'Heartbleed' cybersecurity threat looms over advisers and clients

Steps, including changing passwords, multi-factor verification, can be taken to lessen threat.
MAY 07, 2014
Advisers and financial services firms are scrambling this week to avert any potential damage from the “Heartbleed” cybersecurity bug that has recently come to light and threatens millions of web users. Encrypted channels for online communication that were thought to be secure have now been identified as being at risk due to a flaw in a piece of code in the OpenSSL — an open-source cryptographic library — said Arthur Bierer, chief technology officer at online lead-generation startup Vestorly Inc. The compromised code is shared by many programs and can be found in many different products, which makes the threat so widespread, said Mr. Bierer, who previously worked on the engineering team at Microsoft and helped implement SSL on Internet Explorer. “What's happening is that the private keys to the castle can be gotten hold of using this security flaw,” he said. “It allows a hacker to eavesdrop on the communication between clients, the adviser and their financial institutions." “This is a really bad one,” Mr. Bierer said of the Heartbleed bug. Mr. Bierer recommended that advisers and clients immediately change their banking passwords and then follow good Internet security guidelines: Passwords should be changed every 90 days, should not be shared and shouldn't be re-used for different websites. Bill Winterberg, founder of FPPad, a technology consulting firm for financial advisers, agreed with the potential dangers of Heartbleed. Calling it “bad news,” Mr. Winterberg said anyone who uses Internet services has potential vulnerability to the bug. He recommended advisers and clients go to the filippo.io Heartbleed test and use the online tool to enter the domain name of any web service used, to identify whether the site is subject to attack. “Fortunately, more and more providers are securing their services and actively fixing this,” Mr. Winterberg said. “Still, the advice I'm giving my clients is to assume you're affected. Run the filippo.io test, and if the test says there's no more vulnerability, it's fixed. Then change your password.” He also urged advisers and clients to use multi-factor web verification whenever possible. Custodians and other financial services firms are testing their platforms to see if they're vulnerable to the Heartbleed bug. TD Ameritrade Institutional, for example, released a statement saying that TDAI is monitoring the situation and working with business partners to validate that they are secure as well. “TD Ameritrade's websites and mobile applications do not utilize versions of OpenSSL that are susceptible to the recently announced Heartbleed vulnerability,” the custodian said in its statement. Roel Schouwenberg, principal security researcher at IT security vendor Kaspersky Lab, warned that any service that has run or is running the vulnerable OpenSSL code suffers a risk of information disclosure. “The vulnerable code has been out there for two years already, and exploitation of the vulnerability doesn't leave any traces in the logs on the server, making it hard to determine if exploitation ever occurred,” he wrote in an e-mail. “An attacker could possibly get access to personal identifiable information, user names, passwords, Social Security numbers, financial records and even the cryptographic keys that are responsible for encrypting the network traffic between client and server,” Mr. Schouwenberg said.

Latest News

Judge OKs more than $90 million in settlement money for GWG investors
Judge OKs more than $90 million in settlement money for GWG investors

Mayer Brown, GWG's law firm, agreed to pay $30 million to resolve conflict of interest claims.

Fintech bytes: Orion and eMoney add new planning, investment tools for RIAs
Fintech bytes: Orion and eMoney add new planning, investment tools for RIAs

Orion adds new model portfolios and SMAs under expanded JPMorgan tie-up, while eMoney boosts its planning software capabilities.

Retirement uncertainty cuts across generations: Transamerica
Retirement uncertainty cuts across generations: Transamerica

National survey of workers exposes widespread retirement planning challenges for Gen Z, Millennials, Gen X, and Boomers.

Does a merger or acquisition make sense for your firm? Why now is the perfect time to secure your firm’s future
Does a merger or acquisition make sense for your firm? Why now is the perfect time to secure your firm’s future

While the choice for advisors to "die at their desks" might been wise once upon a time, higher acquisition multiples and innovations in deal structures have created more immediate M&A opportunities.

Raymond James continues recruitment run with UBS, Morgan Stanley teams
Raymond James continues recruitment run with UBS, Morgan Stanley teams

A father-son pair has joined the firm's independent arm in Utah, while a quartet of planning advisors strengthen its employee channel in Louisiana.

SPONSORED RILAs bring stability, growth during volatile markets

Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.

SPONSORED Beyond the dashboard: Making wealth tech human

How intelliflo aims to solve advisors' top tech headaches—without sacrificing the personal touch clients crave