April 18, 2014

'Heartbleed' not just a website issue

April 21, 2014 – The "Heartbleed" issue may be affecting other parts of financial institutions' infrastructure, including servers not serving websites, mobile apps and mobile devices, according to reports.

American Bankerreported that both Cisco and Juniper acknowledged that some of their network equipment uses the versions of the questionable OpenSSL software. Also, mobile banking apps can be vulnerable to Heartbleed issues. Even if the apps don't use the software, the article said, they may still cycle through servers that do.

Recently, the Federal Financial Institutions Examination Council released an alert urging credit unions and banks to take steps now to mitigate the "Heartbleed" issue, which the regulators termed a "material security vulnerability" affecting Web servers using OpenSSL. The council of regulators, which includes NCUA, urged institutions to ensure third-party vendors using OpenSSL on their systems are aware of the vulnerability and take appropriate mitigation steps. It also recommended upgrades to internal systems and services that may be vulnerable.

NAFCU is continuing to monitor this issue and its impact on member credit unions. As concerns grow unabated about cyber threats and data security, the association is also continuing to press for legislation that would require merchants to adopt data security standards similar to those required of financial institutions under the Gramm-Leach-Bliley Act.