Heartbleed’s damage far from over


While banks and insurers have been swift to respond to the Heartbleed vulnerability, some industry players say the damage may not yet be fully realised.

Rob McMillan, Research Director at Gartner, told FST Media “because this vulnerability has existed for a long time, we do not know what information has been compromised. Any activities that arise from it might not necessarily occur in the short-term.”

McMillan added the financial services landscape has a “high degree of complexity and is becoming even more complex. We have a more complex threat environment emerging.”

Agreeing that complexity is now part of the financial services landscape, Zurich Australia’s CEO of General Insurance Business for Australia and New Zealand, Daniel Fogarty, said “innovation leads to new, previously unthought-of risk scenarios – like cyber security.”

“Business must insure itself against these risks,” he added.

However, a spokesperson for Citi Asia disagreed, saying “one of our priorities on any new innovation is ensuring that all the relevant risk scenarios have been thoroughly assessed. Any new innovation we use or launch is given rigorous testing including cyber security. The aim is to always be one step ahead.”

While McMillan conceded “the financial services firms that I speak with do consider risk scenarios as their business depends on it,” he warned against complacency, saying “there will always be a risk scenario that no-one has thought of before.”

Heartbleed is one of the biggest security flaws to hit the internet. The vulnerability, which was identified in the popular OpenSSL cryptographic software library, was discovered by researchers from Google and a Finnish company called Codenomicon.

The Heartbleed bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate them.

“We are aware of the OpenSSL vulnerability reported in the media, and all of our customer- and client-facing banking sites across the Consumer Bank and the Institutional Clients Group have been safeguarded against the Heartbleed bug,” said the Citi Asia spokesperson.

Singapore’s largest bank, DBS, told FST Media “we are not affected by this vulnerability and have multiple layers of security in place to protect our customers. Some of our security measures include the encryption of iBanking usernames and passwords as well as the use of 2FA for online banking transactions.”

Spokespeople for CIMB, Maybank and Bank Danamon were unavailable for comment.

Australia’s NAB, ANZ and Westpac assured FST Media that the banks have not been exposed to this threat and all customers remain secure. CBA’s official statement and a separate blog assure customers that the bank is “patched against the ‘Heartbleed’ bug” but do not reveal whether any CBA websites were affected.

All banks approached for comment said they encouraged customers to change passwords regularly and never re-use the same user ID and password across multiple sites as a best practice.

However, Gartner’s McMillan warned that the bug “came out of nowhere really, not for the first time, and it will not be the last time. The next big thing might be something that is right in front of us that we are not seeing. You just never know.”

Spire Research’s Alyssa Tan, Group Corporate Communications, agreed, saying “What this episode shows is the need to think harder about the parts of the whole internet ecosystem lying outside the direct control of the financial services industry, such as web servers and the encryption standards they use.”


With Jamie Pericleous and Adrian Barclay