April 10 (Bloomberg) -- Banks and other financial institutions should take steps to patch their computer systems as soon as possible to prevent attacks that exploit the Heartbleed Web-security flaw, U.S. agencies said.
The Federal Financial Institutions Examination Council, made up of representatives from the Federal Reserve Board of Governors, the Consumer Financial Protection Bureau and other regulators, said systems that use a widely used encryption technology called OpenSSL are at risk of being hacked.
Heartbleed, which was recently discovered by researchers at Google Inc., prompted security experts to urge consumers to change their Web passwords, even as Google, Facebook Inc. and large banks said they weren’t affected. While OpenSSL runs on as many as two-thirds of all active websites, many large consumer sites aren’t vulnerable to being exploited because they use specialized encryption equipment and software, according to the researchers.
“Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks,” the council said in a statement today.
JPMorgan Chase & Co., the largest U.S. bank, doesn’t use the vulnerable software and user information hasn’t been exposed, the New York-based company said in a statement yesterday. Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. indicated they weren’t vulnerable.
The Heartbleed revelation comes at a time of mounting concern about hackers’ capabilities following consumer data breaches at Target Corp. and Neiman Marcus Group Ltd. and the spying scandal involving the National Security Agency. The flaw involving a two-year-old programming mistake was discovered by researchers from Google and Codenomicon, a security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon.
It isn’t known whether malicious hackers knew about the bug and were exploiting it, the researchers wrote. Google and Facebook said they addressed the problem before it was made public and saw no signs of vulnerabilities. OpenSSL is used by Internet companies to secure traffic flowing between servers and users’ computers. SSL refers to an encryption protocol known as Secure Sockets Layer and its use is indicated by a closed padlock appearing on browsers next to a website’s address.