Over the past week, there has been much discussion about the OpenSSL coding flaw, the Heartbleed bug. OpenSSL is a commonly used implementation of Secure Sockets Layer (SSL). A diverse array of devices use OpenSSL to secure Internet communications. Heartbleed could allow someone to monitor log-in transactions as well as to grab and extract confidential data from affected websites and from hardware such as servers, mobile phones, and laptops. Research indicates that as many as 20 percent of all Internet sites could have been affected by this bug, including many high-profile sites. Google confirmed that phones operating Android 4.1.1 were also vulnerable to the bug, and they will remain so until the user installs its recent patch.
If there is a silver lining from the Heartbleed bug news, perhaps it is that the largest financial institutions have indicated they are not vulnerable. Even so, many smaller and mid-size banks and credit unions could still be vulnerable. Thus, the Federal Financial Institutions Examination Council issued a release urging financial institutions to incorporate patches on systems, applications, and devices that use OpenSSL. But unfortunately, this silver lining from the large banks isn’t enough to stanch this payments risk expert’s bleeding heart.
So what's the reason for my distress if the largest banks don’t appear to be vulnerable? I do not think that I am alone in admitting that I have used my credit card credentials all over the Internet. While I can count the number of cards that I have in my wallet, I couldn't begin to tell anyone the number of websites that those card credentials have been used or stored over the last two years—which is when Heartbleed appeared. Sure, I have a few go-to sites for online shopping, as I suspect many do, but I have used my cards and created accounts on many sites that I rarely visit or maybe even just visited once for a specific purchase. Are some of these sites vulnerable to this bug? I have a sinking feeling that the answer probably is "yes." And if my log-in credentials were extracted from websites other than my financial institution, I'll sheepishly admit that may be bad news as I have not always followed the best practice of maintaining separate IDs and passwords for each site. Is it really feasible to do that for so many sites?
No doubt talk and discussions in the days ahead will revolve around whether or not OpenSSL is a secure implementation of the SSL and transport layer security protocols. However, I think the heart (ahem) of the discussion of the Heartbleed bug should revolve around the use of passwords and card credentials on the Internet. This bug potentially exposes the flaws of relying on user IDs and passwords and highlights the vulnerability of using sensitive card data in the online environment. These flaws are well-documented, and fortunately, solutions are being discussed to mitigate these risks. My bleeding heart anxiously awaits their implementation.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed