3Rivers Blog

Protecting Your Money Matters from Heartbleed

Posted on Friday, April 11, 2014

If you've watched the news or social media feeds for even a moment this week, you've no doubt heard about “Heartbleed”. In short, it’s a security vulnerability in one of the most popular pieces of encryption software on the web, and some security experts are describing it as the biggest security breach in Internet history. With that, let's look at what Heartbleed is, who it affects, and what you need to do in response.


What's Heartbleed?

Heartbleed is the nickname given to a security vulnerability in OpenSSL, a popular online encryption library. The vulnerability allows hackers to find the secret codes that websites use to identify themselves. These codes allow hackers to translate the information (such as login credentials) that a computer sends to a website. The scariest aspect of Heartbleed is that it may have been around for two years, and there's no way to know whether it's been used on any particular service. Security experts discovered the flaw and informed the public about it only over the past few days.

Who was affected by Heartbleed?

If you use Yahoo e-mail, play Yahoo Fantasy Sports games, or use Tumblr, your password(s) may have been compromised. Some Google services, like Gmail and Google Drive, were also vulnerable. Social media sites like Twitter and Facebook may have been as well. The good news: most online financial services use other modes of encryption and were not vulnerable. 3Rivers has verified that the 3Rivers websites are not at risk from this vulnerability. In addition, we are reaching out to the third-party vendor partners that we do business with to ensure they are taking appropriate steps to review and secure their systems.

What do you need to do about Heartbleed?

The threat isn't just that someone could gain access to your e-mail. The real problem is that most people use a small collection of passwords for most services. Hackers know this and will therefore try those user names and passwords on other, more lucrative services. If you use one of these services, change your password, both on these services and on any other services where you’ve used the same password. Pick a new password that is easy to remember but strong enough to keep your data safe. Whether the services you use are identified as part of this breach or not, it would be wise to go ahead and swap out the old passwords for new passwords that are, again, strong and considerably different from what you had previously used.

Developers have released a new version of OpenSSL without the vulnerability in it. There is no need to change your online behavior. The services named above have all patched their encryption software to avoid this problem. You should have no less confidence in online shopping and banking than you did before the announcement. But be prudent and change your passwords.

In the future, it makes good security sense not to reuse passwords across many services. Part of the reason Heartbleed has become so big a deal is that it exposed a weak link in the system. Your passwords are only as secure as the least secure means you use to store them. Using more passwords and multiple variations of them helps keep your personal information safe and secure.