You may have heard recent news reports regarding the "Heartbleed" internet security risk. Mid Carolina Credit Union members can rest assured that neither our website, midcarolinacu.com, nor our online banking systems were affected. The security of your financial information is our highest priority.
Although the Credit Union was not affected by this bug, you always need to be wary and vigilant and NEVER give out any personal information until you have verified who you are communicating with. Following is some information to help educate you about this new threat and general good practices to help protect your information.
What is Heartbleed and why is it a big deal?
Heartbleed affects the encryption software designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately. Heartbleed is not a computer virus, and unlike many cyber security scares it is not limited to a single company or website. Heartbleed is a basic flaw in the security programming that protects roughly half a million different websites, according to one estimate. It's unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.
How does it work?
The flaw is in a piece of open source code called OpenSSL, a library that is free for anyone to use and that many websites rely on rather than writing their own encryption. It is maintained by a small volunteer community rather than a single vendor. When your computer talks to a secure website (an https address with the padlock icon), either side can send a "heartbeat": a short message that the other side echoes back to confirm the connection is still alive. Each heartbeat carries a length field saying how big its payload is. Vulnerable versions of OpenSSL trusted that field without checking it against the size of the message actually received, so a request that claims a large payload but sends a tiny one is answered with up to 64 kilobytes of whatever happens to sit next to it in the server's memory. That is not much data per request, and the attacker cannot choose which memory comes back, but the request can be repeated indefinitely, leaves nothing in normal server logs, and over time yields many fragments. The information that's typically in a server's short-term memory is often quite valuable, things such as user names and passwords, according to Eric Skinner, a vice-president at security firm Trend Micro.
The site might leak what are known as "session cookies," Mr. Skinner said, which would allow someone to impersonate an unsuspecting victim on a particular site for a short time. It might also leak a site's SSL private keys, which would allow a sophisticated attacker to pretend to be that website and fool other computers into believing they had landed in the right place. The problem is in one implementation of SSL/TLS, OpenSSL (versions 1.0.1 through 1.0.1f), not in the protocol itself, but that implementation happens to be one of the most widely used on the Internet.
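How the missing length check turns into a leak, as an added illustration that is not part of the credit union's notice and not OpenSSL's own code: a deliberately simplified model in C of a heartbeat request handler, with the vulnerable version beside the corrected one. The fake `server_heap`, the `SECRET` string placed behind the request, and the function names are constructed for this demo; the one-byte type, two-byte length and 16-byte minimum padding follow the layout of the TLS heartbeat extension (RFC 6520).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* minimum padding a heartbeat must carry */

/* Constructed stand-in for the server's heap: the incoming record is copied
   to the front, and whatever else the process holds (here a fake session
   cookie) sits right behind it, exactly where an over-read lands. */
unsigned char server_heap[256];
const char SECRET[] = "session=1234abcd; user=alice; pw=hunter2";

/* Lay out a heartbeat request in the fake heap.
   claimed_len is what the sender writes in the length field; the payload
   actually sent is `payload` plus HB_PADDING bytes of padding.
   claimed_len must stay below sizeof server_heap - 3 to keep the demo in
   bounds.  Returns the number of record bytes that really "arrived". */
size_t build_request(const char *payload, uint16_t claimed_len)
{
    size_t payload_len = strlen(payload);
    unsigned char *p = server_heap;
    memset(server_heap, 0, sizeof server_heap);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(p + 3, payload, payload_len);
    memset(p + 3 + payload_len, 0xAA, HB_PADDING);
    size_t rec_len = 3 + payload_len + HB_PADDING;
    memcpy(p + rec_len, SECRET, sizeof SECRET);  /* the "secret" follows the record */
    return rec_len;
}

static uint16_t claimed_length(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes claimed_len bytes back without ever asking
   whether that many bytes were received.  Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                       /* never consulted: this is the bug */
    (void)resp_cap;
    uint16_t n = claimed_length(rec);
    memcpy(resp, rec + 3, n);            /* reads past the record into the heap */
    return n;
}

/* Fixed handler, modelled on the check added in OpenSSL 1.0.1g: a record
   whose claimed length does not fit in what arrived is silently dropped. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;              /* too short to be valid */
    uint16_t n = claimed_length(rec);
    if (1 + 2 + (size_t)n + HB_PADDING > rec_len) return 0;  /* lying length: drop it */
    if ((size_t)n > resp_cap) return 0;
    memcpy(resp, rec + 3, n);
    return n;
}

/* Did the response carry bytes that were never part of the request? */
int leaked_secret(const unsigned char *resp, size_t n)
{
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[256];
    size_t rec_len = build_request("hi", 200);   /* 2-byte payload, claims 200 */
    size_t n = heartbeat_vulnerable(server_heap, rec_len, resp, sizeof resp);
    printf("vulnerable: %zu bytes returned, secret leaked: %s\n",
           n, leaked_secret(resp, n) ? "yes" : "no");
    n = heartbeat_fixed(server_heap, rec_len, resp, sizeof resp);
    printf("fixed: %zu bytes returned (record discarded)\n", n);
    rec_len = build_request("hi", 2);            /* honest request */
    n = heartbeat_fixed(server_heap, rec_len, resp, sizeof resp);
    printf("fixed, honest request: %zu bytes echoed\n", n);
    return 0;
}
```

The fixed handler compares the claimed length against the bytes that actually arrived before copying anything, which is the whole of the real patch; the vulnerable one has no such comparison, so one forged two-byte request walks off the end of the record and returns the neighbouring bytes. Repeating the forged request, each time with a different neighbour in memory, is what lets an attacker assemble cookies or keys from the fragments.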
So if the problem has been identified, it’s been fixed and I have nothing to worry about. Right?
NO. A fixed version of OpenSSL (1.0.1g) has been released, but it's up to each website's administrators to install it and, because the old version may already have leaked their private keys, to generate new keys and replace their certificates. Until both steps are done, a site is still exposed.
What can I do to protect myself?
Change your passwords, but only after a site has applied the fix; a new password entered on an unpatched site can leak just as the old one did. It's also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords. Several sites on the internet are tracking which services are affected and/or have applied the patch. Here is one example covering roughly the top 100 US Internet sites: http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
Here are some other tactics identity thieves and hackers use. Watch for and avoid:
1. Any emails from companies imploring you to "click here" to change your password or update your account information. Companies are learning not to do this precisely because it's such a common phishing and spear-phishing tactic. You should try to pre-empt any such email by going straight to the affected websites once they've implemented the Heartbleed fix. But if you don't, or didn't, and get worried by the email, take the extra few seconds to open up a new tab and (correctly) type the website's name into your browser.
2. Any phone call that promises to fix your problem but only if you give them passwords, account access or a credit card right now. Phone phishing (or vishing) scammers rely on two things to succeed: your fear that you did something wrong or are in some sort of trouble; and their ability to project authority and the ability to fix it. If someone calls you and wants any information and won’t allow you to get off the phone to call back the customer service number you find on your own, they aren’t legit.
3. Any text message from an unknown number. Don’t open links and pictures or call any numbers you just don’t recognize. Text-message phishers (known as smishers) use our own Fear Of Missing Out (FOMO) to draw us in and take advantage of us.
4. Any calls from weird numbers, especially if your cellphone isn’t widely known. I assume that there are (mostly young) people who often get calls or texts from numbers they don’t know after a night -- or several nights -- out. But for the rest of us, we probably hoard our cellphone numbers closer than most of the rest of our personal information, if only to avoid overage charges. So if you suddenly start getting calls from numbers you don’t know, don’t let the FOMO lead you down the wrong path. Let them leave a voice mail: just because you can pick up doesn’t mean you have to.
We have provided additional resources regarding affected websites on our Facebook page.