My guess is that you feel pretty comfortable banking online, at least from your computer, if not yet on your mobile device. I do too, despite all of the hackers out there trying to intercept our bank account numbers and passwords. Most of us are at ease because of the little lock symbol that appears before the URL when we visit our bank (or Gmail, Yahoo, and so forth). That lock symbol means that our communication is encrypted (digitally scrambled) by a standard called OpenSSL. Over time, SSL has proven to be relatively safe.
Just this week, however, it was discovered that OpenSSL was hacked using a vulnerability known as the Heartbleed Bug. Jeremy Bowers, as interviewed on NPR, put it eloquently (emphasis mine):
On March 14, 2012, someone introduced a bug that would allow an attacker to get the “crown jewels,” the encryption keys used to protect your communications directly from the companies themselves. With those keys, an attacker could eavesdrop on your communications with that company and/or impersonate that company, making it possible for them to harvest things like credit card numbers or passwords with relative ease.
This attack isn’t theoretical, it’s already been proven to work on Yahoo. In other words, this is a successful attack on one of the most trusted, previously secure aspects of the internet. It’s like finding out that the combination for the vault at your bank has been available to everyone on the internet for the past two years.
For more background on the problem, listen to the NPR piece above. I’d rather discuss immediate steps you should take to minimize the risk that your passwords are being hacked.
How do I protect myself against the Heartbleed Bug?
- It sounds alarmist, but I probably wouldn’t bank online in the next few days. If you can avoid it, do so. Bank by phone or in person, where possible. Remember, all the data thief needs to do is to watch you log into your bank account once. Give your bank time to catch up and patch up the security flaw.
- In the meantime, you need to change your passwords TWICE on any website that houses your sensitive personal information. You should change it right now (in case your financial institution was compromised over the last two years) and in a week or two, when your institution has installed the security patches that eliminate Heartbleed (understanding that if the website is still at risk, even if you change your password today, it could still be intercepted tomorrow, prior to them fixing the problem).
- Recognize that any passwords you entered over the past two years could be at risk, including those you use for banking, webmail, social media and any other online accounts. This does not just affect banking passwords.
- The Heartbleed Bug is so new that many banks and corporations haven’t yet had time to patch or fix the bug. Therefore, changing your password before they have made the security updates is only one step of several. There is a Heartbleed Bug Test that will give you some assurance that your bank or financial provider has solved the problem. We haven’t independently verified the test site, but it comes well recommended. You can also visit your bank’s website or call them to find out if they have solved the problem.
- If you are confident that they have taken proper steps to eliminate the problem, log on to your financial provider and change your password. Make sure that it is long, strong, alpha-numeric-symbol based and that you vary it between sites (learn more about strong passwords in Privacy Means Profit).
- Regardless of what your financial institution says, change your password frequently over the next few weeks, and from that point on (I recommend once a month).
- For added layers of protection, implement two-step logins (also known as two-factor authentication, which I explain here).
- Check back here for updates.
John Sileo helps corporations make security stick, so that it works. Watch him engage an audience, interview on the Rachael Ray Show or hear from his satisfied clients, including the Pentagon, Visa and the University of Massachusetts.