Given the ever-increasing use of online services, it is worrying to discover that, for more than two years, most supposedly secure online sites had a significant vulnerability.
Across the industry we use technology to try to improve services and reduce cost, so anything that calls into question the security of such services is clearly a risk.
The recent episode with the Heartbleed scare is a classic case. I wonder if, as an industry, we are being explicit enough about Heartbleed and how it might affect services.
The first thing to understand about Heartbleed is that it is not a virus. It is essentially a security hole in a widely used version of software known as Open SSL. To get technical just for a moment, this is an open-source cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption.
It seems that approximately 60 per cent of supposedly secure websites were using the at-risk code for around two years before the flaw was widely recognised. The weakness could have allowed hackers to extract secure information. In fact, no one really knows how much data might have been stolen.
Open source software has the advantage of being low-cost but, given many financial organisations’ preference for proprietary software, it is fair to assume that less than 60 per cent of firms in the industry are affected as many were not using Open SSL.
I am surprised more life companies and platforms have not made statements about how they might have been affected. If they were not using Open SSL they do not have a Heartbleed problem.
Notably, Standard Life has put a statement on its consumer login to confirm it had not been affected but I have found no similar declarations on other life office or platform sites.
Similarly, industry technology suppliers could make clear statements to advisers confirming either that they have not been affected or, if they have, when their servers were patched to address
Software specialist JCS did put out a statement to users confirming it has no vulnerability. It would be good if others could provide such an assurance. I expect the vast majority have had no problems, but communicating this would be a positive move.
Some very big technology companies, ones many people use every day, have been affected by this problem and if you are not using good password discipline, that is, maintaining an individual alphanumeric password, ideally using special characters, for each website you use, there is some risk your security may have been compromised.
From a practical perspective this means that if you used the same password to access a popular social media site as you did for logging in to details of clients’ investments or for cloud storage you could have been compromised.
The advice if you think you might have been affected is to wait until the vulnerable site has been patched – most now have – and then change your passwords. If in doubt, there are an increasing number of Heartbleed checkers you can use to check if a site is vulnerable.
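For firms and suppliers who want to confirm their own servers were patched, the simplest check is the version of the library itself rather than a network probe against a live site. The following is an added example, not code from the column or from any supplier mentioned in it: it classifies the output of `openssl version` against the affected range (1.0.1 through 1.0.1f; 1.0.1g shipped the fix), and includes the caveat that Linux distributions commonly backported the fix without changing the version letter, so a match means "read the package changelog", not "definitely vulnerable". The sample version strings are constructed; the 1.0.2 pre-release betas are outside what this check covers.

```python
import re
import subprocess

# Upstream OpenSSL releases carrying the vulnerable TLS heartbeat code:
# 1.0.1 through 1.0.1f. 1.0.1g (April 2014) fixed it. The 1.0.0 and
# 0.9.8 branches never contained the affected heartbeat implementation.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Pull (major, minor, fix, letter) out of `openssl version` output such as
    'OpenSSL 1.0.1e 11 Feb 2013'. Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_vulnerable_version(text):
    """True if the upstream version string sits in 1.0.1..1.0.1f, False if it
    is any other release, None if no version could be parsed.

    Caveat: Debian, Ubuntu, Red Hat and others backported the fix into their
    existing 1.0.1e packages without bumping the letter, so True here means
    'check the distribution changelog for the Heartbleed (CVE-2014-0160) fix',
    not 'this host is exploitable'."""
    v = parse_openssl_version(text)
    if v is None:
        return None
    major, minor, fix, letter = v
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # A bare '1.0.1' (empty letter) sorts before 'g' and is affected.
    return letter < FIRST_FIXED_LETTER


def check_local_openssl():
    """Run the system's own `openssl version` and classify it.
    Returns None if the binary is not installed."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return is_heartbleed_vulnerable_version(out)


# Constructed sample outputs a server administrator might collect from a
# fleet of hosts; the hostnames are placeholders.
SAMPLE_HOSTS = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance": "no openssl binary found",
}


def triage(hosts):
    """Map each host to 'review', 'clear' or 'unknown'."""
    labels = {True: "review", False: "clear", None: "unknown"}
    return {name: labels[is_heartbleed_vulnerable_version(v)]
            for name, v in hosts.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_HOSTS).items():
        print(f"{host:10s} {status}")
    print("this machine:", check_local_openssl())
```

The "review" bucket is deliberately not called "vulnerable": the sensible follow-up for a 1.0.1e host is to look at the package changelog or vendor advisory, and then, once the library is confirmed patched, to reissue the certificates and keys that were in memory while the old code was running, since the advice to change passwords only helps after the site itself has been fixed.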
So far, there have been surprisingly few horror stories about losses incurred as a result of Heartbleed, but it is important not to be complacent. It may be that firms are not coming forward with such information – or that the internet simply had a very lucky escape.
All this is a stark reminder of why password security is essential. Using the same passwords in your personal life and on social media as you do in business is asking for trouble.
Ian McKenna is director of Finance & Technology Research Centre