04-17-2014 10:01 AM
Helping protect our members’ private information is one of USAA’s top priorities. As such, we are continuing to provide relevant updates to our members about the “Heartbleed” bug and its potential impacts.
Akamai, the host provider for usaa.com, notified USAA that it has identified a group of servers that did not receive the initial OpenSSL patch for the “Heartbleed” bug implemented prior to April 7. While USAA had replaced its security certificates following the initial patch, we have now done so again to ensure member information remains safe.
Akamai, which delivers 15-30 percent of global Web traffic and is used by 97 of the top 100 online U.S. retailers, issued a second patch to the group of servers that did not receive the first patch. It could not say whether usaa.com was at risk prior to either patch.
USAA has no indication that our earlier security certificates had been compromised by “Heartbleed” or that Akamai’s disclosure impacts USAA directly. However, as a prudent security measure, we installed new certificates for usaa.com.
USAA has aggressive fraud detection programs and monitors global threats 24/7. These programs are designed to detect any unauthorized activities. Based on information gathered by our fraud detection programs, at this time the security team has not seen any increased threat activity due to the “Heartbleed” vulnerability.
In light of this new information and as a precaution, we recommend that USAA members change their passwords on usaa.com as soon as possible.
Here’s What You Should Do
- Change your password on your desktop or mobile device.
- Sign up for USAA’s free CyberCode™ Token for your personal computer or Quick Logon to access USAA’s mobile app.
- Forgot your password? Click here.
What Is the “Heartbleed” Bug?
“Heartbleed” is a flaw found in software that is widely used to enable secure access to websites. The problem was discovered by researchers and security experts, who alerted affected companies before the flaw was made public. They delayed announcing the flaw to give companies time to patch their security software. Akamai, the hosting provider for usaa.com, implemented security patches on April 4 and 5 before the flaw was made public. Subsequently, USAA obtained new security certificates. On Wednesday, April 16, Akamai notified us that certain servers did not receive the April 4 and 5 patches. Once again, we obtained new security certificates.
We continue to take steps to mitigate the risks associated with this bug. We have no indication that our security certificates have been compromised by “Heartbleed”.
CyberCode™ Token and Quick Logon
In addition to setting a strong password, USAA security professionals urge members to use a unique password for their financial accounts or, better yet, sign up for USAA’s free CyberCode Token¹ for desktop or Quick Logon to access USAA’s mobile app.
A CyberCode token generates a unique security code every 30 seconds. With this token, you log on with a new password – made up of your PIN plus security code – every time. It is not possible for members already using the CyberCode token to be adversely affected by the “Heartbleed” bug.
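The following is an added example, not USAA's or Symantec's code, showing why a PIN-plus-code logon captured from server memory goes stale. It assumes the token behaves like standard RFC 6238 TOTP with HMAC-SHA1, which the page does not state; the secret, PIN and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as described above

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def make_logon(pin: str, secret: bytes, unix_time: int) -> str:
    """Client side: the submitted password is the PIN followed by the current code."""
    return pin + totp(secret, unix_time)

def verify_logon(submitted: str, pin: str, secret: bytes, unix_time: int,
                 used_steps: set, drift: int = 1) -> bool:
    """Server side: accept PIN+code only for a nearby time step not already used."""
    now_step = unix_time // STEP
    for step in range(now_step - drift, now_step + drift + 1):
        expected = pin + totp(secret, step * STEP)
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            if step in used_steps:
                return False  # same code presented twice: replay
            used_steps.add(step)
            return True
    return False  # wrong PIN, wrong code, or code from an expired step

if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 test-vector secret
    pin = "4821"                      # constructed PIN
    used = set()
    logon = make_logon(pin, secret, 59)
    print("submitted:", logon)
    print("fresh logon accepted:", verify_logon(logon, pin, secret, 59, used))
    print("replay in same step:", verify_logon(logon, pin, secret, 59, used))
    print("replay two minutes later:", verify_logon(logon, pin, secret, 179, set()))
```

The static PIN on its own is still a long-lived secret; it is the changing code and the server's rejection of reused or expired steps that make a captured logon string useless.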
Quick Logon uses what is called two-factor authentication, which requires something you know – your PIN – and something you have – your phone with Symantec VIP. It's more secure because even if hackers are able to guess your PIN, they would still need to have your phone to log on.
To learn more about USAA’s logon choices, visit the security center.
Working Together to Fight Fraud
While USAA uses sophisticated fraud detection processes, we are most effective in fighting fraud when we work together with you. USAA security professionals recommend you monitor your account activity on a regular basis and take advantage of all the tools available to mitigate risks when checking your account on your desktop, smartphone or tablet.
Visit our Security Center to obtain these tools and learn more about helping protect your personal and financial information.
Together, we'll remain vigilant to help protect your online security. You have our commitment to continuously enhance our security measures to help prevent cyber crime from happening to you.
Changing Your Password
Passwords are one of the many defenses in place to protect your sensitive information from getting into the wrong hands. Hacking or guessing your password is one of the most basic tactics a cyber criminal will use.
Don't make it easy for them by...
- Using the same password for multiple sites.
- Writing your password down where others can see it.
- Including your name in the password.
- Using words from the dictionary in your password.
How to Create a Strong Password
There are many ways to create a strong password. Here is one way that may make it easier for you:
How to do it:
- Think of a sentence using eight or more words and turn your sentence into a row of letters. Use the first letter of each word.
- Make it stronger using upper and lower case letters. Make any letter in the alphabet between N and Z upper case.
- Make it stronger by adding numbers. Place a number inside the password. Sometimes, you can even replace words with numbers.
- Make it stronger by adding punctuation. Place a punctuation mark inside the password.
What You Need to Know About “Heartbleed”
Q: Does USAA utilize Akamai servers in support of usaa.com?
A: Yes, USAA utilizes Akamai to support usaa.com.
Q: With the announcement made by Akamai, will USAA update its certificates?
A: Yes. Akamai notified all customers, including USAA, about the new information concerning its servers. USAA took immediate action to mitigate risk due to this bug by replacing the certificates.
Q: What does this announcement mean for members?
A: Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected. To provide the highest level of protection, we strongly recommend members change their passwords. Passwords are the first line of members’ defense. Members should make it a habit to periodically change them and use unique passwords for each site.
Q: Should I change my password?
A: Yes, as a matter of caution, we strongly recommend members change their passwords. When you change your password:
- Use our password strength indicator.
- Create a strong password that has a combination of letters, numbers and punctuation.
- Make it different from your other passwords.
- Don’t write it down in a visible place.
- Don’t use words or names.
We recommend that members regularly review financial statements for any suspicious activity. USAA’s zero liability policy helps protect members from fraudulent charges made on USAA credit or debit cards.² Regular monitoring of credit reports can also help detect any suspicious activity on accounts.
Q: An online test site says USAA is possibly vulnerable to this bug. Is it?
A: A number of sites have been quickly developed by individuals to help consumers gauge the risks associated with the “Heartbleed” bug. Some of those sites can give misleading answers. We have updated our security certificates, and we continue to take steps to mitigate the risks associated with this bug.
Q: What has changed since your last statement about members not needing to change passwords?
A: Akamai notified USAA that certain servers had not been patched, and, as a result, we have again replaced our security certificates. As another layer of security, we strongly recommend members change their passwords.
Q: Do we know how many other sites are affected by Akamai’s announcement? Is it all their customers?
A: All Akamai customers that leverage their secure application network may have been affected. Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected, but we are taking every precaution to help protect our members.
Q: What do I do if I think my account has been affected?
A: Contact USAA immediately and change your password.
Q: What is the “Heartbleed” bug, and is my information at risk?
A: “Heartbleed” is a flaw in software widely used to enable secure access to websites. USAA’s hosting provider for usaa.com implemented a security patch before the flaw was made public, and we have now replaced our security certificates twice. We continue to take steps to mitigate the risks associated with this bug. Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected. We maintain a 24/7 monitoring center for all cyber threats. We recommend that members change their passwords and use a unique password for each site.
Q: What can I do to further protect myself from “Heartbleed”-related issues?
A: In light of this latest development, we strongly recommend members change passwords. Members should consider using enhanced authentication options offered by USAA, such as CyberCode Token. In addition, we recommend that members regularly review financial statements for any suspicious activity. USAA’s zero liability policy helps protect members from fraudulent charges made on USAA credit or debit cards. Regular monitoring of credit reports can also help detect any suspicious activity on accounts.
Q: What are security certificates?
A: Certificates are proof of a website’s authenticity and are used to encrypt communications securely between a customer and the website.
Q: Is the “Heartbleed” issue the only security bug I need to worry about?
A: While USAA has taken strong and immediate action to help protect members from any potential vulnerability related to the “Heartbleed” bug, there are still companies that may not have patched their systems. There are still many threats in cyberspace, and hackers use numerous techniques in order to infiltrate websites and networks. USAA tries to do everything possible to protect members’ information from these threats. We also urge you to use the free Trusteer product and CyberCode Token offered through USAA to enhance your overall security posture. Together, with the vigilance of both USAA and our members, we can help protect your information.
Q: Do I need to change my Quick Logon PIN for USAA’s mobile app?
A: No, because the PIN is tied to that device. Someone who manages to obtain that PIN due to this bug would have to use your mobile device to gain access to your account.
Q: I access USAA only on my mobile device. Am I secure?
A: It depends. If you are a user that accesses usaa.com directly through your mobile browser or have not enabled Quick Logon on the USAA application, then you could be vulnerable and we advise you to change your password. If you use only the USAA mobile app, then your credentials are secure.
Q: Do I need to change my phone password?
A: No. Phone passwords are not affected by the “Heartbleed” bug. The main vulnerability is the password you use for logging in to usaa.com from a desktop or mobile device.
Q: I use CyberCode Token to access usaa.com on my desktop. What do I need to do?
A: Nothing. CyberCode Token is our strongest form of authentication and not susceptible to this bug.
¹ You may only activate one security token per account. Your phone carrier’s data charges may apply.
² You must notify us immediately of any unauthorized use.
Use of the term “member” or “membership” does not convey any eligibility rights for auto and property insurance products, or legal or ownership rights in USAA. Ownership rights are limited to eligible policyholders of United Services Automobile Association.