April 25, 2014

OCC: Continued vulnerability from Heartbleed

April 28, 2014 – The Office of the Comptroller of the Currency, echoing numerous reports of the past week, on Friday reiterated an earlier Federal Financial Institutions Examination Council statement on the "Heartbleed" vulnerability and its potential impact on a range of devices and internal networks, including servers, printers, applications and mobile devices.

Earlier this month, American Banker reported that both Cisco and Juniper acknowledged that some of their network equipment uses versions of the questionable OpenSSL software. The article also noted that mobile banking apps can be vulnerable to Heartbleed issues. Even if the apps don't use the software, the article said, they may still cycle through servers that do.

An article in Friday's Credit Union Journal also noted that "Heartbleed could be lurking" in other parts of their infrastructure.

In its alert, the FFIEC, which includes NCUA, urged institutions to ensure third-party vendors using OpenSSL on their systems are aware of the vulnerability and take appropriate mitigation steps. It also recommended upgrades to internal systems and services that may be vulnerable.

NAFCU is continuing to monitor this issue and its impact on member credit unions. It is also continuing to press for legislation that would require merchants to adopt data security standards similar to those required of financial institutions under the Gramm-Leach-Bliley Act.