The Heartbleed Bug and Your Accounts at Affinity Plus.
Affinity Plus takes the security of our members’ information seriously. As such, we wanted to share more information surrounding a recently announced security concern called the “Heartbleed Bug.”
The Heartbleed Bug became public on April 7, 2014. It was disclosed that the bug could expose personal information such as credit cards and passwords on websites running vulnerable versions of OpenSSL technology. An updated patch was released the same day to fix the bug. OpenSSL is an open-source implementation of SSL and TLS, which are protocols used to encrypt your private information when you exchange data with your credit union or other companies.
What is open source?
Open Source is a method in which a software application is freely distributed with the source code so that anyone can modify and redistribute the code. Software developers supporting this concept believe that open source applications will be more useful and error-free over the long term.
I recently read about the OpenSSL protocol bug reported in several articles online. Does that affect the Affinity Plus online banking system?
Affinity Plus does not use OpenSSL so we are not directly affected.
Should I change my password?
Changing your passwords regularly continues to be the best first line of defense in protecting your personal information. Affinity Plus’ online banking system supports complex passwords, and changing them is an easy process to complete. The trick to this vulnerability is that you are reliant on the website administrators of the services that you use to fix the problem. Basically, if their service is not patched, then there is a potential risk that your new password is vulnerable.
How do I know if a website uses OpenSSL?
There are test sites that are helpful in determining whether the site is currently vulnerable; however, they are not 100% definitive, nor can they tell if the site was affected in the past. Two sites we’ve found that can help determine if a site is vulnerable are http://filippo.io/Heartbleed/ and https://www.ssllabs.com/ssltest/. CNET has posted a list of the top 100 sites and their Heartbleed status at http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/.
It was recommended that I reach out to my financial institution to see if you’ve updated the security software and changed the encryption key. I want to make sure that's done before I change my password.
Affinity Plus does not use OpenSSL so we are not directly affected, but we do recommend that you change your passwords on sites where you transmit private data. Additionally, consider making your password combination harder to decipher using these tips:
- Create passwords that are easy to remember but hard for others to guess. When possible use a phrase such as “I love Affinity Plus credit union in 2014 and beyond!” and use the initial of each word like this: IlAPcui2014ab!
- Choose a combination of lower and upper case letters, numbers, and special characters. Consider using an $ instead of an S or a 1 instead of an L. An excellent password would take a phrase like “Affinity Plus. Not for Profit. For People” and turn it into @PN4p4p!.
- Make your passwords at least 8 characters long. The longer the better as longer passwords are harder for thieves to crack.
- Don’t just use one password. Using different passwords ensures that if one password is compromised, not all of your accounts are affected.
- Don’t use dictionary words. If it is in the dictionary, it is easier to guess.
- Don’t post your passwords in plain sight. If you must write it down, hide it somewhere where no one can find it.
- Consider a password for your phone too. Many phones and Internet enabled devices can be locked with a PIN or password.