Addressing the Heartbleed OpenSSL Bug in Financial Institutions

Frederik Mennes, April 11, 2014

What is the Heartbleed bug?
On Monday April 7th, security researchers from Google and the Finnish company Codenomicon reported the so-called Heartbleed bug. Heartbleed is a flaw in OpenSSL, a software library implementing the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) security protocol. SSL/TLS is widely used to protect communication via websites, e-mail, instant messaging, etc. It can be recognized by the prefix “https” or by a lock in the address bar of a browser.

The Heartbleed bug allows an adversary to obtain part of the memory of an impacted server. This memory is used to store and process sensitive data, including SSL/TLS private keys, passwords of users, credit card details. As such an adversary can use the bug to obtain sensitive data from a company’s web application. Under certain circumstances the bug also allows obtaining sensitive data which has been exchanged in the past with a vulnerable SSL/TLS server. Using the SSL/TLS private key of an impacted web application, an adversary can also set up rogue servers impersonating the genuine server.

The bug has been around in OpenSSL since March 2012 and besides its popular name “Heartbleed” is formally referred to as CVE-2014-0160.

What should financial institutions do?
Financial institutions should perform following three steps to ensure their web applications are not vulnerable to the Heartbleed bug and their customers are protected.

Firstly, financial institutions should check whether their e-banking applications use an impacted version of OpenSSL. OpenSSL versions 1.0.1 up to 1.0.1f are affected. If so, they should immediately update their servers with the most recent version.

Secondly, financial institutions should assume that their SSL/TLS private keys might have been compromised, if they were using an impacted version of OpenSSL. Because of the nature of the bug it is very hard to determine whether the keys were compromised. Therefore financial institutions should be cautious and replace their existing keys and certificates with new ones.

Finally, financial institutions should assess whether sensitive data (such as user passwords) exchanged with e-banking users might have been compromised. If so steps should be taken to renew this data where possible.

Heartbleed OpenSSL Bug - What should e-banking users do?What should e-banking users do?
E-banking users might be affected by the Heartbleed bug as sensitive data exchanged with their bank via the Internet might have been compromised.

Users logging on with passwords should change their passwords, as they might be compromised. However they should only update their passwords after their bank has updated its OpenSSL software and issued new private keys and certificates, otherwise the new passwords might be compromised again in the future.

On the other hand users logging on with one-time passwords do not have worry about compromised passwords. The ephemeral nature of one-time passwords ensures they can be used only once during a limited period of time. As such adversaries cannot abuse one-time passwords obtained as a result of this bug.

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.