Personal Finance

Heartbleed exploit: check your bank's website before logging in!

  • Last Updated:
  • Apr 24th, 2014 8:53 pm
Deal Addict
Nov 24, 2002
2278 posts
624 upvotes

I don't know if this has been posted in other areas, but I think it is important enough to post on the Personal Finance section as your financial logins could be at risk.

WHAT IS HEARTBLEED?

Think that https gives you a secure connection between you and the website? Think again. Someone can get your login and password pretty easily and it isn't traceable. System admins tested their own servers and reported it was a breeze to get logins and passwords using this exploit. Heck, they even got a hold of the master keys that can let other people impersonate the secure website.

On a scale of 1 to 10 in terms of security risk, system admins are describing this as an 11.

Read more about heartbleed here

wpengine (my web hosting company) posted a useful tool regarding the heartbleed exploit. To test if the website that you are logging into is vulnerable, use the link below.

http://possible.lv/tools/hb/

I have tested the financial sites that I use and they all seem to pass the check. It doesn't mean that they didn't grab my password before the vulnerability was patched.

Here are the sites that I have tested so far. I went to their "login" page to get the IP.

PEOPLE'S TRUST: OK

[QUOTE]Looking for TLS extensions on https://www6.memberdirect.net

TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]

TD CANADA TRUST EASYWEB: OK

[QUOTE]Looking for TLS extensions on https://easywebsoc.td.com

ext 00035 (session ticket, length=0)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]

TANGERINE: OK

[QUOTE]Looking for TLS extensions on https://secure.tangerine.ca

ext 00035 (session ticket, length=0)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.[/QUOTE]

Please post your findings on other financial institutions here.

UPDATE: It seems as if all banks patched up the exploit, but please keep posting for the sake of other RFD'ers, especially if one fails the check.

From other users:

PC Financial: OK
Canadian Direct Financial: OK
Paypal: OK
Desjardins: OK
Chase: OK
MBNA: OK
CIBC: OK
BMO: OK
Standard Life: OK
Sun Life: OK
Great-West Life: OK
CI Investments: OK
American Express: OK
Capital One: OK
Libro: OK
Scotiabank: OK
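The checker linked above reports which TLS extensions a server advertises in its ServerHello and whether extension 15 (heartbeat) is among them. As an added example (not the possible.lv tool's code), this Python parses a ServerHello record and flags that extension; the two sample records are constructed here, not captured from any bank.

```python
import struct

HEARTBEAT_EXT = 15  # TLS extension type for heartbeat (RFC 6520)


def build_server_hello(extensions):
    """Build a minimal TLS 1.2 ServerHello record (constructed test data only)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32)        # protocol version + zeroed random (constructed)
             + b"\x00"                      # empty session id
             + b"\x00\x2f" + b"\x00"        # cipher suite + null compression
             + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello  # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello_extensions(record):
    """Return {extension_type: extension_data} from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 2:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                            # skip server_version and random
    pos += 1 + hello[pos]                   # skip session_id (length-prefixed)
    pos += 2 + 1                            # skip cipher_suite and compression_method
    exts = {}
    if pos + 2 > len(hello):
        return exts                         # server sent no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hello))
    while pos + 4 <= end:                   # each extension: type(2) length(2) data
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        exts[etype] = hello[pos:pos + elen]
        pos += elen
    return exts


def heartbeat_enabled(record):
    """True when the server advertised the heartbeat extension (worth a closer look)."""
    return HEARTBEAT_EXT in parse_server_hello_extensions(record)


# Constructed samples: one mirrors the thread's "OK" output, one advertises heartbeat
SAMPLE_NO_HEARTBEAT = build_server_hello([(35, b""), (65281, b"\x00")])
SAMPLE_HEARTBEAT_ON = build_server_hello([(35, b""), (15, b"\x01")])
```

A server that still advertises heartbeat is not necessarily vulnerable (that depends on its OpenSSL build), and one that does not may still have been exposed before it was patched; treat the result as a screen, as the thread does.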
63 replies
Deal Fanatic
Aug 29, 2012
9301 posts
10316 upvotes
PC Financial uses Microsoft IIS, so it is immune to this exploit.

I think all the online banks have blocked the exploit by now, or at least blocked scanning for server RAM while it is being fixed. However, they have not replaced their certificates yet; they should do it ASAP.
Sr. Member
Jun 18, 2008
622 posts
368 upvotes
Burnaby
I checked Canadian Direct Financial, Paypal, Desjardins, Chase, MBNA and nothing is out of place
Deal Addict
Mar 28, 2010
1005 posts
566 upvotes
GTA
I checked BMO, Standard Life, Sun Life, Great-West Life, CI Investments, and American Express and they all seem to check out as well.

On a side note, is it possible that they've all disabled it since the warning came out?
Newbie
Jun 14, 2011
86 posts
28 upvotes
Toronto
kevinyvr wrote: I checked BMO, Standard Life, Sun Life, Great-West Life, CI Investments, and American Express and they all seem to check out as well.
So do amazon.ca and chapters.indigo.ca.
kevinyvr wrote: On a side note, is it possible that they've all disabled it since the warning came out?
That's what I'd expect/hope. I'm on lastpass anyway, I think I'll do the rounds and change everything.
Deal Addict
Nov 24, 2002
2278 posts
624 upvotes
kevinyvr wrote: I checked BMO, Standard Life, Sun Life, Great-West Life, CI Investments, and American Express and they all seem to check out as well.

On a side note, is it possible that they've all disabled it since the warning came out?
Probably, would be the first thing that IT people would do. I would be more scared with the smaller banks, but even People's Trust has disabled the exploit.
Jr. Member
May 1, 2006
176 posts
26 upvotes
Toronto
They all probably plugged the hole now, but there is no way to tell how the bug was used because it was not traceable (oh well, some site said it can be if you look at the TCP log... but how likely is it that a high-traffic web site has all TCP logs for the last two years...). It is recommended to change passwords for those websites to prevent further data breach.
Deal Addict
Sep 12, 2004
1575 posts
348 upvotes
Ajax
Capital One login page seems ok using the tool above.
Member
Mar 14, 2010
283 posts
144 upvotes
Toronto
Thanks to PennyArcade for starting this thread and linking to a test for heartburn, er, bleed. :razz: .

Yahoo provided a link to a similar test that grades each website it reviews and displays a fair amount of info about each site's security features.

https://www.ssllabs.com/ssltest/index.html
Deal Addict
Jun 9, 2003
4646 posts
746 upvotes
Libro
Looking for TLS extensions on https://libro.ca

ext 65281 (renegotiation info, length=1)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.
Deal Addict
Nov 9, 2011
1067 posts
436 upvotes
Toronto, ON
Chase and Scotiabank are good.

Scotiabank even has a header/memo about the exploit and is promoting the security of its login.
Deal Addict
Jul 9, 2004
1572 posts
173 upvotes
Delta
Patching this bug is only part of it. If the private keys of their certs have already been stolen, hackers can set up man-in-the-middle attacks that masquerade as these sites perfectly, even after the original sites have been patched. The certs need to be reissued.
Deal Addict
Apr 12, 2005
1425 posts
182 upvotes
PennyArcade wrote: [original post quoted in full; see above]
How do you know the sites you tested were good? What is your defn of good? How do you know the hackers have not stolen your info yet? Just because you can sign in doesn't mean everything is safe.
Deal Addict
Nov 24, 2002
2278 posts
624 upvotes
a_1_a wrote: How do you know the sites you tested were good? What is your defn of good? How do you know the hackers have not stolen your info yet? Just because you can sign in doesn't mean everything is safe.
I didn't say "good", I said "ok". OK here means that the exploit isn't present on the login IP's of those particular servers when people checked when they posted. I used the link that I posted in my OP to check.

That does NOT mean that the exploit wasn't present before the heartbleed exploit was announced. Yes, your info could be in the hands of a hacker. I don't know. That's why I posted links to help people make their own decisions on what to do next.
Deal Addict
Jul 9, 2004
1572 posts
173 upvotes
Delta
It should be emphasized that this exploit doesn't just allow hackers to steal *your* information, but also the identities of the sites themselves (the certs). Until the certs have been reissued, the identity of all "certified" sites is suspect. You could be connecting to a hacker's site instead of your bank's site and your browser would still think the connection is fully legit. I'm not saying this is happening, in fact it's probably not, but this exploit makes that possible.
Sr. Member
Feb 28, 2010
668 posts
340 upvotes
Flying over Canada
Note that problem is only with a specific range of OpenSSL versions (mainly used by Apache and other Linux-y web server software), so sites that use other SSL (for instance, Microsoft IIS web servers) would never have been vulnerable. Hubert, for instance, seems to use IIS all the way through. Tangerine uses Apache for its display website, but something else (not identified) for its secure account system.

There seems to be disagreement about how likely the possibility of certificate/key stealing was, but even if it happened, a badguy creating a fake site would still have to find some way to get you to visit it, or become a man-in-the-middle between you and the bank.
Deal Addict
Apr 12, 2012
2905 posts
2578 upvotes
Toronto
If you go to online banking for RBC, before you log in there is an important notice saying that they have not been affected by Heartbleed and are safe to use.
