How CUs Are Reacting To 'Heartbleed' Bug

Hours after credit unions and other financial institutions were told by the Federal Financial Institutions Examination Council that they needed to find fast fixes to the "Heartbleed" bug, a new vulnerability that potentially could affect online and mobile banking, CUs were springing into action.

On Thursday, the FFIEC said a significant vulnerability had been found in OpenSSL, a cryptographic software library used to authenticate services and encrypt sensitive information, that could allow an attacker to decrypt, spoof or perform attacks on network communications that would otherwise be protected by encryption.

The Heartbleed bug, which has been around since 2012, has opened a window to let attackers steal information such as user names and passwords and the private keys sites use to encrypt and decrypt sensitive data, industry experts say.

At $5.8 billion America First Credit Union, Rex Rollo, EVP and chief financial officer, told Credit Union Journal the Riverdale, Utah-based institution's systems and members are safe.

"We have taken the necessary measures and have assured our members that the latest security risk, known as 'Heartbleed,' will not affect or cause risk when accessing accounts with America First Credit Union," Rollo said. "We have validated that americafirst.com is not vulnerable through SSL labs."

Rollo said America First CU is encouraging its members to take advantage of a free service it provides as additional protection for their computers when logging in online. That software, Rapport, is available for download from Trusteer.

No OpenSSL At One Nevada CU, Patelco CU

Greg Barnes, SVP of marketing for $698 million One Nevada CU in Las Vegas, said its IT team evaluated potential vulnerabilities to the Heartbleed bug.

"All One Nevada Credit Union domains accessible through the web were evaluated and reported not vulnerable to the Heartbleed attack," Barnes said. "Further evaluation of the Heartbleed bug indicates that vulnerabilities occur when OpenSSL is deployed. One Nevada Credit Union does not run OpenSSL on any of our servers or desktops."

Kevin Landel, SVP and chief information officer for $4 billion Patelco Credit Union, Pleasanton, Calif., said simply, "Patelco's websites are not affected by Heartbleed because they do not use OpenSSL that is the source of the vulnerability."

In Longview, Wash., $581 million-asset Red Canoe CU posted a statement on its website: "Red Canoe has conducted tests and reviews of our systems, including conversations with key 3rd party vendors, to ensure that Red Canoe is not at risk. To date, we have uncovered no evidence that any of our systems are likely to be affected by this vulnerability and our members' data has never been at risk."

Technology CU, a $1.7-billion credit union in San Jose, Calif., the heart of the Silicon Valley, also communicated with its members via its website:

"Technology Credit Union is aware of the Heartbleed vulnerability that is potentially affecting many websites and systems globally. Your account security continues to be our highest priority. Based upon our review, Online Banking and Mobile services are NOT impacted by the OpenSSL vulnerability. At this time, there's no need to reset your password. As a best practice, Tech CU recommends changing your passwords periodically.

"Our security team is continuing our evaluation of this vulnerability as it relates to all systems," Tech CU said. "We continue to work diligently with our vendors and security partners to address issues, if any, as quickly as possible."

Proactive Steps

Michael Florea, chief information officer for $943 million Columbia Credit Union, Vancouver, Wash., said the FFIEC's statement "validated our actions to safeguard Columbia CU's website."

"Columbia Credit Union immediately secured all impacted servers and installed security certificates to ensure safe access to the company's website and online banking servers," said Florea.

Teresa Freeborn, president and CEO of $806 million Xceed Financial FCU in El Segundo, Calif., said her credit union's IT security was also safe.

"A proactive approach in our members' security is one of the ongoing strategic pillars of Xceed's overall technology services," Freeborn said. "When the vulnerability was first disclosed we began investigating our exposure and that of our partners. As a result of our own testing and responses from our partners, at this time we have no indication that any of our Internet applications have been vulnerable to compromising member usernames or passwords. Our members can be confident that it is perfectly safe to use Xceed Financial's infrastructure for all the services that we provide."

Freeborn said Xceed will continue to "closely monitor the situation and act accordingly to implement any and all precautionary measures available to ensure our members are fully protected."

