Dedicated to Deposits: Deals, Data, and Discussion

Is Your Bank Vulnerable to the Heartbleed Internet Security Bug?


A major security flaw in widely used internet encryption software may have allowed the personal information of millions of web users to be leaked. The flaw affects all types of websites, including bank websites. It’s important to understand that there’s currently no indication that personal information has been stolen. The flaw has existed for the last couple of years, however, and hackers could have used it to quietly steal personal information. A fix for the flaw is available, and many websites have already applied it, but it may take time before all websites do.

Many people don’t trust online banking, and this does support their concerns. It’s important to remember that federal regulation (Reg E) protects us from fraud if we quickly report unauthorized debits. Here’s a summary of Reg E as described in this NBC News article:

When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.

Some banks go above Reg E and guarantee to cover all losses if the fraud is reported quickly. Here’s Ally Bank’s guarantee:

We guarantee that you will not be liable for any unauthorized Online or Mobile Banking transaction as long as you report the unauthorized transaction by calling us at (877) 247-2559 within 60 days from when your statement is made available.

The most important thing for consumers to do is to regularly check their bank accounts and report unauthorized transactions as soon as possible.

Besides regularly monitoring your accounts, there’s not much that can be done about the Heartbleed bug. This CNET article, How to protect yourself from the 'Heartbleed' bug, has some recommendations. It advises that you confirm with your bank that it has applied the software fix before changing your password; a new password entered on a site that is still vulnerable could itself be exposed.

I’ve tested several bank and credit union websites using the web app LastPass Heartbleed checker. This was recommended by the CNET article. The web app shows whether the website is vulnerable to this bug. Below is a list of bank and credit union websites that had no vulnerability according to this web app. For these cases there’s "no need to change your password unless you have used it on any other site."

Bank websites that are NOT vulnerable based on LastPass Heartbleed checker:

  • capitalone360.com
  • ftub.com (First Trade Union Bank)
  • incrediblebank.com
  • salliemae.com
  • unionfsb.com (Union Federal Savings Bank)
  • connexuscu.org
  • smartypig.com

Is your bank vulnerable? How does this incident affect your trust of online banking?

Thanks to DA member me1004 for first reporting on this news in this DA forum thread.

Comments
54 Comments.
Comment #1 by Anonymous posted on
Anonymous
Reg E only protects you against lost money, not against lost personal info that may result in id theft.

2
Comment #2 by benjamin bernanke (anonymous) posted on
benjamin bernanke
Not enough protection. Better not to use online banking. And what happens with the rule if the statements are received online? And WHEN is it considered to be received? When it is opened or when it arrives in the inbox?

3
Comment #4 by me1004 posted on
me1004
And here is another Website that you can use to check the URL of any bank or other Website for the Heartbleed flaw:

http://filippo.io/Heartbleed

And you can find a list of various Websites, and whether they are vulnerable or not -- checked this past Tuesday, so by today they might have been patched -- at:

https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

I have read that any Mac OS X user or any Mac OS servers should be immune to this security flaw, because the last version of SSL shipped and updated by Apple uses a different SSL branch:

"PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug."

That in an article at:

http://www.tuaw.com/2014/04/09/why-the-openssl-heartbleed-bug-doesnt-affect-os-x-or-os-x-serve/

6
Comment #13 by Anonymous posted on
Anonymous
All those tests are false security. The connection is never a straight line from your computer to the destination server. It usually takes 6-12 hops before it reaches there; therefore, any or all of the intermediate server stops are potential hack sites.

9
Comment #5 by Shorebreak posted on
Shorebreak
Navy Federal Credit Union comes up as "vulnerable" utilizing LastPass Heartbleed Checker. However, using Test your server for Heartbleed (CVE-2014-0160) at http://filippo.io/Heartbleed/#yahoo.com “All good, navyfederal.org seems fixed or unaffected!”

Randolph Brooks Federal Credit Union comes back "Possibly" vulnerable utilizing LastPass Heartbleed checker, while it comes back as "broken pipe" using the Test your server for Heartbleed (CVE-2014-0160) test, which is also caused by an unaffected IIS server.

Texas Bank http://www.txbank.com/index.html comes back "Possibly" utilizing LastPass Heartbleed checker, while it comes back "All good" with the Test your server for Heartbleed (CVE-2014-0160) test.

Conclusion: None of these so-called "tests" are 100% reliable. Thus I'm not changing passwords at this time unless instructed by my financial institutions.

5
Comment #6 by Shorebreak posted on
Shorebreak
Penfed is not vulnerable according to LastPass Heartbleed Checker. However, it is classified as "connection reset by peer as they are probably using counter-measures, firewalls and IPS closing the connection or sink-holing it when they detect a heartbeat" when using the Test your server for Heartbleed (CVE-2014-0160) test.

Another case of not changing a password unless instructed to do so by the financial institution.

4
Comment #7 by Shorebreak posted on
Shorebreak
From Navy Federal Credit Union:

    Heartbleed Bug Information

    The security vulnerability called "Heartbleed" only affects websites that use an OpenSSL, or open source encryption technology. Navy Federal continually evaluates its systems and potential vulnerabilities. We are not susceptible to this issue. You can be assured that your accounts remain safe and secure. To make sure that you're doing all you can to protect your personal information, take a moment and review these tips.

https://www.navyfederal.org/life-money/managing-your-money/ten-tips-for-online-security.php?intcmp=h...

3
Comment #10 by cumulus posted on
cumulus
From First Trade Union Bank this afternoon:

    "As a valued First Trade Union Bank client, we want to inform you
     that despite recent news of the "Heartbleed" internet security bug,
     your FTUB account information remains safe. You may continue to
     bank with confidence as our Online and Mobile Banking systems do
     not use OpenSSL, which was the source of this vulnerability."

     [...]

4
Comment #12 by Anonymous posted on
Anonymous
To answer your question with a simple YES. Every web site is a potential hack site, even yours, Ken. It is a server software bug that cannot be remedied with patches; it must be replaced from the root directory at every server connected to your server and all servers to the destination server. In that chain of connections even your DNS and NAS servers must be replaced.
We as users cannot do anything; changing your passwords is just a false sense of security. It does not work unless all of your destination and intermediate servers relaying your message are updated. It may take a while, and then if only one rogue server is left in the chain of connections, you will not be safe.

13
Comment #22 by Anonymous posted on
Anonymous
People like to vote up uninformed nonsense on this website.

2
Comment #14 by me1004 posted on
me1004
Alliant CU says its servers are not subject to this vulnerability, no password changes needed:

    "Rest assured that Alliant Credit Union’s website was not affected by the Heartbleed vulnerability. As such, Alliant did not need to update its SSL certificate; only vulnerable sites were required to make an update. Member security is our top priority! If you have further questions please feel free to message us or reach out via phone at 800-328-1935."

5
Comment #15 by me1004 posted on
me1004
I don't know how SSL works, but if what I read and posted above is true, it sounds like if EITHER your computer or the server computer thwarts Heartbleed, then you are safe, as it says that neither Mac OS nor Mac OS server is affected by it -- that is, suggesting that if you have Mac OS, you are safe. Like I said, I don't know how SSL works, but perhaps either side of the connection can thwart this Heartbleed. Again:

"PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug."

That in an article at:

http://www.tuaw.com/2014/04/09/why-the-openssl-heartbleed-bug-doesnt-affect-os-x-or-os-x-serve/

SECOND: Anonymous 12, I think you're wrong about a patch not fixing it. The patch will be designed to fix the software at the root or in the firmware. The server doesn't need to be replaced. Of course, the password concern is that your password might already have been lifted before the server was patched.

5
Comment #16 by Anonymous posted on
Anonymous
It's about a vulnerability in the server that can trick it into disclosing any piece of data on the server, including things like personal information and the secret key that the server uses to generate the proof to your web browser that the site is genuine and not an imposter. The software on your computer is irrelevant.
Apple's comment is a bit humorous, because they're using unnecessary terminology like "branch" rather than just saying they're still using the older 0.9.8 version of OpenSSL rather than the newer 1.x version that was vulnerable.
Strangely, this is a case where using older software, or Microsoft's software, was an advantage. No company in their right mind would run their public website (or any server for that matter) on a Mac, because the hardware is too expensive and the software was mostly designed with end users in mind.

3
Comment #18 by me1004 posted on
me1004
But your explanation conflicts with itself. One minute you say it is hardware (no one else is saying that, not even the security companies!), and the next you say the issue is whether the computer is using the newer, problem version of SSL or not. That is, one minute you say it is hardware, the next you say it is software.

I also would not presume what any particular company is using for a server. Apple DOES sell plenty of servers, and Mac, deserved or not, is even known for greater security.

5
Comment #21 by Anonymous posted on
Anonymous
There was no mention of hardware. 

1
Comment #17 by saverinCA posted on
saverinCA
Thank you very much for this information and summary, Ken. I noticed yesterday that HSA Bank has an alert on their website indicating that they are aware of the Heartbleed issue and that HSA Bank accounts are not affected.

4
Comment #19 by Anonymous posted on
Anonymous
No bank or CU will admit in public that their computer systems are vulnerable to hacks, and all those tests referred to are false; they cannot predict which computer can be safe and which is not.
None of the test software above can penetrate a firewall and see what is in the DRAMs in the server at any particular time.
You are wasting time rating the banks and CUs for such malfunction.
#12 is close to the truth: there are so many intermediate servers between your computer and the destination server that nobody can predict the outcome of such traces.

15
Comment #20 by me1004 posted on
me1004
Latest info today is that this problem extends way beyond Websites. Even your home networking equipment, like routers and WiFi modems, is at risk, even WiFi-enabled devices like Blu-ray players and TVs:

http://www.washingtonpost.com/national/heartbleed-could-harm-a-variety-of-systems/2014/04/11/e47a08fc-c1b3-11e3-9ee7-02c1e10a03f0_story.html

Also, it seems the NSA learned about this problem TWO YEARS AGO, said nothing, and now is trying to deny it exploited the problem in order to spy.

4
Comment #23 by Anonymous posted on
Anonymous
And, the basis for the "Also, it seems..." statement is?

1
Comment #25 by me1004 posted on
me1004
News reports on the NSA learning about this two years ago are all over the news as of yesterday. NSA denies they knew about it. But the "knowledgeable sources" the news organizations have been using say otherwise. In fact, it is no secret that the NSA has been looking for and stockpiling software vulnerabilities. One of the many reports you can see is at:

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

2
Comment #26 by Anonymous posted on
Anonymous
Thank you... I also saw references in today's papers... interesting.

2
Comment #27 by Anonymous posted on
Anonymous
I think NSA introduced the virus to snoop around, and when discovered, now they are playing dumb.

8
Comment #29 by Anonymous posted on
Anonymous
To the people who think a virus patch will cure the problem, well, it will not work. Only the creators of Heartbleed can write an effective patch, because you need to know how the virus is attached and to what part of the software it became embedded. Replacing server software is a temporary fix, or until the evil creator(s) can figure out how to attach it to the new software.
In my opinion the only way to fix it is through firmware on the motherboards of the servers, not to allow storage of the user info in the memory and not to allow pre-fetched data segments to be stored. That will slow down the servers quite a bit, but for now I don't see how else Heartbleed can be stopped.

7
Comment #30 by me1004 posted on
me1004
What? Of course the patch writer needs to know what he or she is doing. But why ever do you think that is not known and not being done as needed -- they have it, they have identified it and know what it is and how it works. It's no longer a secret; it has been found. They now are blocking the entry point and eradicating any malware -- and why do you think they are not addressing it at all levels, including firmware and the root? In fact, a warning was put out a couple days ago that everyone even needs to have the firmware on any WiFi devices patched as well.

1
Comment #31 by Anonymous posted on
Anonymous
#30, the bad guys already know what you are patching with and where, and are already one or two steps ahead of the patchwork of software. I have seen hacks attach a virus to the patch itself, so be careful of your pragmatic knowledge.

6
Comment #32 by me1004 posted on
me1004
Well, from your theory, no virus or other malware can ever be stopped no matter what -- and that problem is nothing unique about Heartbleed.

Hey, it's software. If there is a mistake in a line of code, that mistake can be fixed. If there is malware to be found, it can be eliminated.

Yes, if a NEW hack comes along to somehow target the patch in a completely new way, no differently than targeting ANYTHING, then you could have a NEW exploit. That doesn't mean the error that led to Heartbleed can't be fixed. It just means that fixing it does not stop all hacks of anything forever.

1
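Comment #16 above describes the server being tricked into handing back memory, and comment #32 argues that a mistake in a line of code can be fixed. The added example below is not from the post or any commenter; it shows that mistake in simplified form: a heartbeat handler that trusts the length field in the request, beside the corrected handler that checks that length against the bytes actually received. The record layout, the simulated server memory and the placeholder "secret" are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified heartbeat record (TLS record header omitted):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * The reply echoes payload_length bytes of payload back to the peer. */
#define HB_HDR 3
#define HB_PAD 16
#define REC_LEN (HB_HDR + 4 + HB_PAD)   /* record as actually sent: 4 payload bytes */

/* Simulated server memory: the received record sits in front of unrelated data
 * the peer must never see. Record and "secret" are constructed placeholders. */
static uint8_t server_mem[96];
static const char *SECRET = "PRIVATE-KEY-BYTES";

/* Builds the reply: copies payload bytes starting right after the header. */
static int emit_reply(const uint8_t *rec, uint8_t *out, uint16_t payload)
{
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PAD);
    return (int)(HB_HDR + payload + HB_PAD);
}

/* Pre-fix logic: trusts payload_length from the record and never compares it
 * with rec_len (bytes that actually arrived), so the copy runs past the record. */
static int hb_respond_unchecked(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    if ((size_t)HB_HDR + payload + HB_PAD > out_cap) return -1;
    return emit_reply(rec, out, payload);
}

/* Fixed logic: header + claimed payload + minimum padding must fit inside the
 * bytes actually received; otherwise the record is dropped silently. */
static int hb_respond_checked(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    uint16_t payload;
    if (rec_len < HB_HDR + HB_PAD) return -1;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PAD > rec_len) return -1;
    if ((size_t)HB_HDR + payload + HB_PAD > out_cap) return -1;
    return emit_reply(rec, out, payload);
}

/* Places a request claiming claimed_len payload bytes (but carrying 4) in front
 * of the secret, runs handler h on it and reports:
 * 1 = reply carried the secret, 0 = clean reply, -1 = request dropped. */
static int run_handler(int (*h)(const uint8_t *, size_t, uint8_t *, size_t),
                       uint8_t claimed_len)
{
    uint8_t out[128];
    size_t m = strlen(SECRET);
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = 1;                              /* heartbeat_request */
    server_mem[1] = 0; server_mem[2] = claimed_len; /* payload_length field */
    memcpy(server_mem + HB_HDR, "ping", 4);
    memcpy(server_mem + REC_LEN, SECRET, m);        /* adjacent unrelated data */
    int n = h(server_mem, REC_LEN, out, sizeof out);
    if (n < 0) return -1;
    for (size_t i = 0; i + m <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, m) == 0) return 1;
    return 0;
}
```

With a request that claims 40 payload bytes but carries 4, run_handler reports 1 for the unchecked handler and -1 for the checked one; an honest request of 4 bytes gets a clean reply (0) from both.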
Comment #33 by Anonymous posted on
Anonymous
#32, there is a virus that gets in through software and there is a virus that gets in through hardware (firmware). This is a hybrid virus: it uses the software to get into the computers and then settles in the firmware and sends packets of data on the network, either local or Internet, using P2P protocols or tunneling or proxy IPs. There is no software patch able to know what packets are sending what to where on-line, and that is the problem.
A software patch is just a temporary fix and can be breached again.

6
Comment #39 by me1004 posted on
me1004
As I have said many times at this point, they are fixing the firmware. And all your devices that use WiFi need to have the firmware fixed. You talk as if firmware is immune to fixing -- no, it is upgraded and fixed often. Viruses can be eliminated there as well as in the OS. Bottom line is that anything a virus can access, so too can a fix.

2
Comment #34 by Anonymous posted on
Anonymous
#30,#32, you sure throw some dust without any substance, are you a computer expert?

7
Comment #35 by Anonymous posted on
Anonymous
It appears we have some self-proclaimed computer experts on this thread. All they're really doing is using Google to find their knowledge and transfer it to this thread. And yes, I've been working in IT for over 20 years.

3
Comment #36 by Anonymous posted on
Anonymous
#35, you cannot stand competition, so it seems, but you never said anything that sounded like it is coming from an expert who worked for 20 years in IT. Your take is below basic level, and yes, there are millions of IT specialists who have no knowledge of server software, low-level language programming or how the server actually works, and why this virus is unique and why it may re-appear after all fixing is done.

5
Comment #37 by Anonymous posted on
Anonymous
To the guy (30, 32, 35) who knows it all about computers and does not believe other people are more knowledgeable than him, well, I have to add something: hackers have stolen encryption keys from past and present, and they cannot be patched with anything. The patches that have been installed failed to stop Heartbleed, and now what are you gonna do as an IT expert?
The other people here have claimed it cannot be stopped with patches, and so far they are right; it seems to me they are bigger experts than you are.

4
Comment #38 by Anonymous posted on
Anonymous
To #37, I don't believe poster #35 made any statements about his knowledge. He just stated he has experience in IT.

1
Comment #44 by Anonymous posted on
Anonymous
38, if that is irrelevant, why dwell on it?

3
Comment #40 by me1004 posted on
me1004
Well, the security firm experts say the patch fixes it. You can prefer to listen to Anonymous by whatever number if you prefer.

1
Comment #41 by Anonymous posted on
Anonymous
Do you trust these security firm experts who exist to proactively foresee these threats and make patches available before major damage is done? They repetitively get caught with their pants down!

1
Comment #47 by Anonymous posted on
Anonymous
#40, you are too naive if you think it is fixed. I don't, and I know why SSL cannot be fixed by a software patch; it is a temporary PR stunt to calm the masses.

3
Comment #45 by Anonymous posted on
Anonymous
Look, people, let's make a few things straight. Heartbleed is not a normal virus; second, once embedded in a server it cannot be purged out by a software patch; and third, once the SSL private server key is sent out by Heartbleed, that server must be junked or put out of service for good.
And finally, if the private keys in the SSL layer are compromised, you cannot change the password to protect you.
Whoever holds the keys, private and public keys from the SSL server, can replicate a new parallel server and trick you to go there and enter your ID and passwords without ever suspecting something is wrong.
Once that info is in the hackers' possession, you are exposed to fraud and a wipe-out of your money.

3
Comment #46 by Anonymous posted on
Anonymous
How can it be justified that companies are using free open source software to protect OUR data? We as consumers are paying for secure and reliable access to our data. Needless to say, there was a 2 year cover-up also.

3
Comment #48 by Anonymous posted on
Anonymous
Mr/Ms #45/47 -
You seem to think you are knowledgeable about the internet. Please disclose your credentials. Then maybe, just maybe, we can even begin to evaluate whether you know anything about what you're talking about.

3
Comment #49 by Anonymous posted on
Anonymous
me1004, stop pretending you are someone else.

2
Comment #50 by paoli2 posted on
paoli2
#48 Is that a new criterion for DA? We have to know what we are talking about!! :) If I want to make sure a poster is stating correct info, I research it myself. Otherwise, how can we be certain that anyone who posts is giving accurate info, except maybe a certain couple of tried and tested posters who have been here for quite some time?

1
Comment #51 by Anonymous posted on
Anonymous
#50 You said exactly what I did. All you did is re-phrase the wording.

5
Comment #54 by paoli2 posted on
paoli2
#51 Maybe you posted your reply using a different avatar anonymously, because I cannot find a post with your particular avatar posting what I posted. I was giving my personal opinion of the subject, not trying to repeat yours. But you know what they say: "If it is worth saying, it is worth saying twice," or something to that effect.

1