Is Your Bank Vulnerable to the Heartbleed Internet Security Bug?
A major security flaw in the internet may have allowed the personal information of millions of web users to be leaked. The flaw has affected all types of websites, including bank websites. It’s important to understand that there’s currently no indication that personal information has been stolen. However, the flaw has been out there for the last couple of years, and hackers could have used it to quietly steal personal information. A fix for the flaw is available, and many websites have already applied it, but it may take time before all websites do so.
Many people don’t trust online banking, and this flaw does support their concerns. It’s important to remember that federal regulation (Reg E) protects us from fraud if we quickly report unauthorized debits. Here’s a summary of Reg E as described in this NBC News article:
When an ATM card, PIN number, or online banking password is stolen, consumers must report the loss within two days of receiving their bank statement that reflects the fraud, according to Reg E. Consumers who do so are only liable for $50 in losses, much like credit cards. But waiting a third day can be costly; liability jumps to $500. And if a consumer waits more than 60 days, the liability is unlimited.
Some banks go above Reg E and guarantee to cover all losses if the fraud is reported quickly. Here’s Ally Bank’s guarantee:
We guarantee that you will not be liable for any unauthorized Online or Mobile Banking transaction as long as you report the unauthorized transaction by calling us at (877) 247-2559 within 60 days from when your statement is made available.
The most important thing for consumers to do is to regularly check their bank accounts and report unauthorized transactions as soon as possible.
Besides regularly monitoring your accounts, there’s not much that can be done about this Heartbleed bug. This CNET article, How to protect yourself from the 'Heartbleed' bug, has some recommendations. It advises that, before changing your password, you confirm with your bank that it has applied the software fix.
I’ve tested several bank and credit union websites using the LastPass Heartbleed checker web app, which was recommended by the CNET article. The web app shows whether a website is vulnerable to this bug. Below is a list of bank and credit union websites that had no vulnerability according to this web app. In these cases, there’s "no need to change your password unless you have used it on any other site."
Bank websites that are NOT vulnerable according to the LastPass Heartbleed checker:
- capitalone360.com
- ftub.com (First Trade Union Bank)
- incrediblebank.com
- salliemae.com
- unionfsb.com (Union Federal Savings Bank)
- connexuscu.org
- smartypig.com
Is your bank vulnerable? How does this incident affect your trust of online banking?
Thanks to DA member me1004 for first reporting on this news in this DA forum thread.