The Heartbleed web security bug, which has raised vulnerability concerns across much of the web and prompted the Canada Revenue Agency to block access to part of its site yesterday, is no threat to bank websites in Canada, the group that represents the industry says.
"The online banking applications of Canadian banks have not been affected by the Heartbleed bug," the Canadian Bankers Association said Wednesday. "Canadians can continue to bank with confidence."
Heartbleed is a recently discovered security bug built into the newest version of a ubiquitous software program known as OpenSSL. The software is what powers the encryption process on about two-thirds of the world's secure web servers (which can be recognized by a closed lock-and-key symbol) and it ensures that only authorized users have access to the sensitive data being transmitted.
A glitch in the most recent version of the program was uncovered this week that could theoretically allow a hacker to mimic the appearance of an authorized user, and subsequently be granted access by an affected server to be able to collect sensitive information.
Although the buggy OpenSSL version is easy to fix, the bug poses an added problem: it makes it very difficult to tell after the fact who may have been granted unlawful access to data before the loophole was closed.
Tax agency site shut down
The Canada Revenue Agency took the bold step on Wednesday of shutting down its public website until it can address the issue. That's prompted questions as to whether other websites with highly sensitive data, such as banks, may be vulnerable.
There's no need for Canadians to be concerned about their banking information being unlawfully accessed, the CBA said Wednesday.
"Banks have sophisticated security systems in place to protect customers' personal and financial information, including encryption and other measures," the CBA said. "As part of a normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers."
Canada's major banks echoed that sentiment individually.
"We take every threat seriously," a spokesman for the Royal Bank of Canada told CBC News. "Our websites have not been affected by the Heartbleed security bug."
Toronto-Dominion Bank noted that the vulnerability affects any company in any industry connected to the internet, but said customers have no added need to worry about banking.
"TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk," the bank said.
"While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly (i.e. several times a year). That said, TD has intelligent and multi-layered authentication, so there are multiple safeguards in place to protect customers."
CIBC deferred to the CBA's statement on the issue. Requests for comment from Scotiabank and BMO were not returned.
Despite the lack of a specific Heartbleed-related threat, the CBA urges bank customers to remain vigilant about what data they share online, by keeping track of statements, monitoring PINs and changing passwords regularly.