The Heartbleed computer bug is now a banking issue.
Federal bank regulators have issued notices to banks to ensure that their software, servers and other equipment – as well as those of their vendors – are not vulnerable to the flaw, which has existed for two years but was discovered only earlier this month.
“Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks,” said an alert on the Federal Financial Institution Examination Council’s website.
The bug can be fixed through a series of software patches and other measures, which the FFIEC said institutions or their third-party technology vendors should make immediately.
Heartbleed has caused major security concerns across the Internet and affects a widely used encryption technology, OpenSSL, an implementation of the SSL/TLS protocols. Internet services have been working for more than a week to implement safeguards against the bug.
Greg Hernandez, a spokesman for the Federal Deposit Insurance Corp., reiterated in an e-mail to The Eagle what his agency said in a letter Friday to the financial institutions whose deposits it insures.
“The FDIC expects financial institutions to make sure they fix this vulnerability, including their third-party vendors,” he said.
Hernandez added that FDIC officials will check to make sure the fix has been made as part of their bank examination process.
He said that as of Wednesday afternoon, the FDIC “was not aware of this vulnerability being exploited at any U.S. banks.”
Chuck Stones, president of the Kansas Bankers Association, said he doesn’t know how big an issue it is for Kansas banks. He has not heard a lot of conversation about it from his members, but he said Heartbleed is worrisome.
“Anytime there’s a potential threat for a hack of any information, it’s always a concern,” Stones said. “Anytime there’s a potential for a loss of individual data, that’s our customers you’re talking about.”
Just like websites, the software that runs some networking equipment – such as routers, switches and firewalls – also uses OpenSSL, the implementation of SSL/TLS that contains the Heartbleed vulnerability. OpenSSL is a set of tools and source code that programmers use to protect passwords and other sensitive information from eavesdropping. As the name implies, it is “open” source code that is publicly available and doesn’t require a license to use.
Tom Morrison, division director of payment, technology and operations for Intrust Bank, said when news of the Heartbleed bug broke, the first thing Intrust officials did was to assess whether it used OpenSSL, which the bank does not.
“We’re going to continue monitoring … and we’ll see if anything changes,” he said.
Contributing: Associated Press