Thursday, April 10, 2014

Heartbleed and banks - WTF?!

We've all heard about the HeartBleed bug.  More than anything, I think that the lack of very public coordination by vendors has been troubling.  I should not have to dig on a vendor's site to find out whether they had vulnerable products.  Should be front page news, even if the answer is "we still don't know."

And banks... wow. I have accounts at several major banks.  I checked their websites this afternoon and not a single one has a notice up about whether or not they were ever vulnerable.  If they were, customers should know this, so they can choose what information they feel may have been compromised.  As it stands, the customer is currently at a significant disadvantage.  Why is this?  Admitting you were following best practices is a good thing. There's no shame in being vulnerable to a zero day bug.  There is shame in hiding this fact from your customers who might want to change passwords (not a bad idea anyway) or even do something more drastic like change account numbers.

So, does anyone know of any banks out there that have publicly disclosed whether they were vulnerable?  Has anyone given the "all clear"?  What's the status of the security of my accounts, and why am I having to guess?

If you check a bank site, leave a note here (or DM me on Twitter) with the name of the bank so we can keep a running list of who is and isn't notifying customers about HeartBleed status.

8 comments:

  1. I haven't seen/heard any. However I am using this site to check all the sites that I use to see if they are vulnerable or not.

    https://lastpass.com/heartbleed/

  2. Western Credit Union is reporting that they were unaffected.

  3. USAA

    https://communities.usaa.com/t5/USAA-News/USAA-Takes-Measures-Against-Heartbleed-Bug/ba-p/25876

  4. Capital One has given the all clear:

    http://phx.corporate-ir.net/phoenix.zhtml?c=251626&p=irol-headline8_wh

  5. Haven't heard anything from the banks in Australia either and it is concerning!!

  6. Of the major Canadian banks, only CIBC has anything posted. Their site says their online and mobile services are unaffected by HeartBleed.

  7. HSA Bank said they were unaffected also.

  8. Not that I totally believe them... www.txn.banking.pcfinancial.ca PC Financial says they're unaffected.

