You’ve likely seen the headlines regarding the Heartbleed Bug, an Internet security flaw that exposes private information shared over the web.
The bug affects vulnerable versions of OpenSSL, an open-source implementation of Secure Sockets Layer (SSL) technology used by an estimated two thirds of websites to protect users’ personal information such as passwords and transaction data.
How Does Heartbleed Work?
The discovery was made by a team from Internet security company Codenomicon. From their blog:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
If you’ve ever submitted your credit card details or a password online, you’ve likely noticed a small lock icon appear in your browser bar and “HTTPS” preceding the web address. This means a layer of protection has been added to the information you’re sharing. Heartbleed makes this information accessible, even when the lock is closed.
Is Your Information At Risk?
Here’s what we know so far about Heartbleed:
- While the impact is widespread, there IS a quick fix – a patch exists that solves the security issue. The onus for applying the patch, however, falls to the website or service provider.
Wondering if a website has been affected? Click here to test whether it’s at risk.
- It’s been around for a while – the Codenomicon team noted that the bug has existed for about two years, though it remained undiscovered.
- You should reset your passwords as a safeguard. While you may not know if your web service uses the vulnerable software, updating your password can give you added protection in case you’ve already been exposed. The changes are recommended for websites you frequent, such as email and online banking.
Update: Patch Status
Here’s a list of sites that remain vulnerable to the bug as of 10 a.m., April 10.
The Toronto Star has also compiled a list of statements from commonly used websites and services including Twitter, Google and the Canadian Banking Association.
Are Online Banking Customers Vulnerable?
One of the biggest concerns is whether millions of online banking details, such as PINs and credit card info, have been exposed. While the big banks remained mum for the better part of the day (prompting a Twitter frenzy from customers demanding a statement), TD and RBC have confirmed their systems were not affected. BMO, CIBC and Scotiabank have yet to officially comment.
April 10 UPDATE: The Canadian Banking Association states that none of Canada’s banks were affected: “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence.”
Online Risks Still Prevalent
Theoretically, banking information could be vulnerable, according to Seth Hardy, senior security analyst at University of Toronto’s Citizen Lab.
“Normally online banking is protected using HTTPS. If a bank hasn’t upgraded its server to fix this vulnerability, it is possible for someone to steal passwords, account numbers, PINs, or see what the users are doing,” he wrote in an email to Money Wise. “It is possible for the security of the entire system (any transactions that happen over that webserver) to be compromised.”
Hardy points out that the banks would be among the first institutions to administer the bug’s fix. “There is already a fix for this bug, and companies like banks are working to update their software – many are already done.”
It’s also worth noting that the additional security measures used by banks (such as recognizing a key phrase and image) add another layer of protection to your login. However, it’s wise to stay alert to the possibility of fraud, and to keep an eye on your accounts in the near future. The Globe and Mail’s Rob Carrick has an excellent guide outlining your responsibility as a consumer in countering bank fraud should you notice anything amiss.
The Canada Revenue Agency Shuts Down Amid Security Concerns
Just when you thought tax time couldn’t get any worse – Heartbleed has also prompted the Canada Revenue Agency to temporarily suspend its online services, including the tax filing services NETFILE and EFILE.
Stated the agency:
“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold.”
As of press time these services remain offline, and may be down until the weekend. The CRA has stated they will waive late charges on taxes due to the bug for a period of time after the issue is resolved.
Keep an Eye on Your Apps
Hardy points out that the bug can extend to finance and budgeting apps that use the vulnerable version of OpenSSL.
“The same data would be sent over HTTPS, and could be seen by someone exploiting the Heartbleed vulnerability. In this case it would be possible for all users of a particular app to be compromised,” he says.
“In either case, the bulk of the burden is on the service provider – to fix the bug, to change their potentially compromised encryption keys. If a user is concerned that their provider or account may have been compromised, changing their own password is a good step to take.”