The Heartbleed security flaw, characterized by its cool logo, has been almost impossible to ignore for the past two weeks, as traditional and social media have breathlessly reported that it could infect as many as two-thirds of all web sites.
Most banks have checked their web sites to make sure they're not using a type of server security software that's vulnerable to hackers. Many have confirmed that they don't use the particular software, OpenSSL, on their websites, and may have breathed a huge sigh of relief as a result.
But Heartbleed may be lurking in other parts of banks' infrastructures. Network devices, servers not serving websites, mobile apps and mobile devices all could be vulnerable. Cisco and Juniper, for instance, have both acknowledged that some of their network equipment use the versions of OpenSSL in question.
"Everyone is thinking of Heartbleed in the context of websites," says Chris Novak, global managing principal of the risk team at Verizon. "While that is probably the most obvious place, it's also the place most people are remediating. You've got firewalls, routers, switches, and VPN endpoints that a lot of organizations are forgetting about."
Bank security executives declined to comment on this aspect of the Heartbleed risk, but observers say it's conceivable that hackers could break into other devices, servers and apps and steal customers' online and mobile banking credentials, which they could then use to commit financial fraud.
Experts say it's imperative that financial institutions go beyond inspecting web servers and thoroughly check for the bug throughout their IT infrastructure.
Clients have told Novak that their organizations are secure because they've patched all web servers that were vulnerable to OpenSSL issues. His response, he says, is "What kind of VPN do you use?" OpenSSL is commonly used to protect virtual private network sessions, which companies commonly use to let telecommuters and business partners connect to the software they use.
OpenSSL is a free piece of code that many web servers use to secure interactions with other computers. In some versions of OpenSSL, a component called a "heartbeat" because its job is to ping the communicating server to keep a web session alive contains a coding mistake that cybercriminals could use to steal small amounts (64 kilobytes) of data from a web session. If a hacker was able to break into a web session just at the moment an online banking customer was providing his user name and password, for instance, he would be able to steal that information. However, except for one case in Canada, researchers have yet to find a case of a hacker successfully stealing information with the use of Heartbleed. The potential still exists that such theft may have happened undetected, and researchers have found evidence that hackers are trolling for old and unamended versions of OpenSSL.
In addition to network devices and non-website servers, some Android devices are also vulnerable to OpenSSL. Google said in an April 9 blog post that Heartbleed affects devices running version 4.1.1 of its Android mobile operating system, released in July 2012, and that the company is distributing patches for the affected version to Android partners.
Network devices in customers' homes could also be a concern for online banking security. "Consumers don't often update them and the manufacturers are often slow to update the software," says Jim Koenig, principal at Booz Allen who leads the firm's cross-industry privacy and identity theft practice.
However, the value to hacking one individual is slight what are the odds of tapping into a consumer's home network at the very moment he is paying bills online? - so this is an unlikely avenue for cybercrime. Nonetheless, observers say banks should encourage their customers to change their online banking passwords assuming their websites have been patched and encryption keys and certificates changed.
Mobile apps, including mobile banking apps, can also be vulnerable to Heartbleed. It's not that the apps themselves use Heartbleed, but they communicate to back-office servers that provide information such as transaction history that might not have been included in a Heartbleed scan.
In addition, other types of servers throughout a bank's data center could be susceptible.
"The back office infrastructure this is calling into question is not only web servers, it could be FTP servers," observes JD Sherry, vice president of technology and solutions at Internet security software company Trend Micro. Banks often use FTP servers to transmit large batch transaction files and ACH files, and some of these use OpenSSL.
Banks need to do a better job of evaluating the risk of their servers, understanding the roles they perform and the data they transfer, and determining any vulnerabilities, Sherry says, as well as communicate this work internally and externally.
"The get-well plan associated with that goes a tremendously long way in ensuring consumer confidence in an event like this," Sherry says.
How long would all this take?
"This is the equivalent of an Internet oil spill," Sherry says. "We don't know the breadth or depth of this yet, it will take weeks and months to get people's arms around this, and quite frankly some people are never going to get to patch all their systems, which is the scary thing. Maybe they don't even know what they have."
Companies also have to balance security efforts with business practicalities.
"Any CIO or CISO in these banks will be having conversations around balancing the risk with maintaining business operations and service continuity," Sherry says. "There can't be this mad rush to patch systems if it's going to bring systems down and disrupt business."
Ongoing maintenance and protection against Heartbleed will be critical, some say.
"There's an incredible amount of opportunities [for hackers] to exploit this issue," Novak says. "Like any other vulnerability or large bug, there's a wave of people who run out to patch everything they can think of. After the patching is done, they forget about it. I worked a case the other day where there was a vulnerability that was probably two years old. It was probably patchable but for some reason they just never got around to patching that system and didn't realize it had a bug."
On the other hand, hackers may be put off by all the press attention Heartbleed has received, Novak points out.
"If you're on the hacker side, you go, man, how come the media had to go ruin this great opportunity?" Novak says. "Now everybody knows about it."