US regulator urges banks to deal with Heartbleed bug

US regulators have urged the country's banks to act to protect themselves from the newly discovered "Heartbleed" bug.

The Federal Financial Institutions Examination Council (FFIEC) told banks that it expected them to apply patches and update security as soon as possible.

It said: "The vulnerability could allow an attacker to potentially access a server’s private cryptographic keys compromising the security of the server and its users.

"An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption."

The Heartbleed bug, uncovered by researchers for Finnish security firm Codenomicon, is a flaw in OpenSSL, a commonly used piece of code estimated to be in use on around two thirds of websites across the globe.

Since the bug was revealed, tech giants, retailers and banks have scrambled to close the gaps in their security and to warn users.

Advice to consumers has been conflicting, with some websites, such as Tumblr, urging users to change their passwords.

Some other sites have told users to hold off until the bug is dealt with, lest fraudsters gain access to their new passwords while sites are still vulnerable.

The FFIEC added: "Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks.

"Potential attacks are made feasible by the public availability of exploitation tools."

 
