The Heartbleed security flaw, characterized by its cool logo, has been almost impossible to ignore for the past two weeks, as traditional and social media have breathlessly reported that it could affect as many as two-thirds of all web sites.
Most banks have checked their web sites to make sure they're not using a type of server security software that's vulnerable to hackers. Many have confirmed that they don't use the particular software, OpenSSL, on their websites, and may have breathed a huge sigh of relief as a result.
But Heartbleed may be lurking in other parts of banks' infrastructures. Network devices, servers not serving websites, mobile apps and mobile devices all could be vulnerable. Cisco and Juniper, for instance, have both acknowledged that some of their network equipment uses the versions of OpenSSL in question.
"Everyone is thinking of Heartbleed in the context of websites," says Chris Novak, global managing principal of the risk team at Verizon. "While that is probably the most obvious place, it's also the place most people are remediating. You've got firewalls, routers, switches, and VPN endpoints that a lot of organizations are forgetting about."
Bank security executives declined to comment on this aspect of the Heartbleed risk, but observers say it's conceivable that hackers could break into other devices, servers and apps and steal customers' online and mobile banking credentials, which they could then use to commit financial fraud.
Experts say it's imperative that financial institutions go beyond inspecting web servers and thoroughly check for the bug throughout their IT infrastructure.
Clients have told Novak that their organizations are secure because they've patched all web servers that were vulnerable to OpenSSL issues. His response, he says, is "What kind of VPN do you use?" OpenSSL is commonly used to protect virtual private network sessions, which companies commonly use to let telecommuters and business partners connect to the software they use.
OpenSSL is a free piece of code that many web servers use to secure interactions with other computers. In some versions of OpenSSL, a component called a "heartbeat" — because its job is to ping the communicating server to keep a web session alive — contains a coding mistake that cybercriminals could use to steal small amounts (64 kilobytes) of data from a web session. If a hacker were able to break into a web session just at the moment an online banking customer was providing his user name and password, for instance, he would be able to steal that information. However, except for one case in Canada, researchers have yet to find a case of a hacker successfully stealing information with the use of Heartbleed. The potential still exists that such theft may have happened undetected, and researchers have found evidence that hackers are scanning for old, unpatched versions of OpenSSL.
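As an added illustration (not code from the article or from OpenSSL itself) of the coding mistake described above: a C heartbeat handler carrying the bounds check that the OpenSSL fix added, so that a record claiming more payload than it actually carries is dropped instead of answered with adjacent memory. The record layout follows RFC 6520 and the sample records are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* TLS heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER_LEN = 3, HB_MIN_PADDING = 16 };

/* Answer one heartbeat record of rec_len bytes. Returns the response length
 * written to out, or 0 (record silently dropped) when the claimed payload
 * length is not backed by bytes actually present in the record. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < (size_t)(HB_HEADER_LEN + HB_MIN_PADDING) || rec[0] != HB_REQUEST)
        return 0;
    /* 16-bit length field: the source of the 64 KB per-request ceiling. */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit inside the record;
     * without this the reply would carry whatever sat next to it in memory. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return 0;
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload); /* only bytes the peer sent */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);  /* real code: random bytes */
    return resp_len;
}

/* Constructed 24-byte request: payload "hello", 16 padding bytes, length field
 * set to 'claimed'. Returns the hardened handler's response length (0 = dropped). */
size_t respond_to_sample(uint16_t claimed)
{
    uint8_t rec[24] = {0}, out[64];
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER_LEN, "hello", 5);
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 5 -> %zu-byte reply\n", respond_to_sample(5));   /* 24 */
    printf("claims 65535 -> %zu-byte reply\n", respond_to_sample(0xFFFF)); /* 0 */
    return 0;
}
```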
In addition to network devices and non-website servers, some Android devices are also vulnerable to Heartbleed. Google said in an April 9 blog post that Heartbleed affects devices running version 4.1.1 of its Android mobile operating system, released in July 2012, and that the company is distributing patches for the affected version to Android partners.
Network devices in customers' homes could also be a concern for online banking security. "Consumers don't often update them and the manufacturers are often slow to update the software," says Jim Koenig, principal at Booz Allen who leads the firm's cross-industry privacy and identity theft practice.
However, the value of hacking one individual is slight (what are the odds of tapping into a consumer's home network at the very moment he is paying bills online?), so this is an unlikely avenue for cybercrime. Nonetheless, observers say banks should encourage their customers to change their online banking passwords — assuming their websites have been patched and encryption keys and certificates changed.
Mobile apps, including mobile banking apps, can also be vulnerable to Heartbleed. It's not that the apps themselves contain the Heartbleed bug, but they communicate with back-office servers that provide information such as transaction history, and those servers might not have been included in a Heartbleed scan.
In addition, other types of servers throughout a bank's data center could be susceptible.
"The back office infrastructure this is calling into question is not only web servers, it could be FTP servers," observes JD Sherry, vice president of technology and solutions at Internet security software company Trend Micro. Banks often use FTP servers to transmit large batch transaction files and ACH files, and some of these use OpenSSL.
Banks need to do a better job of evaluating the risk of their servers, understanding the roles they perform and the data they transfer, and determining any vulnerabilities, Sherry says, and then communicating this work internally and externally.
"The get-well plan associated with that goes a tremendously long way in ensuring consumer confidence in an event like this," Sherry says.
How long would all this take?