Giant Web Vulnerability Brings Indirect Risk to Digital Banking

  • What's wrong with passwords? Plenty, if you ask almost anyone. The traditional user name and password is old and unsafe. The alternative is "bring your own ID" - voice, fingerprint and facial recognition technology that's emerging from tests into production.

    January 1

A devastating security flaw in the internet could bring added risks to banks' online and mobile apps.

The vulnerability, which was announced late Monday, has been uncovered in OpenSSL, open-source software that lets web sites encrypt communications with visitors.

The bug, nicknamed Heartbleed, has been around since 2012 and has opened up a window to let attackers steal information such as user names and passwords and the private keys sites use to encrypt and decrypt sensitive data.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," blogged researchers who discovered the flaw on Monday.

Indeed, Ars Technica estimates the bug has put two-thirds of web servers — including those running OKCupid and Yahoo — at risk to eavesdropping. 

There is an indirect risk for banks: Digital banking credentials could be compromised when consumers reuse their passwords, which they do.

"Most consumers use the same passwords for many different applications, including their online banking," says Shirley Inscoe, a senior analyst at Aite Group, in an email to BTN. "If, for example, they use Facebook, Yahoo email, or other systems, and their login credentials are compromised, fraudsters can use bots to test various bank sites with the credentials until they find one that works. At that point, the customer may be the victim of account takeover, and need to notify their bank concerning fraudulent activity."

Security experts urge consumers to change their passwords, after the websites they use have run the available patch.

"It is likely that a great many Internet users will be asked to change their passwords this week (I hope)," writes security blogger Brian Krebs. 

Some fintech vendors have already taking proactive steps to mitigate risks while banks may now need to ease broad customer concerns.

Wade Arnold, who works under Jack Henry's ProfitStars' division, said in a BTN LinkedIn discussion that the vendor has regenerated all SSL certificates, renewed all open authorization tokens for mobile users and forced the reset of all passwords.

A spokesperson for core banking provider Fiserv said in a statement that the company has been working since the OpenSSL issue was identified to assess and minimize any potential risk to clients. "We have no evidence that any of our systems have been improperly accessed due to this issue," he stated.

Online banking vendor Digital Insight reports that its websites are not affected because they do not use the OpenSSL library that is the source of the vulnerability. The company also says it will continue to investigate, with the help of third-party vendors.

Javelin industry analyst Al Pascual says most big banks should not be affected. PNC, for one, told BTN it has tested its online and mobile banking systems and confirmed they are not vulnerable to the Heartbleed bug.

Even so, financial institutions may need to calm their customers' fears.

"Overall, this diminishes confidence in the safety of online transacting, and the financial industry now needs to reassure consumers that their accounts are secure," says Pascual in an email to BTN. "Ultimately, a consumer can determine whether or not they can bank online without being impacted, but to be honest, they shouldn’t have to go through the trouble."

TD Bank could serve as a role model. It tweeted a message of reassurance to its customers:

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER