04-09-2014 01:15 PM
For the latest update on the "Heartbleed" bug, read USAA Responds to Akamai Server Vulnerability.
USAA is aware of the “Heartbleed” Internet bug affecting many servers. USAA continuously monitors our systems, and we have no indication that they are at risk. USAA has taken, and continues to take, steps to mitigate any risks. A security patch was implemented for usaa.com earlier this week, and, although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13; the new certificates show a “valid from” date of April 10, 2014 and an expiration date of April 12, 2015.
However, these steps are only the first line of defense in our continuous program to protect against security risks. USAA has an aggressive fraud detection program and 24/7 monitoring of global threats – all of which are designed to detect any unauthorized activities using Heartbleed or any future threats.
Helping protect your personal and financial information is one of our top priorities — every day, 24/7.
Please see the Q&A below for more information about USAA’s response to the "Heartbleed" bug.
What should you do?
While there’s no indication of compromise, we recommend members periodically change their passwords, especially when there is a known vulnerability, and use a unique password for each site.
Additionally, we offer many services to strengthen your security, including:
- Defense against phishing — Every USAA email includes the USAA Security Zone stamp, which identifies a legitimate email from us: it shows your first and last name and the last four digits of your USAA number.
- Security software — Try Trusteer Rapport, provided by USAA, which works alongside your existing anti-virus software to block banking malware.
- Stronger logon features — We offer a variety of logon features, including two-factor authentication, that are stronger than a user ID and password alone.
- Password strength indicator — Use our online tool to check the strength of your passwords and get tips to make them even stronger.
Visit our Security Center to obtain these tools and learn more about protecting your personal and financial information.
Together, we'll remain vigilant to help protect your online security. You have our commitment to continuously enhance our security measures to help prevent cybercrime from happening to you.
Q: What is the “Heartbleed” bug, and is my information at risk?
A: “Heartbleed” is a flaw in OpenSSL, software that is widely used to secure connections to websites. USAA’s hosting provider for usaa.com implemented a security patch before the flaw was made public, and we continue to take steps to mitigate the risks associated with this bug. We have no indication that our systems are at risk, and we maintain a 24/7 monitoring center for all cyber threats. We have communicated with our members about how they can better protect themselves, and we continue to make information available on this issue on our News Center. We recommend members periodically change their passwords and use a unique password for each site.
Q: How does this affect sites that are connected with usaa.com in some way?
A: For member convenience, usaa.com features single-sign-on transfers to a very limited number of trusted websites, such as car rental companies. However, member login credentials are not transferred to those websites, only a “token” identifying that the user is a USAA member. We are contacting critical suppliers to ensure they are taking appropriate precautions for their systems.
Q: Does USAA use OpenSSL on its servers?
A: USAA’s hosting provider for usaa.com uses OpenSSL. However, they implemented a patch before the flaw was made public.
Q: If the flaw existed for more than two years, why does it matter if a patch was implemented before or after it became public?
A: It’s not clear whether this flaw was exploited before public notice of the “Heartbleed” bug, but there is evidence of attempted exploitation since the vulnerability was published. Because the patch was installed before the flaw became public, those later attempts would not affect usaa.com.
Q: What is a security certificate?
A: A certificate is a signed statement that binds a website’s name to its public key. Your browser uses it to verify that it is talking to the genuine site and to set up an encrypted connection with it.
Q: Did USAA have any exposed security certificates?
A: We have no indication that our security certificates have been compromised. However, as a prudent security measure, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates today show a valid date of April 10, 2014 and an expiration date of April 12, 2015.
Q: Why didn’t you update the certificate immediately?
A: Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and because the private keys behind our certificates are not generally stored in memory reachable through the “Heartbleed” bug, we followed normal protocols to ensure the maximum amount of validation and testing went into our new certificates and that members saw no disruption as a result of the replacement.
Q: How do you know member data was not exposed before the patch was implemented?
A: Because we implemented the patch before the “Heartbleed” bug was made public, the risk of exposure is extremely low. We have an extensive ongoing security monitoring effort in place to monitor and detect security threats, and we have no indication that our members’ data is at risk.
Q: Does USAA use Perfect Forward Secrecy?
A: Our hosting provider for usaa.com is currently testing Perfect Forward Secrecy and plans to roll it out this quarter. With forward secrecy, each session is encrypted under temporary keys, so a server’s private key, even if obtained later, cannot be used to decrypt previously recorded traffic.
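The two questions above about exposed certificates and about Perfect Forward Secrecy come down to checks a practitioner can actually run. The Go program below is an added example written for this page; it is not USAA’s code nor its hosting provider’s. It builds constructed self-signed certificates (the replacement reuses the validity dates the post quotes, April 10, 2014 to April 12, 2015; the hostname example.test and the older certificate’s dates are assumptions), checks that a replacement certificate postdates the public disclosure of Heartbleed (the OpenSSL advisory for CVE-2014-0160 on April 7, 2014) and, more importantly, that its public key actually changed, then runs two in-process TLS 1.2 handshakes to show what forward secrecy buys: with an RSA key exchange, a private key read out of server memory decrypts recorded sessions, while with ECDHE it does not.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Public disclosure of Heartbleed: the OpenSSL advisory for CVE-2014-0160, 7 April 2014.
var heartbleedDisclosed = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// mustCert builds a self-signed RSA certificate for the assumed host example.test; reusing a key
// across calls models a certificate re-issued without a new key pair. Panics only if creation fails.
func mustCert(key *rsa.PrivateKey, notBefore, notAfter time.Time) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// KeyRotated reports whether the replacement carries a different public key than the certificate it
// replaced. A new certificate over the old key buys nothing if that key was read out of server memory.
func KeyRotated(old, repl *x509.Certificate) bool {
	return !bytes.Equal(old.RawSubjectPublicKeyInfo, repl.RawSubjectPublicKeyInfo)
}

// ForwardSecret: every TLS 1.3 suite uses an ephemeral key exchange; in TLS 1.2 only (EC)DHE suites do.
func ForwardSecret(cs tls.ConnectionState) bool {
	if cs.Version >= tls.VersionTLS13 {
		return true
	}
	name := tls.CipherSuiteName(cs.CipherSuite)
	return strings.Contains(name, "_ECDHE_") || strings.Contains(name, "_DHE_")
}

// handshake runs an in-process TLS 1.2 handshake over net.Pipe, both sides limited to the given
// suites, and returns the connection state the client observed.
func handshake(cert tls.Certificate, suites []uint16) (tls.ConnectionState, error) {
	sConn, cConn := net.Pipe()
	defer func() { sConn.Close(); cConn.Close() }()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: suites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	errc := make(chan error, 1)
	go func() { errc <- srv.Handshake() }()
	// InsecureSkipVerify only because the certificate is self-signed; the key exchange is the point.
	cli := tls.Client(cConn, &tls.Config{InsecureSkipVerify: true, CipherSuites: suites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), <-errc
}

// Report holds the outcome of each check run by Run.
type Report struct {
	ReissuedAfterDisclosure, KeyRotated, SameKeyReissueRotated, RSAKexForwardSecret, ECDHEForwardSecret bool
}

// Run builds three constructed certificates (the replacement uses the dates the post quotes,
// 10 April 2014 to 12 April 2015) and exercises the checks against them.
func Run() (Report, error) {
	oldKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	newKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err := errors.Join(err1, err2); err != nil {
		return Report{}, err
	}
	old := mustCert(oldKey, day(2013, 4, 1), day(2014, 4, 1))       // the pre-Heartbleed certificate
	repl := mustCert(newKey, day(2014, 4, 10), day(2015, 4, 12))    // proper replacement: new key pair
	sameKey := mustCert(oldKey, day(2014, 4, 10), day(2015, 4, 12)) // pitfall: re-issued over the old key
	rsaKex, err1 := handshake(repl, []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256})
	ecdhe, err2 := handshake(repl, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
	if err := errors.Join(err1, err2); err != nil {
		return Report{}, err
	}
	return Report{
		ReissuedAfterDisclosure: repl.Leaf.NotBefore.After(heartbleedDisclosed),
		KeyRotated:              KeyRotated(old.Leaf, repl.Leaf),
		SameKeyReissueRotated:   KeyRotated(old.Leaf, sameKey.Leaf),
		RSAKexForwardSecret:     ForwardSecret(rsaKex), // false: a leaked RSA key decrypts recorded sessions
		ECDHEForwardSecret:      ForwardSecret(ecdhe),  // true: session keys never depend on the long-term key
	}, nil
}

func main() { fmt.Println(Run()) }
```

Against a real site you would feed `KeyRotated` the leaf certificates captured before and after the replacement (for example from an earlier TLS capture or a certificate transparency log) rather than constructed ones; a "valid from" date after April 7, 2014 alone only shows that a new certificate was obtained, not that the key pair was changed. The handshake helper pins both sides to TLS 1.2 because TLS 1.3 removed the non-forward-secret RSA key exchange entirely, which is why `ForwardSecret` treats any TLS 1.3 connection as forward secret.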
Q: What do individuals need to do?
A: While there’s no indication of compromise, it’s a good security practice to periodically change passwords and use a unique password for each site.
Q: Now that the patch has been implemented, does “Heartbleed” pose any threat going forward?
A: “Heartbleed” is an ongoing issue for a variety of websites. But USAA has taken steps to ensure usaa.com is protected, and we will continue to monitor for potential threats. However, we recommend members periodically change their passwords and use a unique password for each site.
Q: When was this bug patched?
A: Our usaa.com hosting provider patched the vulnerability over a period of several days prior to public notification of the “Heartbleed” bug.
Q: Is USAA doing anything else to ensure this is no longer a threat to member data?
A: We continue to monitor our systems 24/7 and collaborate with our suppliers to detect and stop threats. USAA is committed to protecting our members' personal and financial information.
Q: An online test site I used says USAA is possibly vulnerable to this bug. Is it?
A: We have no indication that our systems are at risk. A number of sites have been quickly developed by individuals to help consumers gauge the risks associated with the “Heartbleed” bug. Some of those sites give misleading answers, while others now reflect the steps we have taken to mitigate risks. USAA’s hosting provider for usaa.com implemented a security patch before the flaw became public, we have updated our certificates, and we continue to take steps to mitigate the risks associated with this bug.
Q: What member information was vulnerable as a result of the bug and for how long?
A: The software flaw in OpenSSL has existed since December 2011, but it was discovered only in recent weeks by security researchers and made public this week, after a patch had been implemented for usaa.com. Login credentials such as passwords for any website running a vulnerable version of OpenSSL could conceivably have been accessed before the flaw was addressed. However, there is no indication that this flaw was exploited prior to public notice of the “Heartbleed” bug.
Q: Why doesn’t USAA allow users to set longer and more complex passwords, to include passphrases?
A: We believe our current password strength is sufficient. We continually evaluate enhanced logon methods for members, including biometrics, multifactor authentication, and complex passwords. We have offered multiple options for two-factor authentication for several years.
Q: Are USAA’s mobile channels affected by this?
A: The same security patch that was implemented for usaa.com protects mobile as well.
Use of the term “member” or “membership” does not convey any eligibility rights for auto and property insurance products, or legal or ownership rights in USAA. Ownership rights are limited to eligible policyholders of United Services Automobile Association.