USAA Responds to Akamai Server Vulnerability

04-17-2014 10:01 AM

Helping protect our members’ private information is one of USAA’s top priorities. As such, we are continuing to provide relevant updates to our members about the “Heartbleed” bug and its potential impacts.

 

Akamai, the host provider for usaa.com, notified USAA that it has identified a group of servers that did not receive the initial OpenSSL patch for the “Heartbleed” bug implemented prior to April 7. While USAA had replaced its security certificates following the initial patch, we have now done so again to ensure member information remains safe.

 

Akamai, which delivers 15-30 percent of global Web traffic and is used by 97 of the top 100 online U.S. retailers, issued a second patch to the group of servers that did not receive the first patch. It could not say whether usaa.com was at risk prior to either patch.

 

USAA has no indication that our earlier security certificates had been compromised by “Heartbleed” or that Akamai’s disclosure impacts USAA directly. However, as a prudent security measure, we installed new certificates for usaa.com.

 

USAA has aggressive fraud detection programs and monitors global threats 24/7. These programs are designed to detect any unauthorized activities. Based on information gathered by our fraud detection programs, at this time the security team has not seen any increased threat activity due to the “Heartbleed” vulnerability.

 

In light of this new information and as a precaution, we recommend that USAA members change their passwords on usaa.com as soon as possible.

 

Here’s What You Should Do

 

 

WHAT IS THE “HEARTBLEED” BUG?

“Heartbleed” is a flaw found in software that is widely used to enable secure access to websites. The problem was discovered by researchers and security experts, who alerted affected companies before the flaw was made public. They delayed announcing the flaw to give companies time to patch their security software. Akamai, the hosting provider for usaa.com, implemented security patches on April 4 and 5 before the flaw was made public. Subsequently, USAA obtained new security certificates. On Wednesday, April 16, Akamai notified us that certain servers did not receive the April 4 and 5 patches. Once again, we obtained new security certificates.

 

We continue to take steps to mitigate the risks associated with this bug. We have no indication that our security certificates have been compromised by “Heartbleed”.

CyberCode™ Token and Quick Logon

In addition to setting a strong password, USAA security professionals urge members to use a unique password for their financial accounts or, better yet, sign up for USAA’s free CyberCode Token¹ for desktop or Quick Logon to access USAA’s mobile app.

 

A CyberCode token generates a unique security code every 30 seconds. With this token, you log on with a new password – made up of your PIN plus security code – every time. It is not possible for members already using the CyberCode token to be adversely affected by the “Heartbleed” bug.

 

Quick Logon uses what is called two-factor authentication, which requires something you know – your PIN – and something you have – your phone with Symantec VIP. It's more secure because even if hackers are able to guess your PIN, they would still need to have your phone to log on.
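The two paragraphs above describe a logon made of a PIN plus a code that changes every 30 seconds. The page does not say which algorithm CyberCode or Symantec VIP uses, so the following is an added example, not USAA’s or Symantec’s code: it implements the standard time-based one-time password scheme (RFC 6238: HMAC-SHA1 over a 30-second time counter) and the server-side check of a “PIN + code” credential. The secret, the PIN and the acceptance window are constructed values for illustration; the secret is the RFC 6238 reference seed so the output can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the page): the RFC 6238 reference seed
# and an arbitrary four-digit PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "1234"
TIME_STEP = 30  # seconds per code, as the page describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so the code changes every `step` seconds."""
    return hotp(secret, int(at_time // step), digits)


def verify_logon(secret: bytes, pin: str, submitted: str, at_time: float, window: int = 1) -> bool:
    """Server-side check of a 'PIN + code' credential.

    The expected value is rebuilt for the current time step and `window`
    steps either side (tolerating clock drift), and compared in constant
    time so a partially correct guess leaks nothing through timing.
    """
    counter = int(at_time // TIME_STEP)
    for c in range(counter - window, counter + window + 1):
        expected = pin + hotp(secret, c)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    credential = DEMO_PIN + code
    print("current code:", code)
    print("logon accepted now:", verify_logon(DEMO_SECRET, DEMO_PIN, credential, now))
    # The same credential, captured and replayed two steps later, is rejected:
    print("replayed 60 s later:", verify_logon(DEMO_SECRET, DEMO_PIN, credential, now + 60))
```

This is why a code-based token is unaffected by the disclosure of a static password: a captured credential is only valid for the current window and is worthless afterwards, and the PIN alone (the “something you know”) is never enough without the device that holds the secret (the “something you have”). Production systems additionally remember the last accepted counter so that a code cannot be reused even inside the window.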

 

To learn more about USAA’s logon choices, visit the security center.

 

Working Together to Fight Fraud

 

While USAA uses sophisticated fraud detection processes, we are most effective in fighting fraud when we work together with you. USAA security professionals recommend you monitor your account activity on a regular basis and take advantage of all the tools available to mitigate risks when checking your account on your desktop, smartphone or tablet.

 

Visit our Security Center to obtain these tools and learn more about helping protect your personal and financial information.

 

Together, we'll remain vigilant to help protect your online security. You have our commitment to continuously enhance our security measures to help prevent cyber crime from happening to you.

 

Changing Your Password

 

Passwords are one of the many defenses in place to protect your sensitive information from getting into the wrong hands. Hacking or guessing your password is one of the most basic tactics a cyber criminal will use.

 

Don't make it easy for them by...

 

  • Using the same password for multiple sites.
  • Writing your password down where others can see it.
  • Including your name in the password.
  • Using words from the dictionary in your password.

How to Create a Strong Password

 

There are many ways to create a strong password. Here is one way that may make it easier for you:

 

Steps, how to do each one, and an example:

1. Think of a sentence using eight or more words and turn your sentence into a row of letters.
   How to do it: Use the first letter of each word.
   Example: Iltwtang

2. Make it stronger using upper and lower case letters.
   How to do it: Make any letter in the alphabet between N and Z upper case.
   Example: ilTWTaNg

3. Make it stronger by adding numbers.
   How to do it: Place a number inside the password. Sometimes, you can even replace words with numbers.
   Example: il2WTaNg

4. Make it stronger by adding punctuation.
   How to do it: Place a punctuation mark inside the password.
   Example: il2WTa-Ng

The result: A password that is a strong deterrent against cyber crime and easy enough to remember to get quick access to your information. Change your password on your desktop or mobile device.
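The four steps above carried out as a small program, so each transformation and the character class it adds can be seen. This is an added example, not USAA’s code. The eight-word sentence is constructed here to reproduce the page’s starting row “Iltwtang”; the word-to-digit table, the hyphen and the position at which it is inserted are assumptions that reproduce the page’s example values.

```python
import string

# Constructed sentence (not from the page) whose initials give the page's
# starting example "Iltwtang".
DEMO_SENTENCE = "I like to watch that awesome new game"

# Assumed substitutions for step 3 ("you can even replace words with numbers").
WORD_TO_DIGIT = {
    "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4",
    "one": "1", "won": "1",
    "ate": "8", "eight": "8",
}


def step1_initials(sentence: str) -> str:
    """Step 1: the first letter of each word, keeping the sentence's own case."""
    words = sentence.split()
    if len(words) < 8:
        raise ValueError("use a sentence of eight or more words")
    return "".join(w[0] for w in words)


def step2_mixed_case(letters: str) -> str:
    """Step 2: letters N-Z become upper case; the rest are written lower case
    (the page's example turns the leading 'I' into 'i')."""
    return "".join(c.upper() if "n" <= c.lower() <= "z" else c.lower() for c in letters)


def step3_digits(sentence: str, password: str) -> str:
    """Step 3: where a word sounds like a number, its initial becomes that digit.
    Word i of the sentence maps to character i of the password."""
    chars = list(password)
    for i, word in enumerate(sentence.split()):
        digit = WORD_TO_DIGIT.get(word.lower().strip(string.punctuation))
        if digit:
            chars[i] = digit
    return "".join(chars)


def step4_punctuation(password: str, mark: str = "-", position: int = 6) -> str:
    """Step 4: insert a punctuation mark inside the password
    (a hyphen at index 6 reproduces the page's 'il2WTa-Ng')."""
    return password[:position] + mark + password[position:]


def build_password(sentence: str, mark: str = "-", position: int = 6) -> str:
    """All four steps in order."""
    pw = step1_initials(sentence)
    pw = step2_mixed_case(pw)
    pw = step3_digits(sentence, pw)
    return step4_punctuation(pw, mark, position)


def character_classes(password: str) -> dict:
    """Which of the four character classes a password draws on.
    Each step of the method should switch one more of these on."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punct": any(c in string.punctuation for c in password),
    }


if __name__ == "__main__":
    pw = step1_initials(DEMO_SENTENCE)
    print("step 1:", pw, character_classes(pw))
    pw = step2_mixed_case(pw)
    print("step 2:", pw, character_classes(pw))
    pw = step3_digits(DEMO_SENTENCE, pw)
    print("step 3:", pw, character_classes(pw))
    pw = step4_punctuation(pw)
    print("step 4:", pw, character_classes(pw))
```

The value of the method is that the result is not a dictionary word and is not your name, which are two of the habits warned against above, while the sentence you remember makes the row of letters reproducible without writing it down.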

 

What You Need to Know About “Heartbleed”

 

Q: Does USAA utilize Akamai servers in support of usaa.com?
A: Yes, USAA utilizes Akamai to support usaa.com.

 

Q: With the announcement made by Akamai, will USAA update its certificates?
A: Yes. Akamai notified all customers, including USAA, about the new information concerning its servers. USAA took immediate action to mitigate risk due to this bug by replacing the certificates.

 

Q: What does this announcement mean for members?
A: Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected. To provide the highest level of protection, we strongly recommend members change their passwords. Passwords are the first line of members’ defense. Members should make it a habit to periodically change them and use unique passwords for each site.

 

Q: Should I change my password?

A: Yes, as a matter of caution, we strongly recommend members change their passwords. When you change your password:

 

We recommend that members regularly review financial statements for any suspicious activity. USAA’s zero liability policy helps protect members from fraudulent charges made on USAA credit or debit cards.² Regular monitoring of credit reports can also help detect any suspicious activity on accounts.

 

Q: An online test site says USAA is possibly vulnerable to this bug. Is it?
A: A number of sites have been quickly developed by individuals to help consumers gauge the risks associated with the “Heartbleed” bug. Some of those sites can give misleading answers. We have updated our security certificates, and we continue to take steps to mitigate the risks associated with this bug.

 

Q: What has changed since your last statement about members not needing to change passwords?
A: Akamai notified USAA that certain servers had not been patched, and, as a result, we have again replaced our security certificates. As another layer of security, we strongly recommend members change their passwords.

 

Q: Do we know how many other sites are affected by Akamai’s announcement? Is it all their customers? 
A: All Akamai customers that leverage their secure application network may have been affected. Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected, but we are taking every precaution to help protect our members.

 

Q: What do I do if I think my account has been affected?
A: Contact USAA immediately and change your password.

 

Q: What is the “Heartbleed” bug, and is my information at risk?
A: “Heartbleed” is a flaw in software widely used to enable secure access to websites. USAA’s hosting provider for usaa.com implemented a security patch before the flaw was made public, and we have now replaced our security certificates twice. We continue to take steps to mitigate the risks associated with this bug. Based on information gathered by our fraud detection programs, there is no evidence that USAA or its members have been affected. We maintain a 24/7 monitoring center for all cyber threats. We recommend that members change their passwords and use a unique password for each site.

 

Q: What can I do to further protect myself from “Heartbleed”-related issues?
A: In light of this latest development, we strongly recommend members change passwords. Members should consider using enhanced authentication options offered by USAA, such as CyberCode Token. In addition, we recommend that members regularly review financial statements for any suspicious activity. USAA’s zero liability policy helps protect members from fraudulent charges made on USAA credit or debit cards. Regular monitoring of credit reports can also help detect any suspicious activity on accounts.

 

Q: What are security certificates?
A: Certificates are proof of a website’s authenticity and are used to encrypt communications securely between a customer and the website.

 

Q: Is the “Heartbleed” issue the only security bug I need to worry about?
A: While USAA has taken strong and immediate action to help protect members from any potential vulnerability related to the “Heartbleed” bug, there are still companies that may not have patched their systems. There are still many threats in cyberspace, and hackers use numerous techniques in order to infiltrate websites and networks. USAA tries to do everything possible to protect members’ information from these threats. We also urge you to use the free Trusteer product and CyberCode Token offered through USAA to enhance your overall security posture. Together, with the vigilance of both USAA and our members, we can help protect your information.

 

Q: Do I need to change my Quick Logon PIN for USAA’s mobile app?
A: No, because the PIN is tied to that device. Someone who manages to obtain that PIN due to this bug would have to use your mobile device to gain access to your account.

 

Q: I access USAA only on my mobile device. Am I secure?
A: It depends. If you access usaa.com directly through your mobile browser or have not enabled Quick Logon on the USAA application, then you could be vulnerable and we advise you to change your password. If you use only the USAA mobile app, then your credentials are secure.

 

Q: Do I need to change my phone password?
A: No. Phone passwords are not affected by the “Heartbleed” bug. The main vulnerability is the password you use for logging in to usaa.com from a desktop or mobile device.

 

Q: I use CyberCode Token to access usaa.com on my desktop. What do I need to do?
A: Nothing. CyberCode Token is our strongest form of authentication and not susceptible to this bug.

 

¹You may only activate one security token per account. Your phone carrier’s data charges may apply.

²You must notify us immediately of any unauthorized use.

 

204624-0414

 

 

Use of the term “member” or “membership” does not convey any eligibility rights for auto and property insurance products, or legal or ownership rights in USAA. Ownership rights are limited to eligible policyholders of United Services Automobile Association.

 

Comments
by 04-17-2014 03:23 PM

Everyone;

 

1. USAA Member Concerns (Now Answered):

 

  • When was the new SSL Certificate (Private Key) updated?
  • ANSWER (Via Update to News Posting here):  Although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates today show a valid date of April 10, 2014 and an expiration date of April 12, 2015.
  • When was the old SSL Certificate revoked? (See ANSWER above).
  • When will USAA allow more than 12 characters in Password. (See my earlier reply in a posting here).

2. IMPORTANT:

 

  • If you haven't done so already, it should be safe to change your passwords, if you so desire.

Keeping Everyone Informed

by CMW 04-17-2014 04:31 PM

 

After reading this USAA post, I'm confused.  Didn't Akamai recently admit that its patch was faulty--that the patch didn't fix all of the Heartbleed vulnerabilities?  Below is a link to an April 14 article on the CNET website that describes the situation I'm referencing:

 

 http://www.cnet.com/news/akamai-heartbleed-patch-not-a-fix-after-all/

 

I'm an ordinary computer user with an incomplete understanding of this situation, so maybe this CNET article about Akamai's faulty patch isn't relevant to the security of the USAA website.  I'd appreciate your clarification.

by 04-17-2014 05:20 PM

CMW;

 

The SECOND PATCH being reported by this News Posting IS RELEVANT to the security of the USAA website as indicated by this edited quote from USAA's Post above:

 

------------------------------

Akamai ... issued a second patch to the group of servers that did not receive the first patch. It could not say whether usaa.com was at risk prior to either patch.

 

USAA has no indication that our earlier security certificates had been compromised by “Heartbleed” or that Akamai’s disclosure impacts USAA directly. However, as a prudent security measure, we installed new certificates for usaa.com.

------------------------------

 

USAA Continues to Keep its Members SAFE!

by wbhjr on 04-17-2014 08:08 PM - last edited on 04-18-2014 02:21 PM by Community Manager

i changed my password when USAA issued the first warning a few days ago.  Are you saying that i need to change it again ASAP?

If you changed your password after 6 a.m. CT on April 15 there is no need to change it again.

by CMW 04-18-2014 01:25 AM

 

Website Guru,

 

I was still confused after reading your reply.   However, I found an article dated April 16 on the Akamai website, which explains what they have done and are still doing to address issues around the Heartbleed vulnerability.  

 

Here's the link, in case another USAA member would like to read it:  

 

https://blogs.akamai.com/2014/04/heartbleed-a-history.html#more

by player0ne on 04-18-2014 06:55 AM - last edited on 04-18-2014 02:19 PM by Community Manager

I and others would like to know if passwords changed after 04/16/2014 are still potentially compromised.  In other words, we want to know the date and time when final security patches took effect and after which subsequent passwords should be considered secure.

 

Thank you for your question. On April 11, 2014, we generated two sets of certificates. One set was implemented, the second set was a back-up and not visible on the Internet. The current certificate was implemented on April 15, 2014 and is not vulnerable. If you changed your password after 6 a.m. CT on April 15 there is no need to change it again.

by RF 04-18-2014 06:56 AM

Instructions for making a strong password that I can remember, presumably without writing it down, are great and might work if this is the only password I need.  As it is, I probably have hundreds, many need to be changed periodically - the CyberCode Token worked on desktop a few times - then quits and defaults to the regular logon procedure - there's got to be a better way. 

by Richardv42 04-19-2014 02:24 PM

Hello,

I just signed up with USAA and am looking forward to working with this great company and all the services that they will provide to me. Thanks. Richard

by Ex-Jarhead on 04-22-2014 12:18 PM - last edited on 04-22-2014 01:25 PM by Community Manager

My daughter received an email from USAA saying she needed to change her password, does USAA send out emails or is this someone phishing?

 

Thank you for your vigilance. Yesterday we began sending out emails to members, alerting them to change their passwords. 

by ElSahl 04-22-2014 02:28 PM

I'm sure most people loathe having to create passwords. I have a solution that I find most useful.

I have obtained a password program called Password Safe. It can be downloaded from their website:

http://pwsafe.org.

There are other PW programs out there, but I like this one because 1. it has a free version and 2. it lets me make notes about each site for which I create a password. I need remember only ONE password to have access to ALL the other passwords that I regularly use. I use the mnemonic method suggested by USAA for access to my Password Safe and then never worry about the passwords I generate because when I need them I merely copy and paste them into a website's logon dialog. I find that only rarely do I have to actually type in a password.

Another nice feature of this password program is that I can have a copy on a Flash Drive and take it with me to have full access to my PWs on any other computer.

Tip: One thing I always try to do when I log on to a new site is to generate as long a password as the site will allow. Since the password is stored in my Password Safe, I need only copy it from Password Safe and paste it into the site's logon dialog relieving me of the need to try remembering it.

by TBird27 04-22-2014 11:50 PM

Interestingly enough, with 31 years and the BEST FOLKS in the industry at USAA, we received a security text alert just before 9PM EST on 4/21 regarding suspected fraudulent activity on our USAA credit card.  So we thought for a second - kind of in shock, but quickly realized neither one of us even left the house that day!  The charges were definitely fraudulent and we phoned USAA immediately.  Seems, USAA knows our spending patterns/habits quicker than we do and we are truly thankful.  No way of knowing if this is a coincidence with the "Heartbleed" bug but really have to wonder - nothing like this has ever happened before.  We try our best to keep prying eyes/scanners away from our personal stuff, but it keeps getting more difficult every day.  USAA canceled our credit card immediately so hopefully that stopped some of the bleed, for all of us with USAA.  We know this stuff happens all the time, but never in our years with USAA.  It's very comforting to know though, that USAA was so quick to act - via text.  We definitely heeded USAA's advice to change passwords.  A very good habit that we should be more diligent about in the future...

by jsfeeman on 04-23-2014 06:03 AM - last edited on 04-23-2014 03:14 PM by Community Manager

For my desktop access to USAA, I recently added the token thingy (yesterday) and changed my password. Today I get a popup for a Rapport report. I did not click on it but my research indicates it is a good security tool. Is this part of the USAA reply to the heartbleed breach? If so please let the members know to expect this popup and it is safe to click it and to leave it on their systems.

If not, then let the members also know that it needs to be removed from their systems asap.

Thanks

 

Thanks for your question. Trusteer Rapport is a service provided to members at no charge, and we encourage members to take advantage of it. It works with your current anti-virus software and web browser to provide comprehensive protection for your online banking. 

by Hellfighter6 04-26-2014 08:31 AM

In regard to the CyberCode Token.  I have an RSA SecurID token on my computer for work related programs.  Will having CyberCode Token cause any problems or interference with the RSA SecurID token?

by AWW88 04-26-2014 08:51 AM

Should I change my security questions (favorite sports team, etc.) as well as my password?

by Gym 04-27-2014 08:43 AM

Your email letter on the steps needed to counter Heartbleed raises a new question: When does it become wise to go back to the U.S. Postal (USPS) service?  You recommend the following steps, repeatedly:

1. Changing passwords on multiple devices
2. Use of "Cyber Code Tokens" for all pc's
3. Downloading another free security tool, to be updated again and again well into the foreseeable future
4. Learn multiple steps to protect ourselves from uncountable Phishing attacks
5. We need to stop clicking on links and attachments
6. Hurry to change passwords on all internet sites that we access
7. Change the answers to all of our security questions on all sites
8. Then change all of our security questions
9. Keep track of all of the above new ID's and passwords
10. Hide this new information somewhere around the house, but don't tell anyone where you hid it
11. Then if you pass away they will have to go back to USPS, and your security will be safe
12. Please let me know when it is time to change my social security number

Implicit in the above list is your apparent inability to monitor your own security or protect us, your clients. Apparently you are also indicting our Internet Service Providers (ISP), as well as our software operating systems and browsers. At what point will consumers start to lose confidence in their vendors?

How many of these threats are eliminated by the U.S. Postal service? Maybe we need some panic and urgency to appreciate the real value of the USPS?

by Jim Shell 04-28-2014 08:25 AM

I've installed Trusteer Rapport and started having problems with Firefox crashing and scrambling of text input to search engines (DuckDuckGo and Google) when used with Firefox or IE 11.  It may be just coincidental, but I don't think so.  I've shut down Trusteer and the scrambling problem stopped.  I understand Trusteer is very difficult to uninstall.

by Robbo 04-28-2014 08:49 PM - edited 04-28-2014 09:11 PM

You state that, "USAA’s zero liability policy helps protect members from fraudulent charges made on a USAA credit or debit cards." Yet in Sept. of last year you let through a fraudulent charge on my USAA MC, that left my account with insufficient funds to pay my ACH mortgage payment. I have spent six months trying to correct your accounting on my mortgage, literally spending well over a hundred hours of my time (and yours) and you have yet to do anything to correct your mistakes. Thousands of dollars of my money has gone to interest and almost nothing to principal. Your lack of action has ruined my credit rating. Therefore your statement on zero liability IS AN ABSOLUTE LIE. I'm a seriously angry member of 26 years. I'm not worried about a bug. I'm worried about what has happened to a once wonderful bank that now consistently delivers extremely poor customer service. It's a sad loss, but a TRUE loss.

You have almost worn me down, but I WILL NOT LET USAA STEAL THOUSANDS OF DOLLARS OF MY MONEY.

by janelaw 04-29-2014 01:30 PM

I just changed my password, again, last evening!  My debit card is still being rejected!  This is costing me a lot of money which I need or I would not be going through all of this time which is not my fault!  I have read all of what has been written two or three times; I don't have the time to play "hide and seek" when I have paid money for a web page, a site and commerce!  I think I should send an invoice to USAA for the estimated time and money this game of playing dancing passwords is really costing me!  Why do I have to play?  I don't want to play!  I have to work for a living!  Where do I send my invoice for reimbursement for the down time which I believe was uncalled for?  Thank you.

by HaX0r 04-29-2014 04:06 PM

I wish USAA would use something like Microsoft's two factor auth solution: http://azure.microsoft.com/mfa.  Rather than having to have an app installed on your PC/mobile device (compatibility issues etc.) Microsoft's solution can send you a text message or call your phone to authenticate.  A much better solution for multifactor authentication.

 

Disclaimer: I work for Microsoft

 

Disclaimer aside, my comments are genuine.  I would be happy to speak with someone at USAA should you want additional information.

by Joetallyho 09-06-2014 10:12 AM

TRUSTEER RAPPORT for iMAC - DO NOT INSTALL!

 

After install on my late 2013 iMac running 10.9.4, had problems with sleep/wake.  After about 3 hours of iMac being put to sleep either by time or manually, my iMac would crash (which has been never since new in Oct. 2013).  Now, it reports I do not have any WiFi hardware installed. Have to force shutdown and start-up on every occurrence (which was for every sleep mode). After many calls to Apple, no joy, now they want me to re-install the OS (easy to do, but many headaches reconfiguring most everything). But, I found an Apple Support Forum input which associated the same problems and ID'd to Trusteer install. I then removed it (but had to install newer version which contained the uninstall software).  All is good now, no sleep/wake issues, no false hardware notifications.

 

I looked for Trusteer on the Apple App Store and it is not there. So, that might give some indication this did not go through the normal Apple evaluation process and only offered direct from IBM.