to a single example. That is not to say there are none, just that none are known.
Heartbleed is bad, but how bad is far from known. It could be more of a potential threat than an exploited one, or maybe it in fact already has been heavily exploited.
Nobody knows right now, and that is all that can be said with certainty.
For the record, in response to a query from this reporter, official word from this publication’s publisher is that “CUTimes.com servers and our subscriptions vendor are protected from Heartbleed.”