Take a minute to read up on Heartbleed, the computer security vulnerability that the Wall Street Journal has called potentially “catastrophic.”
If you’re not a computer expert, here’s a (kind of) plain-English description of the problem from CNN reporter Heather Kelly:
“Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes.”
What’s scary is that this vulnerability has been present for two years, which makes it nearly impossible to tell what data may have been compromised.
Now that the Heartbleed vulnerability has been identified, here’s what you need to know.
(Information specific to our clients who custody assets at Schwab is highlighted in red.)
What sites are affected?
Two-thirds of all active internet sites use OpenSSL, so they are potentially affected and need to be patched. Yahoo, Amazon, Netflix, Dropbox and Facebook have already been identified as affected (many sites say they have already made repairs or have otherwise addressed the issue). You can use this site to test whether the internet pages you visit are safe. Many sites have already sent mass emails to users with updates, so check your most frequented services and sites for news.
For our clients who custody their assets at Schwab: you will be reassured to hear that, after testing its systems, Schwab says it is confident there are no Heartbleed vulnerabilities on Schwab.com or any of the company’s other online channels, and it wants to assure clients that their personal information and assets are safe.
Schwab continues to monitor its security systems and states:
“To give our clients additional peace of mind, we provide the Schwab Security Guarantee, which states that Schwab will cover 100% of any losses in any of your Schwab accounts due to unauthorized activity.”
What should I do now?
While experts at first advised you to rush to change all your passwords, others now say to wait until the sites you use have installed patches.
“Until the larger providers finish applying the patch, a password change could even increase the chance of somebody getting the new password through the vulnerability,” says Mark Schloesser, a security researcher with Rapid7, in a Wall Street Journal interview.
CNN’s Kelly echoes that advice, writing that “individuals should update their passwords across the various Web pages they use, but only once they have confirmed a site has already taken the proper measures to address Heartbleed. If they don’t and that site is still at risk, the new password could also be compromised. Many sites will also likely send e-mails instructing customers to update passwords when necessary.”
As for specific advice for our clients at Schwab: Schwab says there is no need for you to change your login credentials and password on Schwab.com because of the Heartbleed bug. However, if you use the same user name and password on other sites, or share them with other service providers (which may have been affected by Heartbleed), Schwab recommends changing your password on Schwab.com immediately. As a further security measure, Schwab always recommends that clients update their passwords routinely, at least once every six months. Click here for more Schwab-provided information on how you can protect yourself from security threats.
Remember your internet safety protocols
Breaches like this should remind users to follow safe internet practices. Change passwords frequently, use longer and harder-to-guess passwords, and don’t leave them on a sticky note on your monitor (!). Shred financial papers and close your browser when you are done. Be wary when using free Wi-Fi in public places. Keep anti-virus protection up to date, and beware of unfamiliar attachments and email senders. And don’t use the same password for all sites; if it is stolen, the attacker will be able to access all of your accounts.