The Federal Financial Institutions Examination Council told financial institutions Thursday to figure out fixes to a devastating security flaw that could put online and mobile banking applications at risk.
The FFIEC expects "financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability," the council said in a statement.
OpenSSL is a cryptographic software library used to authenticate services and encrypt sensitive information. A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt or spoof network communications, or to mount other attacks on traffic that would otherwise be protected by encryption.
The bug, nicknamed Heartbleed, has been around since 2012 and has opened up a window to let attackers steal information such as user names and passwords and the private keys sites use to encrypt and decrypt sensitive data.
"Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch," the FFIEC said. "Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action."
The vulnerability, which was announced late Monday, has been uncovered in OpenSSL, open-source software that lets web sites encrypt communications with visitors.
"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," blogged researchers who discovered the flaw earlier this week.
Indeed, industry experts estimate that the bug has put two-thirds of web servers — including those running OKCupid and Yahoo — at risk of eavesdropping.
That also means digital financial credentials could be compromised when consumers reuse their passwords, which many do.
"Most consumers use the same passwords for many different applications, including their online banking," noted Shirley Inscoe, a senior analyst at Aite Group. "If, for example, they use Facebook, Yahoo email, or other systems, and their login credentials are compromised, fraudsters can use bots to test various bank sites with the credentials until they find one that works. At that point, the customer may be the victim of account takeover, and need to notify their bank concerning fraudulent activity."
Security experts urge consumers to change their passwords, but only after the websites they use have applied the available patch; a password changed on a still-vulnerable site can be stolen again.
"It is likely that a great many Internet users will be asked to change their passwords this week (I hope)," wrote security blogger Brian Krebs.
Some vendors have already taken proactive steps to mitigate risks, while credit unions and banks may now need to ease broad customer concerns.
Wade Arnold, who works in Jack Henry's ProfitStars division, said in a BTN LinkedIn discussion that the vendor has regenerated all SSL certificates, revoked and reissued all open authorization tokens for mobile users and forced a reset of all passwords. (BTN is an affiliate publication of Credit Union Journal.)
A spokesperson for core banking provider Fiserv said in a statement that the company has been working since the OpenSSL issue was identified to assess and minimize any potential risk to clients. "We have no evidence that any of our systems have been improperly accessed due to this issue," he stated.
Online banking vendor Digital Insight reports that its websites are not affected because they do not use the OpenSSL library that is the source of the vulnerability. The company also says it will continue to investigate, with the help of third-party vendors.
The FFIEC was established in March 1979 to prescribe uniform principles, standards and report forms, and to promote uniformity in the supervision of financial institutions.
NCUA chairman Debbie Matz is among the council's six voting members. The other five are: the chairman of the Federal Deposit Insurance Corp; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; the Chairman of the State Liaison Committee, and a governor of the Board of Governors of the Federal Reserve System, designated by the chairman of the board.
The FFIEC's activities are also supported by interagency task forces and by an advisory State Liaison Committee, composed of five representatives of state agencies that supervise financial institutions.