'Heartbleed' cybersecurity threat looms over advisers and clients

Steps, including changing passwords, multi-factor verification, can be taken to lessen threat

Apr 9, 2014 @ 1:04 pm

By Joyce Hanson

Technology, Internet security, cybercrime, passwords, Bill Winterberg
+ Zoom
(Getty Images)

Advisers and financial services firms are scrambling this week to avert any potential damage from the “Heartbleed” cybersecurity bug that has recently come to light and threatens millions of web users.

Encrypted channels for online communication that were thought to be secure have now been identified as being at risk due to a flaw in a piece of code in the OpenSSL — an open-source cryptographic library — said Arthur Bierer, chief technology officer at online lead-generation startup Vestorly Inc.

The compromised code is shared by many programs and can be found in many different products, which makes the threat so widespread, said Mr. Bierer, who previously worked on the engineering team at Microsoft and helped implement SSL on Internet Explorer.

“What's happening is that the private keys to the castle can be gotten hold of using this security flaw,” he said. “It allows a hacker to eavesdrop on the communication between clients, the adviser and their financial institutions."

“This is a really bad one,” Mr. Bierer said of the Heartbleed bug.

Mr. Bierer recommended that advisers and clients immediately change their banking passwords and then follow good Internet security guidelines: Passwords should be changed every 90 days, should not be shared and shouldn't be re-used for different websites.

Bill Winterberg, founder of FPPad, a technology consulting firm for financial advisers, agreed with the potential dangers of Heartbleed.

Calling it “bad news,” Mr. Winterberg said anyone who uses Internet services has potential vulnerability to the bug.

He recommended advisers and clients go to the filippo.io Heartbleed test and use the online tool to enter the domain name of any web service used, to identify whether the site is subject to attack.

“Fortunately, more and more providers are securing their services and actively fixing this,” Mr. Winterberg said. “Still, the advice I'm giving my clients is to assume you're affected. Run the filippo.io test, and if the test says there's no more vulnerability, it's fixed. Then change your password.”

He also urged advisers and clients to use multi-factor web verification whenever possible.

Custodians and other financial services firms are testing their platforms to see if they're vulnerable to the Heartbleed bug.

TD Ameritrade Institutional, for example, released a statement saying that TDAI is monitoring the situation and working with business partners to validate that they are secure as well.

“TD Ameritrade's websites and mobile applications do not utilize versions of OpenSSL that are susceptible to the recently announced Heartbleed vulnerability,” the custodian said in its statement.

Roel Schouwenberg, principal security researcher at IT security vendor Kaspersky Lab, warned that any service that has run or is running the vulnerable OpenSSL code suffers a risk of information disclosure.

“The vulnerable code has been out there for two years already, and exploitation of the vulnerability doesn't leave any traces in the logs on the server, making it hard to determine if exploitation ever occurred,” he wrote in an e-mail.

“An attacker could possibly get access to personal identifiable information, user names, passwords, Social Security numbers, financial records and even the cryptographic keys that are responsible for encrypting the network traffic between client and server,” Mr. Schouwenberg said.

0
Comments

What do you think?

View comments

Recommended for you

Sponsored financial news

Upcoming Event

Sep 12

Webcast

Longevity Lifestyle Preparation: What advisors need to know to prepare female clients for living well to and through retirement

Featuring Mary Beth Franklin from InvestmentNewsYour clients are living longer and spending more time in retirement than ever before — especially female clients, who often outlive their spouses or partners.... Learn more

Featured video

Events

The client of the future

Your clients of tomorrow want you to stay ahead of the curve with technology. Some of the industry’s top young advisers and thought leaders explain what they think tomorrow’s clients will need.

Latest news & opinion

Will Jeffrey Gundlach's Trump-like approach on Twitter work in financial services?

The DoubleLine CEO's attacks on Wall Street Journal reporters is igniting a discussion on what's fair game on social media.

Fidelity wins arb case against wine mogul but earns a rebuke from Finra

In the case of investor Peter Deutsch, Fidelity doesn't have to pay any compensation, but regulator said firm put its interests ahead of his.

Plaintiffs win in Tibble vs. Edison 401(k) fee case

After a decade of activity around the lawsuit, including a hearing before the U.S. Supreme Court, judge rules a prudent fiduciary would have invested in institutional shares.

Advisers get more breathing room to make Form ADV changes

RIAs can enter '0' in some new parts of the document before their annual filing next year.

Since banking scandal, Wells Fargo advisers with more than $19.2 billion leave firm

Despite a trying year, the firm has said it will sweeten signing bonuses for veteran advisers.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print