Watch: There’s a warning about computer security, one that could be lurking in computers all over the world. The “Heartbleed” bug can potentially expose your personal information, even on encrypted websites, and it’s so serious the Canada Revenue Agency shut down its website. Mike Drolet reports.
Canada’s big banks are assuring customers that a newly disclosed and far-reaching vulnerability in widely used security software that protects personal information sent online doesn’t pose a threat to online banking services.
Roughly 24 hours after it was disclosed that a bug had existed in that software for about two years, one that lets an attacker read pieces of a server’s memory and so collect supposedly encrypted information sent from computers, mobile phones and other devices, organizations that rely on the secure delivery of customer information via the web were still scrambling to assess the potential impact of the so-called “Heartbleed” security flaw.
“It’s like ripping off the top of the envelopes of your regular mail and sending it,” David Skillicorn, a computer science professor at Queen’s University, said. “Anyone can read it.”
Disclosed by security experts late Monday, the bug is in OpenSSL, widely used open-source software that implements the SSL/TLS encryption protecting web traffic. It does not break the encryption itself; rather, a flaw in the library’s “heartbeat” feature lets an attacker read chunks of a vulnerable server’s memory, which can contain decrypted user data, passwords and even the server’s private encryption keys.
Everyone from big online retailers and email providers like Amazon and Yahoo to the Canada Revenue Agency relies on OpenSSL to protect user information.
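To make concrete what “reading a server’s memory” means here, the following C program is an added, simplified model of the heartbeat handler, not OpenSSL’s own code. It builds a heartbeat request whose header claims more payload than was actually sent, places a constructed secret string in the memory immediately after the record, and runs the request through a handler that skips the length check (the behaviour of OpenSSL 1.0.1 through 1.0.1f) and one that performs it (the 1.0.1g fix). The buffer layout, the secret and the function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message: 1 byte type, 2 byte payload length
 * (big endian), the payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3
#define MAX_PAYLOAD 65535

/* Constructed "server memory" (an assumption for the demo). The received
 * record is placed at the start; whatever the process happened to be holding
 * (here a fake session cookie) sits immediately after it. Sized so that the
 * worst-case over-read stays inside this array and the demo itself is safe. */
static unsigned char memory[HB_HEADER + MAX_PAYLOAD + HB_PADDING + 64];
static unsigned char reply[HB_HEADER + MAX_PAYLOAD + HB_PADDING];
static const char SECRET[] = "session-cookie=SECRET";   /* constructed data */

/* Place a heartbeat request in `memory` whose header claims `claimed` payload
 * bytes but which actually carries only `actual`. Returns the true record
 * length as it arrived on the wire. */
static size_t build_record(uint16_t claimed, size_t actual)
{
    if (actual > 1024) actual = 1024;              /* keep the demo small */
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memset(memory + HB_HEADER, 'A', actual);       /* the real payload */
    size_t record_len = HB_HEADER + actual + HB_PADDING;
    memcpy(memory + record_len, SECRET, sizeof SECRET);  /* adjacent data */
    return record_len;
}

/* Echo `payload` bytes back, taking the count from the attacker-controlled
 * header. Safe only if the caller has checked that count against the record. */
static size_t echo_payload(const unsigned char *rec, uint16_t payload)
{
    reply[0] = HB_RESPONSE;
    reply[1] = rec[1];
    reply[2] = rec[2];
    memcpy(reply + HB_HEADER, rec + HB_HEADER, payload);
    memset(reply + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* OpenSSL 1.0.1 to 1.0.1f behaviour: the record length is never consulted,
 * so memcpy reads past the record into neighbouring memory. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len)
{
    (void)record_len;                              /* never checked: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return echo_payload(rec, payload);
}

/* The 1.0.1g fix: a claimed length that does not fit inside the received
 * record is silently discarded and no response is sent. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len)
{
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len) return 0;
    return echo_payload(rec, payload);
}

/* Run one request through either handler; returns the reply length in bytes
 * (0 means the request was rejected). */
size_t run_heartbeat(uint16_t claimed, size_t actual, int use_fix)
{
    size_t record_len = build_record(claimed, actual);
    return use_fix ? heartbeat_fixed(memory, record_len)
                   : heartbeat_vulnerable(memory, record_len);
}

/* 1 if the reply to such a request contains the secret that lived next to
 * the record in memory, 0 otherwise. */
int run_leaks(uint16_t claimed, size_t actual, int use_fix)
{
    size_t n = run_heartbeat(claimed, actual, use_fix);
    size_t sl = strlen(SECRET);
    for (size_t i = 0; n >= sl && i + sl <= n; i++)
        if (memcmp(reply + i, SECRET, sl) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 4000, sends 4: reply %zu bytes, leak=%d\n",
           run_heartbeat(4000, 4, 0), run_leaks(4000, 4, 0));
    printf("fixed,      claims 4000, sends 4: reply %zu bytes, leak=%d\n",
           run_heartbeat(4000, 4, 1), run_leaks(4000, 4, 1));
    printf("fixed,      claims 4,    sends 4: reply %zu bytes, leak=%d\n",
           run_heartbeat(4, 4, 1), run_leaks(4, 4, 1));
    return 0;
}
```

The vulnerable path returns a 4,019-byte reply for a request that carried 4 bytes of payload, and the constructed secret appears in it; the fixed path returns nothing for the same request and echoes only the 4 bytes when the header is honest. An attacker could repeat the request indefinitely, each time receiving up to 64 KB of whatever happened to be in memory, which is why the real bug was so damaging.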
The CRA, which collects tax and income information, including social insurance numbers, through its website, shut down its web portal Wednesday morning.
“We have received information concerning an Internet security vulnerability named the Heartbleed Bug. As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said on its website.
‘Online banking applications not affected’
Still, customers who use online or mobile banking aren’t at risk, officials and experts say.
“The online banking applications of Canadian banks have not been affected by the Heartbleed bug,” the Canadian Bankers Association said in a statement issued Wednesday afternoon.
Royal Bank of Canada spokesperson Jason Graham said the websites of the country’s largest bank haven’t been affected by the bug.
A spokesperson for Toronto-Dominion Bank, the second-biggest bank in Canada, said TD “already has put in place defenses to protect customers from this potential threat.”
The bank “is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” TD spokesperson Barbara Timmins said in an email.
The CBA said encryption is just one among several measures used to protect accounts, account information and bank servers.
“As part of a normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers,” the organization said.
Like others, TD said it also uses “multi-layered authentication” such as security questions to guard against a person’s account being compromised. “There are multiple safeguards in place,” Timmins said.
TD isn’t asking customers to change their online banking passwords.
“While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly, i.e. several times a year,” Timmins said.
Experts estimate that about two thirds of secure websites use OpenSSL, with the remainder relying on other encryption software, some of it proprietary.
“It’s the encryption mechanism that lets me type something on my keyboard and transmit it to the server in a way – in theory – that other people can’t tell what I actually typed,” Prof. Skillicorn said.
Secure websites display a lock icon in the address bar or at the bottom of the screen. The lock indicates only that the connection is encrypted; it says nothing about whether the server behind it is running a vulnerable version of OpenSSL.
“That tells you your information is encrypted,” Skillicorn said. “And it turns out that’s a bit of a joke.”
Still, Mark Nunnikhoven, a security software expert at Trend Micro, said that while the vulnerability is in OpenSSL, it affects only certain versions of the software (OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g), so sites running older versions or other encryption software are not exposed.
Nunnikhoven said estimates he has seen suggest only about 17 per cent of secured sites on the Internet are actually vulnerable to the Heartbleed bug, and that Canadian online banking security standards make it unlikely any of the banks were running a vulnerable version.
“I don’t think there was a big threat to Canadian banking clients,” Nunnikhoven said.
Ralph Marranca, a spokesman for Bank of Montreal, confirmed in an email that BMO’s customer information was “safe and sound.”
“Protection of customer information is our highest priority and we will continue to monitor our banking platforms as a precaution,” he said.