Heartbleed bug: A financial services perspective
May 2, 2014

The financial services sector manages some of the most sensitive data of any industry in virtually every region, rivalled only by the records held by the average health care organization. As such, security should be the highest priority of decision makers in banks and any other company that handles financial data, especially considering the high cost of a breach in these industries.

The Heartbleed bug threatens a wide variety of industries, regardless of region: it is a flaw (CVE-2014-0160) in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f, a library used to protect roughly two-thirds of the websites on the Internet. Now, officials in North America are urging banks and other financial services providers to protect themselves against the flaw as soon as possible, as their computer systems are likely to be at risk if nothing is done in response.

Banking on vulnerabilities
Bloomberg recently reported that the Federal Financial Institutions Examination Council (FFIEC) expects banks to take several targeted steps, in a timely fashion, to mitigate the threats associated with the Heartbleed bug. Like many other industries, the financial services sector has seen many of its practices and processes move into the digital realm amid consumer demand for online banking products.

The source explained that many of the largest banks in the United States did not rely on the OpenSSL versions affected by the bug, but this does not completely protect them from the vulnerabilities that have sprouted up as a result. For example, a client whose email account was compromised through some other vulnerable service may represent collateral risk, since the credentials exposed there may be the same ones used for online banking. Nor is upgrading OpenSSL alone sufficient for institutions that were exposed: because the bug could have leaked private keys and credentials before the patch was applied, keys and certificates should be replaced and user passwords reset afterwards.

"The vulnerability could allow an attacker to potentially access a server's private cryptographic keys, compromising the security of the server and its users," officials of the council explained, according to the news provider. "Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks."
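The mechanism behind the council's warning, as an added example written for this article (it is not code from the original piece or from the OpenSSL project): a simplified C model of the TLS heartbeat handler. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, padding), the vulnerable handler mirrors the shape of the pre-fix OpenSSL 1.0.1 code, and the fixed handler mirrors the bounds check added in 1.0.1g. The fake server memory, the planted secret and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length
 * (big endian), payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Stand-in for the server process memory: the received record sits at the
 * start and whatever happened to follow it in memory comes next. The secret
 * planted here is constructed for the example; on a real server it could be
 * session cookies, passwords or fragments of the private key. */
static unsigned char g_memory[256];
static unsigned char g_out[256];
static const char kPlantedSecret[] = "SECRET: acct=12345678 pass=hunter2";

static void load_memory(const unsigned char *record, size_t record_len)
{
    memset(g_memory, 0, sizeof g_memory);
    memcpy(g_memory, record, record_len);
    memcpy(g_memory + record_len, kPlantedSecret, sizeof kPlantedSecret - 1);
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 before the fix: it trusts the
 * sender's payload length and never compares it with the record's real length,
 * so memcpy reads past the end of the record into adjacent memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: never consulted */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST) return 0;
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);    /* over-read happens here */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler, following the shape of the OpenSSL patch: discard the message
 * unless the claimed payload plus header and padding fits inside the record. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;    /* too short to be valid */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST) return 0;
    if (HB_HDR + (size_t)payload + HB_PADDING > rec_len) return 0;  /* silently drop */
    if (HB_HDR + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);    /* now bounded by rec_len */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Constructed test records: both carry a 4-byte payload "ping" and 16 bytes of
 * padding (23 bytes total); the malicious one claims a 64-byte payload. */
#define PAD16 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
static const unsigned char kHonest[]    = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g', PAD16 };
static const unsigned char kMalicious[] = { HB_REQUEST, 0x00, 0x40, 'p','i','n','g', PAD16 };

/* Plants the record in fake memory, runs one handler and returns the response
 * length (0 means the request was discarded). The response stays in g_out. */
size_t run_heartbeat(const unsigned char *record, size_t record_len, int use_fixed)
{
    load_memory(record, record_len);
    memset(g_out, 0, sizeof g_out);
    return use_fixed ? heartbeat_fixed(g_memory, record_len, g_out, sizeof g_out)
                     : heartbeat_vulnerable(g_memory, record_len, g_out, sizeof g_out);
}

/* True if the last response contains the needle anywhere (binary-safe search). */
int response_contains(const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= sizeof g_out; i++)
        if (memcmp(g_out + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t n;
    n = run_heartbeat(kMalicious, sizeof kMalicious, 0);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           n, response_contains("hunter2") ? "yes" : "no");
    n = run_heartbeat(kMalicious, sizeof kMalicious, 1);
    printf("fixed:      %zu-byte response, secret leaked: %s\n",
           n, response_contains("hunter2") ? "yes" : "no");
    n = run_heartbeat(kHonest, sizeof kHonest, 1);
    printf("fixed, honest request: %zu-byte response\n", n);
    return 0;
}
```

The vulnerable handler answers the 23-byte malicious request with an 83-byte response that carries the planted secret; the fixed handler drops the same request and still answers the honest one. Because the payload length field is 16 bits, a real attacker could pull up to 64 KB of process memory per request, repeatedly and without leaving anything in the server logs. The practical check is the OpenSSL version in use (1.0.1g or later, or a distribution build carrying the backported fix), followed by key, certificate and password rotation for anything that was exposed.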

Finally, Bloomberg noted that new threats are likely to emerge in the coming months and years, both follow-on attacks related to Heartbleed and completely novel ones. As such, banks must take steps to protect themselves and their clients proactively, or run the risk of falling victim to a major breach.

Proven practices
Overall, only a limited number of organizations have adopted more advanced multi-factor authentication solutions for identity and access management, and where they have, these tools have had a profoundly positive impact on security. Because multi-factor authentication removes the reliance on antiquated passwords and other single-credential systems, a leaked password on its own is no longer enough to take over an account, and users are often spared the fallout of major breaches of Internet protections. It does not, however, address a leaked server key, so key and certificate replacement remains necessary after a flaw such as Heartbleed.

However, while there is a wide range of authentication options, many are not appropriate for consumers. Most first and second generation authentication solutions were designed with enterprise use cases, such as VPN login, in mind. Only now are these solutions starting to strike the balance of security and usability that consumers require.

One method that holds promise is strong device identity, which anchors user access to a device the consumer already owns, specifically a smartphone, tablet or portable computer. Leveraging something the consumer has in their possession, possibly combined with a simple PIN, can greatly increase security while providing a far more streamlined user experience than complex passwords would yield.

By adopting methods such as this, alongside other proven security frameworks, now, the threat posed by future bugs and viruses can be reduced with minimal disruption.