By now you've probably read or heard about the Heartbleed bug. Discovered one week ago, it is a flaw in OpenSSL, the software library that a large share of web servers use to handle HTTPS. It lets anyone on the Internet read chunks of a vulnerable server's memory (up to 64 KB per request), which can contain passwords, session cookies and even the private key that protects the site's encrypted traffic. It is a particularly insidious bug because exploiting it leaves no trace in ordinary server logs, so if information was stolen, the theft is unlikely ever to be detected. Still, it is important to remember that as of now, there is no known case of hackers using the bug to steal information.
So how much of a threat is it really, and what can you do to protect yourself?
Are You Impacted?
The general consensus from the media and security experts is that people should be concerned and vigilant about the bug. Mark Nunnikhoven, a security expert at Trend Micro, said that about 17% of secured sites on the Internet are vulnerable to the Heartbleed bug. The website Mashable.com has done a nice job putting together a list of major sites that were impacted by the bug. Some large sites on it include Netflix, YouTube and Gmail. Although these are not banks, you may well have a credit card stored with them or conduct financial transactions through them, so your personal and payment information could be exposed there too.
Large Banks Not as Impacted
The list from Mashable also shows that large banks have been largely unaffected by the bug. Heartbleed is a flaw in one specific library, OpenSSL, so a site is only exposed if its HTTPS connections are handled by a vulnerable OpenSSL version, and the big banks' sites largely were not. Big banks also rely on more than just a secure certificate to keep their customers' information safe, with multiple layers of authentication, although those layers limit what a stolen password is worth rather than prevent the memory leak itself.
Smaller Banks May Be Vulnerable
What about smaller banks? I went to several smaller bank sites and used a Heartbleed vulnerability testing tool. In five out of five cases, I received the message below.
Server software: Apache
Was vulnerable: Possibly (known to use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 8 months ago, at Aug 16 00:00:00 2013 GMT)
Additional checks: SSL certificate history yielded no new information
Assessment: It's not clear if it was vulnerable, so wait for the company to say something publicly. If you used the same password on any other sites, update it now.
You can test your own bank using the tool found here.
In contrast, this is the message I received when I tested Bank of America's website:
Server software: Not reported
Was vulnerable: No
SSL Certificate: Safe
Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!
This doesn't mean that smaller banks have the bug. A "Possibly" result only means the test could see that the site runs server software that commonly uses OpenSSL (here, Apache) but could not confirm which version is installed, and the version is what decides whether the site was exposed. If you receive that message, call your bank and ask whether it was vulnerable to the bug, whether it has been fixed, and whether its certificate has been reissued since.
While you shouldn't panic, it would be wise to change your password on any site listed as vulnerable. Even though it's unclear whether this vulnerability was ever exploited, changing passwords periodically is a good habit anyway, so use this as the occasion to upgrade your own personal digital security. One caveat though: change a password only after the site has patched its OpenSSL, and ideally after it has also replaced its certificate, since the old private key may have leaked along with everything else in memory. If you change it while the site is still vulnerable, you are simply handing your new password to an insecure server. So you might want to wait a few days or even a week to ensure that the vulnerable sites have upgraded their software, or ask the site directly. In the meantime, check your bank statements and credit card activity regularly to make sure you don't see anything out of the ordinary.
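The two tool outputs above and the caveat about when it is safe to change a password come down to a handful of rules, and writing them out makes the "Possibly" verdict less mysterious. Below is an added example (my own code, not the testing tool the page uses and nothing from the banks themselves): it takes what a scanner or the site operator can tell you, namely the Server banner, the certificate's issue date, an optional result from an active heartbeat probe, and the date the operator says it patched, and returns the same three verdicts the tool prints. The affected version ranges are the published ones for CVE-2014-0160; the list of OpenSSL-linking banners, the dataclass, and all sample observations are constructed for illustration.

```python
"""Heartbleed triage: turn what a scanner or the site operator tells you into
the verdicts the page's tool prints (exposed?, key rotated?, what to do).
Added example, not the page's testing tool; all sample inputs are constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CVE-2014-0160 was disclosed, and the fixed OpenSSL 1.0.1g released, on 7 April 2014.
DISCLOSURE = date(2014, 4, 7)
# Server banners that almost always mean "links OpenSSL" (assumed list).
OPENSSL_BANNERS = ("apache", "nginx", "lighttpd")

WAIT_FOR_FIX = "wait_for_fix"            # server may still leak whatever you type into it
WAIT_FOR_KEY = "wait_for_key_rotation"   # patched, but the possibly leaked key is still in use
CHANGE_NOW = "change_password_now"
NO_CHANGE = "no_change_needed"           # unless the same password is used elsewhere
ASK_OPERATOR = "ask_operator"


def openssl_version_from_banner(banner: str) -> Optional[str]:
    """Pull '1.0.1f' out of e.g. 'Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f'; None if absent."""
    m = re.search(r"openssl[/ ]?\s*(\d+\.\d+\.\d+[a-z]?(?:-beta\d)?)", banner, re.I)
    return m.group(1) if m else None


def openssl_status(version: Optional[str]) -> str:
    """'vulnerable', 'not_vulnerable' or 'unknown' for an upstream OpenSSL version.

    Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 fixed it;
    1.0.0 and 0.9.8 never contained the heartbeat code. Distributions that backport
    the fix keep the old number, so 'vulnerable' means 'unless the vendor patched it'.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d))?", (version or "").lower())
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    if branch == (1, 0, 1):
        return "vulnerable" if m.group(4) <= "f" else "not_vulnerable"
    if branch == (1, 0, 2):
        return "vulnerable" if m.group(5) == "1" else "not_vulnerable"
    return "not_vulnerable"


@dataclass
class Observation:
    server_banner: str                          # Server header, or "Not reported"
    cert_not_before: Optional[date] = None      # notBefore of the site's certificate
    heartbeat_probe: Optional[bool] = None      # result of an active check, None if not run
    operator_patched_on: Optional[date] = None  # date the site says it patched, if any


def assess(obs: Observation) -> dict:
    # 1. Exposed right now? An active probe is decisive; a banner only supports
    #    "possibly", because a banner cannot show a backported fix.
    if obs.heartbeat_probe is not None:
        exposed = "yes" if obs.heartbeat_probe else "no"
    else:
        status = openssl_status(openssl_version_from_banner(obs.server_banner))
        if status == "not_vulnerable":
            exposed = "no"
        elif status == "vulnerable" or any(b in obs.server_banner.lower() for b in OPENSSL_BANNERS):
            exposed = "possibly"
        else:
            exposed = "unknown"

    # 2. Key replaced after the fix? A certificate issued before disclosure (or before
    #    the operator's patch date) used a key that may have been read out of memory.
    if obs.cert_not_before is None:
        key_rotated = None
    else:
        key_rotated = obs.cert_not_before >= max(DISCLOSURE, obs.operator_patched_on or DISCLOSURE)

    # 3. What to do with your password.
    if exposed in ("yes", "possibly"):
        action = WAIT_FOR_FIX            # a new password typed now could leak the same way
    elif exposed == "unknown":
        action = ASK_OPERATOR
    elif obs.operator_patched_on is None and not key_rotated:
        action = NO_CHANGE               # no sign it was ever affected
    elif key_rotated:
        action = CHANGE_NOW              # patched and re-keyed, or quietly re-keyed
    else:
        action = WAIT_FOR_KEY
    return {"exposed": exposed, "key_rotated": key_rotated, "action": action}


# Constructed sample observations modelled on the page's two tool outputs (not real scans).
SMALL_BANK = Observation("Apache", cert_not_before=date(2013, 8, 16))
BIG_BANK = Observation("Not reported", heartbeat_probe=False)
OLD_NGINX = Observation("nginx/1.4.6 OpenSSL/1.0.1e", cert_not_before=date(2014, 1, 5))
PATCHED_SITE = Observation("Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f", cert_not_before=date(2014, 4, 10),
                           heartbeat_probe=False, operator_patched_on=date(2014, 4, 8))
FIXED_NOT_REKEYED = Observation("Apache OpenSSL/1.0.1g", cert_not_before=date(2014, 4, 7),
                                operator_patched_on=date(2014, 4, 8))

if __name__ == "__main__":
    for name, obs in [("small bank", SMALL_BANK), ("big bank", BIG_BANK), ("old nginx", OLD_NGINX),
                      ("patched site", PATCHED_SITE), ("fixed, not re-keyed", FIXED_NOT_REKEYED)]:
        print(f"{name:20s} {assess(obs)}")
```

Two design choices are worth noting. A version number read from a banner is deliberately downgraded from "vulnerable" to "possibly" rather than "yes", because Debian and Ubuntu shipped the fix under the old 1.0.1e/1.0.1f version strings, which is exactly why the page's tool hedges with "might be using a safe version"; only an active probe or the operator's own statement can settle it. And the key-rotation check uses the later of the disclosure date and the operator's patch date, since a certificate reissued the day before the server was actually patched would have had its new key exposed just like the old one.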