The commotion around the “Heartbleed” security bug has everyone fretting over the safety of their personal information, usernames and passwords that can be hacked from vulnerable websites. Financial websites, in particular, may pose the most harm if they are subject to this security flaw, but most financial companies have informed customers that they are well-protected.
“Some clients have asked us if it’s necessary to change the passwords they use to log on to vanguard.com,” said Vanguard, a major U.S. brokerage firm, in an online notice. “Our view is that it’s always a good practice to change your password periodically, and to use different passwords for every site you visit — especially banking and investment sites.”
Like many of the nation’s largest banks and financial firms, Vanguard said that its website is not vulnerable to Heartbleed.
The Heartbleed bug is a coding flaw in the OpenSSL encryption protocol for websites, which is used by many companies and organizations around the world. The bug has existed for more than two years, during which hackers could have exploited the flaw to steal personal information and login credentials.
Although most banks and financial firms were not affected by the Heartbleed bug, customers of these companies can still become victims of fraud if they reuse the same password for other websites — one of which could have been vulnerable.
According to a 2012 survey from security firm CSID, 61 percent of consumers use the same password across multiple websites.
It is possible that the usernames and passwords stolen from one website could be used to log into financial websites. Following the news of the Heartbleed bug, financial companies are reminding customers to change their passwords occasionally to thwart these fraudulent login attempts.
There is further consolation in knowing that many banks now require customers to go through an authentication process when they try to log in on an unrecognized computer or mobile device. Usually, a customer is provided a temporary code by text message or phone call, which must be entered to verify the login session.
However, it remains a good practice to use different passwords across all websites.