From Heartbleed to Heartburn


Information security is a constant game of catch-up. We get new technology capabilities, the bad guys find new vulnerabilities. They devise new forms of malicious assault, we come up with new defensive strategies. And so it goes. We know it, they know it, everyone knows it.

Why, then, is the bug known as Heartbleed getting so much attention?

Sure, no one disputes that it’s at least potentially a very big deal. But one week into the discovery, Google turns up more than 530 million hits on the subject. The Electronic Frontier Foundation, among others, has labeled it “catastrophic,” and some have gone so far as to describe it as the worst vulnerability to be identified since commercial traffic began on the Internet. Is it really that bad?

Hype aside, here’s what we do know. Over the years, the open source community—basically, thousands of developers not beholden to any corporation in particular—have worked together to create much of the software many of us use today. One such program that most people with a life actually know nothing about is OpenSSL, which is very important, since it provides a means for security on web servers all over the world. With this technology, sites can offer encrypted information to visitors, ensuring that the data can’t be seen by anyone else when it travels between the user’s device and a particular site.

Heartbleed, the big bad bug in the room, takes advantage of a feature within OpenSSL known as heartbeat, and essentially steals the security certificates that verify a site’s and/or user’s authenticity. The bug has been present but quiet for the past two years, during which time it has potentially undermined security measures for password encryption in a range of environments, from search engine and social networking services to Android devices.

After that the details get more technical and, sadly, far more murky. On the one hand, we’re being told that despite considerable scrambling on the part of security specialists at companies everywhere, the potential for major damage is very real. It potentially affects hundreds of thousands of Web sites, from Google and Yahoo to Twitter and Dropbox, along with hundreds of millions of users. By that measure, the level of effort needed to truly fix the problem is nothing short of monumental. On the other hand, it’s far from clear just how many sites or users have actually been affected. Challenges issued by security companies to steal information using the vulnerability—basically crowdsourcing digital theft—have so far come up mercifully short, indicating that the concerns, while valid, could be overblown. On the third hand, of course, we just don’t know.

One thing is certain: The old adage about regularly changing passwords, and not using the same one for multiple functions and services, applies now more than ever. The buzz over this recent episode has apparently prompted many users to rapidly change their passwords for all the online services and devices they use, and that’s good. But it would be even better if that became a habit rather than a reaction to much-publicized fears.

There’s a larger question here as well. The ubiquity of technology in every aspect of daily life, from social media to mobile banking apps, has perhaps dulled consumer sensitivity to the issue of information security. And that’s definitely not good.

Making technology capabilities ever more user-friendly carries with it a potentially steep price tag; the easier a service is for everyone to use, the easier it might be for the bad guys to hack. On a related note, many of the more common services, from email to mobile apps, are free. That carries with it fewer guarantees of rock-solid security.

Many financial technology vendors are already stepping into the breach to implement fixes for the Heartbleed bug. For their part, numerous commercial banks and other financial services institutions are raising awareness of the threat and running tests to ensure that their communities are not left unprotected.

But somewhere in this environment, consumers have a critical role to play too. Regularly changing passwords is a good start. As digital currency in all forms becomes more embedded in the mainstream, it would be wise to be more aware of security threats and more proactive in taking security precautions.

Security: On Top of the Christmas Wishlist

To security professionals in the financial services industry, every new data breach—with the high-profile coverage it generates—must seem like another knife in the back. All those resources dedicated to the area, all that time spent securing the infrastructure, never seem to be enough. Despite all the effort, some anonymous hackers somewhere are able to brazenly infiltrate the system and steal the account information of potentially millions of holiday shoppers. The Grinch was never this bad.

With the most recent debacle, the company squarely taking the hit in the court of public opinion is Target. But of course, it’s not just the retailer that’s going to suffer. The most recent information we have is that between November 27 and December 15, all consumers who swiped their credit cards at a Target store in the U.S.—perhaps as many as 40 million—had their information compromised. That includes names, both debit and credit card numbers, expiration dates and even the three-digit security codes on the back. As hacks go, this one is big, and of course it took more than just some petty thieves to get the job done. Reports indicate that a sophisticated network of cyber criminals coordinated their activities to uncover the treasure trove of private information. While no one can be sure how big the network is, it seems their haul could be in the hundreds of millions. As a result, it will end up affecting not just Target and its customers but also the credit card providers, IT companies and industry security specialists.


But there are other repercussions too. While the industry has every right to be proud of the progress made in the adoption of many new technologies, each bringing about major changes in user behavior, the painful truth is that we could be doing much better. One big reason why we haven’t is security, and each high-profile data breach like this one sets back the conversation.

Take mobile banking. The speed with which this field has progressed is nothing short of astonishing—it’s gone from fantasy outlier to mainstream adoption virtually overnight, with thousands of custom apps emerging and finding an audience in record time. But most of the action is on the consumer side; corporations are still taking it slow.

We all know how mobile capabilities have obliterated the line between personal and business data—sensitive information now resides next to video games and personal calendars on every knowledge worker’s phone and tablet. But with banking, it’s a different story. To be sure, there are many other factors to consider. For example, the average CFO has a lot more information to deal with than the average user, and the tiny screens we love on our smartphones can be a problem.

Yet the biggest issue by far is security. New research from Capital One shines a spotlight on this unfortunate issue. In its survey of financial services professionals, only a small number of those firms that haven’t yet implemented corporate mobile banking plan to do so anytime soon. Fully 66% cited security challenges as the main concern.

On a very different but related front, news emerged recently that the two-factor authentication feature designed to protect online bank accounts has been greatly compromised. The practice, which entails sending an SMS message with a code that quickly expires, has been threatened by new malicious software for Android devices. In fact, there are already numerous malware suites to defeat one-time passcodes, and experts urge institutions and individuals alike not to rely on them.

On the face of it, swiping a credit card while buying a Christmas gift, implementing mobile banking at large corporations and getting a text message with a code don’t have much to do with each other. But underlying each technological advance and the behavioral change it induces is the need for security.

The reality is that people will continue to use credit cards while shopping, just as corporations will inevitably overcome their justifiable skittishness and implement mobile banking—the benefits are just too great. But how fast those practices evolve depends on how secure we can make them. Looking ahead to 2014, it would be nice to end the year without having the Christmas spirit spoiled by concerns about financial information being compromised.
