Is Your Bank Vulnerable to the Heartbleed Internet Security Bug?


A major security flaw in the internet may have allowed the personal information of millions of web users to be leaked. The flaw has affected all types of websites, including bank websites. It’s important to understand that there’s currently no indication that personal information has been stolen. However, the flaw has been out there for the last couple of years, and hackers could have used it during that time to quietly steal personal information. A fix for the flaw is available, and many websites have already applied it, but it may take time before all websites do.

Many people don’t trust online banking, and this does support their concerns. It’s important to remember that federal regulation (Reg E) protects us from fraud if we quickly report unauthorized debits. Here’s a summary of Reg E as described in this NBC News article:

When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.

Some banks go above Reg E and guarantee to cover all losses if the fraud is reported quickly. Here’s Ally Bank’s guarantee:

We guarantee that you will not be liable for any unauthorized Online or Mobile Banking transaction as long as you report the unauthorized transaction by calling us at (877) 247-2559 within 60 days from when your statement is made available.

The most important thing for consumers to do is to regularly check their bank accounts and report unauthorized transactions as soon as possible.

Besides regularly monitoring your accounts, there’s not much that can be done for this Heartbleed bug. This CNET article, How to protect yourself from the 'Heartbleed' bug, has some recommendations. It advises that you confirm with your bank that it has applied the software fix before changing your password.

I’ve tested several bank and credit union websites using the web app LastPass Heartbleed checker. This was recommended by the CNET article. The web app shows if the website is vulnerable to this bug. Below is a list of bank and credit union websites that had no vulnerability according to this web app. For these cases there’s "no need to change your password unless you have used it on any other site."

Bank websites that are NOT vulnerable based on LastPass Heartbleed checker:

  • First Trade Union Bank
  • Union Federal Savings Bank

Is your bank vulnerable? How does this incident affect your trust of online banking?

Thanks to DA member me1004 for first reporting on this news in this DA forum thread.

Anonymous   |     |   Comment #1
Reg E only protects you against lost money, not against lost personal info that may result in id theft.
benjamin bernanke   |     |   Comment #2
Not enough protection. Better not to use online banking. And what happens with the rule if the statements are received online? And WHEN is it considered to be received? When it is opened or when it arrives at the inbox?
me1004   |     |   Comment #4
And here is another Website that you can use to check the URL of any bank or other Website for the Heartbleed flaw:

And you can find a list of various Websites, and whether they are vulnerable or not -- checked this past Tuesday, so by today they might have been patched -- at:

I have read that any Mac OS X user or any Mac OS server should be immune to this security flaw, because the last version of SSL shipped and updated by Apple uses a different SSL branch:

"PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug."

That in an article at:
Anonymous   |     |   Comment #13
All those tests are false security. The connection is never a straight line from your computer to the destination server. It usually takes 6-12 hops before it reaches there, therefore, any or all of the intermediate server stops are potential hack sites.
Shorebreak   |     |   Comment #5
Navy Federal Credit Union comes up as "vulnerable" utilizing LastPass Heartbleed Checker. However, using Test your server for Heartbleed (CVE-2014-0160) at “All good, seems fixed or unaffected!”

Randolph Brooks Federal Credit Union comes back "Possibly" vulnerable utilizing LastPass Heartbleed checker while comes back as "broken pipe" using Test your server for Heartbleed (CVE-2014-0160) test, which is also caused by an unaffected IIS server.

Texas Bank comes back "Possibly" utilizing LastPass Heartbleed checker while comes back "All good" with the Test your server for Heartbleed (CVE-2014-0160) test.

Conclusion: None of these so-called "tests" are 100% reliable. Thus I'm not changing passwords at this time unless instructed by my financial institutions.
Shorebreak   |     |   Comment #6
Penfed is not vulnerable according to LastPass Heartbleed Checker. However, is classified as: "connection reset by peer as they are probably using counter-measures, firewalls and IPS closing the connection or sink-holing it when they detect a heartbeat." when using the Test your server for Heartbleed (CVE-2014-0160) test.

Another case of not changing a password unless instructed to do so by the financial institution.
Shorebreak   |     |   Comment #7
From Navy Federal Credit Union:

Heartbleed Bug Information

The security vulnerability called "Heartbleed" only affects websites that use an OpenSSL, or open source encryption technology. Navy Federal continually evaluates its systems and potential vulnerabilities. We are not susceptible to this issue. You can be assured that your accounts remain safe and secure. To make sure that you're doing all you can to protect your personal information, take a moment and review these tips.
cumulus   |     |   Comment #10
From First Trade Union Bank this afternoon:

    "As a valued First Trade Union Bank client, we want to inform you
     that despite recent news of the "Heartbleed" internet security bug,
     your FTUB account information remains safe. You may continue to
     bank with confidence as our Online and Mobile Banking systems do
     not use OpenSSL, which was the source of this vulnerability."

Anonymous   |     |   Comment #12
To answer your question with a simple YES. Every web site is a potential hack site, even yours Ken. It is a server software bug that cannot be remedied with patches, it must be replaced from the root directory at every server connected to your server and all servers to the destination server. In that chain of connections even your DNS and NAS servers must be replaced.
We as users cannot do anything, changing your passwords is just a false sense of security, it does not work unless all of your destination and intermediate servers relaying your message are updated. It may take a while and then if only one rogue server is left in the chain of connections, you will not be safe.
Anonymous   |     |   Comment #22
People like to vote up uninformed nonsense on this website.
me1004   |     |   Comment #14
Alliant CU says its servers are not subject to this vulnerability, no password changes needed:

"Rest assured that Alliant Credit Union’s website was not affected by the Heartbleed vulnerability. As such, Alliant did not need to update its SSL certificate; only vulnerable sites were required to make an update. Member security is our top priority! If you have further questions please feel free to message us or reach out via phone at 800-328-1935."
me1004   |     |   Comment #15
I don't know how SSL works, but if what I read and posted above is true, it sounds like if EITHER your computer or the server computer thwarts Heartbleed, then you are safe, as it says that neither Mac OS nor Mac OS server is affected by it -- that is, suggesting that if you have Mac OS, you are safe. Like I said, I don't know how SSL works, but perhaps either side of the connection can thwart this Heartbleed. Again:

"PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version of shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you've installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug."

That in an article at:

SECOND: Anonymous 12, I think you're wrong about a patch not fixing it. The patch will be designed to fix the software at the root or in the firmware. The server doesn't need to be replaced. Of course, the password concern is that your password might already have been lifted before the server was patched.
Anonymous   |     |   Comment #16
It's about a vulnerability in the server that can trick it to disclose any piece of data on the server, including things like personal information and the secret key that the server uses to generate the proof to your web browser that the site is genuine and not an imposter. The software on your computer is irrelevant.
Apple's comment is a bit humorous, because they're using unnecessary terminology like "branch" rather than just saying they're still using the older 0.9.8 version of OpenSSL rather than the newer 1.x version that was vulnerable.
Strangely this is a case where using older software, or Microsoft's software, was an advantage. No company in their right mind would run their public website (or any server for that matter) on a Mac because the hardware is too expensive and the software was mostly designed with end users in mind.
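Comment #16 describes the server handing back memory it should never send. The added C illustration below (not code from the page, from OpenSSL, or from any commenter) models a TLS heartbeat handler before and after the fix for CVE-2014-0160; the only difference is one comparison of the peer-supplied payload length against the record actually received. The server memory layout, the secret string and the function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added illustration, not code from the page or from OpenSSL. Heartbeat record layout:
 * 1 byte type, 2 byte payload length, payload, >=16 bytes padding. Server echoes the payload. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "server memory": the incoming record, then data the peer must never see. */
static uint8_t server_mem[64];
static const char secret[] = "SECRET-KEY-MATERIAL";
/* Place a request claiming `claimed` payload bytes but carrying `actual`, with the secret right
 * after it. Returns the real record length (kept small so the demo over-read stays in server_mem). */
static size_t build_record(uint16_t claimed, size_t actual) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (uint8_t)(claimed >> 8);
    server_mem[2] = (uint8_t)(claimed & 0xff);
    memset(server_mem + 3, 'A', actual);              /* the bytes really sent */
    size_t len = 3 + actual + HB_PADDING;             /* padding left as zeros */
    memcpy(server_mem + len, secret, sizeof secret);  /* adjacent memory */
    return len;
}

/* Pre-fix logic: trusts the length field and never compares it with rec_len. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap) {
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > cap) return -1;   /* demo buffer guard only */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);   /* over-read: copies whatever follows the payload */
    return 3 + payload + HB_PADDING;
}

/* Post-fix logic: a record whose claimed payload does not fit is silently discarded. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;             /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the actual fix */
    if ((size_t)3 + payload + HB_PADDING > cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return 3 + payload + HB_PADDING;
}

/* Run one scenario through either handler: returns the response length (-1 if rejected)
 * and sets *leaked if the secret appears anywhere in the response bytes. */
static int run(int use_fix, uint16_t claimed, size_t actual, int *leaked) {
    uint8_t resp[128] = {0};
    size_t len = build_record(claimed, actual);
    int n = use_fix ? heartbeat_fixed(server_mem, len, resp, sizeof resp)
                    : heartbeat_vulnerable(server_mem, len, resp, sizeof resp);
    *leaked = 0;
    for (int i = 0; n > 0 && i + (int)(sizeof secret - 1) <= n; i++)
        if (memcmp(resp + i, secret, sizeof secret - 1) == 0) *leaked = 1;
    return n;
}
int scenario_len(int use_fix, uint16_t claimed, size_t actual)   { int l; return run(use_fix, claimed, actual, &l); }
int scenario_leaks(int use_fix, uint16_t claimed, size_t actual) { int l; run(use_fix, claimed, actual, &l); return l; }
int main(void) {   /* a request that claims 40 payload bytes but carries only 4 */
    printf("vulnerable: len=%d leaked=%d\n", scenario_len(0, 40, 4), scenario_leaks(0, 40, 4));
    printf("fixed:      len=%d leaked=%d\n", scenario_len(1, 40, 4), scenario_leaks(1, 40, 4));
    return 0;
}
```

The pre-fix handler echoes 40 bytes of which only 4 were ever sent, so the constructed secret lying next to the record comes back in the response; the post-fix handler rejects the same record outright.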
me1004   |     |   Comment #18
But your explanation conflicts with itself. One minute you say it is hardware (no one else is saying that, not even the security companies!), and the next you say the issue is whether the computer is using the newer, problem version of SSL or not. That is, one minute you say it is hardware, the next you say it is software. 

I also would not presume what any particular company is using for a server. Apple DOES sell plenty of servers, and Mac, deserved or not, is even known for greater security.
Anonymous   |     |   Comment #21
There was no mention of hardware. 
saverinCA   |     |   Comment #17
Thank you very much for this information and summary, Ken.  I noticed yesterday that HSA Bank has an alert on their website indicating that they are aware of the Heartbleed issue and that HSA Bank accounts are not affected.
Anonymous   |     |   Comment #19
No bank or CU will admit in public that their computer systems are vulnerable to hacks and all those tests referred to are false and they cannot predict which computer can be safe and which is not.
None of the test software above can penetrate a firewall and see what is in the DRAMs in the server at any particular time.
You are wasting time rating the banks and CU for such malfunction.
#12 is close to the truth, there are so many intermediate servers between your computer and the destination server, that nobody can predict the outcome of such traces.
me1004   |     |   Comment #20
Latest info today is that this problem extends way beyond Websites. Even your home networking equipment, like routers and WiFi modems, is at risk, even WiFi enabled devices like Blu Ray players and TVs:

Also, it seems the NSA learned about this problem TWO YEARS AGO, said nothing, and now is trying to deny it exploited the problem in order to spy.
Anonymous   |     |   Comment #23
And, the basis for the "Also, it seems..." statement is?
me1004   |     |   Comment #25
News reports on the NSA learning about this two years ago are all over the news as of yesterday. NSA denies they knew about it. But the "knowledgeable sources" the news organizations have been using say otherwise. In fact, it is no secret that the NSA has been looking for and stockpiling software vulnerabilities. One of the many reports you can see is at:
Anonymous   |     |   Comment #26
Thank you ... I also saw references in today's papers ... interesting
Anonymous   |     |   Comment #27
I think NSA introduced the virus to snoop around and when discovered, now they are playing dumb.
Shorebreak   |     |   Comment #28
Potential good news in the Heartbleed security saga
Anonymous   |     |   Comment #29
To the people who think a virus patch will cure the problem, well it will not work. Only the creators of Heartbleed can write an effective patch because you need to know how the virus is attached and to what part of the software it became embedded. Replacing server software is a temporary fix or until the evil creator(s) can figure out how to attach it to the new software.
In my opinion the only way to fix it is through firmware on the motherboards of the servers not to allow storage of the user info in the memory and not to allow pre-fetched data segments to be stored. That will slow down the servers quite a bit but for now I don't see how else Heartbleed can be stopped.
me1004   |     |   Comment #30
What? Of course the patch writer needs to know what he or she is doing. But why ever do you think that is not known and not being done as needed -- they have it, they have identified it and know what it is and how it works. It's no longer a secret, it has been found. They now are blocking the entry point and eradicating any malware -- and why do you think they are not addressing it at all levels, including firmware and the root? In fact, a warning was put out a couple days ago that everyone even needs to have the firmware on any WiFi devices patched as well.
Anonymous   |     |   Comment #31
#30, The bad guys already know what you are patching with and where and are already one or two steps ahead of the patchwork of software. I have seen hacks attach virus on the patch itself, so be careful of your pragmatic knowledge.
me1004   |     |   Comment #32
Well, from your theory, no virus or other malware can ever be stopped no matter what -- and that problem is nothing unique about Heartbleed. 

Hey, it's software. If there is a mistake in a line of code, that mistake can be fixed. If there is malware to be found, it can be eliminated.

Yes, if a NEW hack comes along to somehow target the patch in a completely new way, no differently than targeting ANYTHING, then you could have a NEW exploit. That doesn't mean the error that led to Heartbleed can't be fixed. It just means that fixing it does not stop all hacks of anything forever.
Anonymous   |     |   Comment #33
#32, there is a virus that gets in through software and there is a virus that gets in through hardware (firmware), this is a hybrid virus, uses the software to get in the computers and then settles in the firmware and sends packets of data on the network, either local or Internet using P2P protocols or tunneling or proxy IPs. There is no software patch to be able to know what packets are sending what to where on-line and that is the problem.
Software patch is just a temporary fix and can be breached again.
me1004   |     |   Comment #39
As I have said many times at this point, they are fixing the firmware. And all your devices that use WiFi need to have the firmware fixed. You talk as if firmware is immune to fixing -- no, it is upgraded and fixed often. Viruses can be eliminated there as well as in the OS. Bottom line is that anything a virus can access, so too can a fix.
Anonymous   |     |   Comment #34
#30,#32, you sure throw some dust without any substance, are you a computer expert?
Anonymous   |     |   Comment #35
It appears we have some self-proclaimed computer experts on this thread. All they're really doing is using google to find their knowledge and transfer it to this thread. And yes, I've been working in IT for over 20 years.
Anonymous   |     |   Comment #36
#35, you cannot stand competition, so it seems, but you never said anything that sounded like it is coming from an expert who worked for 20 years in IT. Your take is below basic level and yes there are millions of IT specialists who have no knowledge of server software, low level language programming or how the server actually works and why this virus is unique and why it may re-appear after all fixing is done.
Anonymous   |     |   Comment #37
To the guy (30,32,35) who knows it all about the computers and does not believe other people are more knowledgeable than him, well, I have to add something, hackers have stolen encryption keys from past and present and they cannot be patched with anything. The patches that have been installed failed to stop heartbleed and now what you gonna do as an IT expert.
The other people here have claimed it cannot be stopped with patches and so far they are right, it seems to me they are bigger experts than you are.
Anonymous   |     |   Comment #38
To #37, I don't believe poster #35 made any statements about his knowledge. He just stated he has experience in IT.
Anonymous   |     |   Comment #44
38, if that is irrelevant, why dwell on it?
me1004   |     |   Comment #40
Well, the security firm experts say the patch fixes it. You can prefer to listen to Anonymous by whatever number if you prefer.
Anonymous   |     |   Comment #41
Do you trust these security firm experts who exist to proactively foresee these threats and make patches available before major damage is done? They repetitively get caught with their pants down!
Anonymous   |     |   Comment #47
#40, you are too naive if you think it is fixed, I don't and I know why SSL cannot be fixed by software patch, it is a temporary PR stunt to calm the masses.
Anonymous   |     |   Comment #45
Look people, let's make a few things straight. Heartbleed is not a normal virus, second, once embedded in a server it cannot be purged out by a software patch and third, once the SSL private server key is sent out by heartbleed, that server must be junked or put out of service for good.
And finally if the private keys in the SSL layer are compromised, you cannot change the password to protect you.
Whoever holds the keys, private and public keys from the SSL server, can replicate a new parallel server and trick you to go there and enter your ID and passwords without ever suspecting something is wrong.
Once that info is in the hackers' possession, you are exposed to fraud and wipe out of your money.
Anonymous   |     |   Comment #46
How can it be justified that companies are using free open source software to protect OUR data?  We as consumers are paying for secure and reliable access to our data.  Needless to say there was a 2 year cover-up also.
Anonymous   |     |   Comment #48
Mr/Ms #45/47 -
You seem to think you are knowledgeable about the internet. Please disclose your credentials. Then maybe, just maybe, we can even begin to evaluate whether you know anything about what you're talking about.
Anonymous   |     |   Comment #49
me1004, stop pretending you are someone else.
paoli2   |     |   Comment #50
#48 Is that a new criterion for DA? We have to know what we are talking about!! :) If I want to make sure a poster is stating correct info, I research it myself. Otherwise, how can we be certain that anyone who posts is giving accurate info except maybe a certain couple of tried and tested posters who have been here for quite some time?
Anonymous   |     |   Comment #51
#50 You said exactly what I did. All you do is re-phrase the wording.
paoli2   |     |   Comment #54
#51 Maybe you posted your reply using a different avatar anonymously because I cannot find a post with your particular avatar posting what I posted. I was giving my personal opinion of the subject, not trying to repeat yours. But you know what they say: "If it is worth saying, it is worth saying twice" or something to that effect.