MADISON, Wis. (4/11/14)--When the Heartbleed security flaw made news earlier this week, credit unions moved swiftly to inform members of the steps they had taken to protect their online banking credentials.
The Heartbleed bug--a flaw in OpenSSL, the open-source Secure Sockets Layer (SSL/TLS) library used to establish encrypted links between servers and users--exposed millions of usernames, passwords and other information.
Undetected for more than two years, the bug affects two-thirds of encrypted websites.
Many credit unions reassured members via email or on their websites that their online systems did not use OpenSSL, that their third-party providers were up to date, or that they had taken the appropriate measures to secure their sites.
Additionally, credit unions shared tips with their members to make their Internet use safer, encouraging them to check the security of other sites they use and to be proactive about password hygiene and virus protection.
Curtis Sutton, First Class American CU, Fort Worth, Texas, said it's important that credit unions make sure their anti-virus software is up-to-date and that they have intrusion detection on their network (Leaguer April 10). The IT/network manager at the $45 million-asset credit union also said firewalls need to be up-to-date, and security certificates must be current and valid.
CUNA Mutual Group distributed a Risk Alert to its bond policyholders advising the following risk-mitigation steps:
Credit unions should take immediate steps to identify all critical systems that may be impacted by the Heartbleed security flaw. Security patches made available by vendors should be installed immediately.
If the online banking server is impacted, credit unions should notify members to change their username and password after the vulnerability has been patched.
Notify members to closely monitor their accounts and to alert the credit union immediately if unauthorized transactions are detected.
The Federal Financial Institutions Examination Council (FFIEC) announced Thursday that it expects financial institutions to apply patches to systems, services, applications and appliances that use OpenSSL, and to upgrade those systems as soon as possible to address the Heartbleed vulnerability.
Specifically, FFIEC said private keys and X.509 certificates should be replaced after the patch has been applied to each service that uses OpenSSL. It also suggested requiring users and administrators to change passwords after the patch has been applied.
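The patch, reissue and reset sequence in the two sets of guidance above, turned into an inventory check, as an added example that is not from the article, CUNA Mutual or FFIEC. The host names, timestamps and version banners are constructed; the affected version range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) comes from the OpenSSL advisory, not from this page.

```python
"""Heartbleed remediation audit over a constructed host inventory (added example).
Checks the ordering the FFIEC guidance implies: a fixed OpenSSL build, then the
certificate/key reissued after patching, then credentials reset after patching.
Affected releases: OpenSSL 1.0.1 through 1.0.1f; fixed in 1.0.1g (7 Apr 2014)."""
import re
from datetime import datetime

# Matches "OpenSSL 1.0.1" and 1.0.1a..1.0.1f, not 1.0.1g or later. Caveat: distros that
# backport the fix keep the old banner (e.g. "1.0.1e"), so confirm at package level.
AFFECTED_RE = re.compile(r"^OpenSSL 1\.0\.1[a-f]?\b")

def is_affected_build(version_banner: str) -> bool:
    """True if `openssl version` output names a Heartbleed-affected release."""
    return AFFECTED_RE.match(version_banner) is not None

def audit_host(host: dict) -> list:
    """Return remediation gaps for one host; an empty list means fully remediated."""
    gaps = []
    if is_affected_build(host["openssl_version"]):
        gaps.append("unpatched: OpenSSL build in affected 1.0.1-1.0.1f range")
    patched_at = host["patched_at"]
    if patched_at is None:
        gaps.append("no patch applied / no patch time recorded")
        return gaps  # ordering checks below mean nothing until the host is patched
    # A key reissued before patching could have leaked again, so it must postdate the patch.
    if host["cert_not_before"] <= patched_at:
        gaps.append("certificate and private key not reissued after patching")
    if host["password_reset_at"] is None or host["password_reset_at"] <= patched_at:
        gaps.append("user/admin credentials not reset after patching")
    return gaps

def audit_inventory(inventory: list) -> dict:
    """Map host name -> list of gaps for every host in the inventory."""
    return {h["host"]: audit_host(h) for h in inventory}

T = datetime.fromisoformat  # constructed timestamps below are not real patch records
INVENTORY = [
    {"host": "olb-web-1", "openssl_version": "OpenSSL 1.0.1f 6 Jan 2014", "patched_at": None,
     "cert_not_before": T("2013-05-01T00:00:00"), "password_reset_at": None},
    {"host": "olb-web-2", "openssl_version": "OpenSSL 1.0.1g 7 Apr 2014",
     "patched_at": T("2014-04-08T12:00:00"), "cert_not_before": T("2013-05-01T00:00:00"),
     "password_reset_at": T("2014-04-09T09:00:00")},
    {"host": "olb-web-3", "openssl_version": "OpenSSL 1.0.1g 7 Apr 2014",
     "patched_at": T("2014-04-08T12:00:00"), "cert_not_before": T("2014-04-08T15:00:00"),
     "password_reset_at": T("2014-04-09T09:00:00")},
]

if __name__ == "__main__":
    for name, gaps in audit_inventory(INVENTORY).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The version-banner check is only a first pass: where a distribution backported the fix, the package changelog, not the banner, is the authoritative record.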
Consumers may be weary of the constant drumbeat about their online security and why it's still a problem for companies and consumers. Steve Kirsch, founder/CEO of OneID, offered, "The real reason we keep having password breaches is because Internet companies don't care enough about consumers' security. They continue to use old practices that are continually being breached. Websites believe that the tools and technology they have in place are secure enough already."
Kirsch's company, which is a CUNA Strategic Services alliance provider, enables online transactions by linking individuals with their unique digital identity, eliminating usernames, passwords and site-specific accounts.