Heartbleed and You


Early in the morning of April 8th, ESP’s security team discovered news of a new vulnerability in a specific version of OpenSSL, the library that provides SSL/TLS encryption (HTTPS) for websites. This new, serious vulnerability affects a large portion of the internet, and may remain exploitable on some sites for months to come.

Potential Risks

The vulnerability allows an attacker to read up to 64 KB of a server’s memory by sending a bogus request. As such, it could open several avenues of exploitation:

  1. Stealing logins from the web server
  2. Stealing the website’s SSL certificate and private key
    • Using this certificate and private key to mount a man-in-the-middle attack, impersonating the website in question
    • Using this certificate and private key to decrypt previously captured traffic
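
The bogus request above is a TLS heartbeat whose declared payload length is larger than the data actually sent. The following Python is an added illustration, not part of ESP’s advisory: it inspects captured TLS records for exactly that mismatch, which is the condition the OpenSSL fix checks and what intrusion-detection rules for Heartbleed look for. The constants come from RFC 6520, and the sample records are constructed inline (TLS 1.1 version bytes assumed).

```python
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
PADDING_MIN = 16            # RFC 6520 requires at least 16 bytes of padding


def inspect_heartbeat_record(record: bytes) -> tuple:
    """Classify one raw TLS record as ("ok" | "alert" | "ignore", detail).

    A heartbeat is flagged when type(1) + length(2) + declared payload
    + minimum padding exceeds the record length: the check a vulnerable
    OpenSSL omitted, so it echoed back memory it never received."""
    if len(record) < 5:
        return "ignore", "truncated record header"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return "ignore", "not a heartbeat record"
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return "alert", "heartbeat record too short to hold type and length"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if 1 + 2 + payload_len + PADDING_MIN > rec_len:
        return "alert", f"declared payload {payload_len} bytes, record holds {rec_len}"
    kind = "request" if hb_type == HEARTBEAT_REQUEST else "response"
    return "ok", f"well-formed heartbeat {kind}, payload {payload_len} bytes"


def scan(records) -> dict:
    """Tally verdicts over a batch of captured records."""
    counts = {"ok": 0, "alert": 0, "ignore": 0}
    for rec in records:
        counts[inspect_heartbeat_record(rec)[0]] += 1
    return counts


# Constructed sample records (not real captures):
SAMPLE_RECORDS = [
    # honest request: 4-byte payload "ping" plus 16 bytes padding, lengths agree
    b"\x18\x03\x02\x00\x17\x01\x00\x04ping" + b"\x00" * 16,
    # bogus request: claims a 16 KB payload but the record carries only 3 bytes
    b"\x18\x03\x02\x00\x03\x01\x40\x00",
    # ordinary application-data record, not a heartbeat
    b"\x17\x03\x02\x00\x05hello",
    # heartbeat record cut down to a single byte: cannot even hold its header
    b"\x18\x03\x02\x00\x01\x01",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(inspect_heartbeat_record(rec))
    print(scan(SAMPLE_RECORDS))
```
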

Member Impact

While we do not believe it is likely that any client had their credentials stolen from ESP via Heartbleed, they may have used the same credentials on other websites that were vulnerable. We therefore believe it is prudent for members to reset their online banking login credentials to something new and unique.

Members who use Yahoo email are especially at risk, as Yahoo email accounts were vulnerable for much of Tuesday morning: an attacker could use the “forgot password” feature of online banking to send a reset email to the member’s address, or could try the member’s Yahoo password on online banking (if the two were the same).

You can find members who used Yahoo email accounts with our online banking platform by running the Member Email Report in Forza and exporting it to Excel. You can then notify those members and recommend that they change their email and OASIS passwords by, for example:

  1. Posting a message on your website
  2. Putting up a poster at the branch
  3. Adding a message to the Oasis sign-on page
  4. Adding a message to your phone system’s welcome message

Further Reading

More detailed technical information about the Heartbleed vulnerability is available from its website or from the National Institute of Standards and Technology. You can check whether a website is still vulnerable using this tool.