News Center

Updated: USAA Takes Measures Against “Heartbleed” Bug

04-09-2014 01:15 PM


For the latest update on the "Heartbleed" bug, read USAA Responds to Akamai Server Vulnerability

USAA is aware of the “Heartbleed” bug in the OpenSSL software used by many web servers. USAA continuously monitors our systems, and we have no indication that they are at risk. USAA has taken and continues to take steps to mitigate any risks. A security patch was implemented for usaa.com earlier this week, and, although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates now show a validity start date of April 10, 2014 and an expiration date of April 12, 2015.

However, these steps are only the first line of defense in our continuous program to protect against security risks. USAA has an aggressive fraud detection program and 24/7 monitoring of global threats – all of which are designed to detect any unauthorized activities using Heartbleed or any future threats.

Helping protect your personal and financial information is one of our top priorities — every day, 24/7.

Please see the Q&A below for more information about USAA’s response to the "Heartbleed" bug.

What should you do?

While there’s no indication of compromise, we recommend members periodically change their passwords, especially when there is a known vulnerability, and use a unique password for each site.

Additionally, we offer many services to strengthen your security, including:

  • Defense against phishing — Every USAA email includes the USAA Security Zone stamp. It is your guarantee that you have a legitimate email from us and includes your first and last name and the last four digits of your USAA number.
  • Security software — Try Trusteer Rapport, provided by USAA, which works with your existing anti-virus software to block malicious financial software.
  • Stronger logon features — We offer a variety of logon features, including two-factor authentication, that are stronger than a user ID and password alone.
  • Password strength indicator — Use our online tool to check the strength of your passwords and get tips to make them even stronger.

Visit our Security Center to obtain these tools and learn more about protecting your personal and financial information.

Together, we'll remain vigilant to help protect your online security. You have our commitment to continuously enhance our security measures to help prevent cybercrime from happening to you.

Q:  What is the “Heartbleed” bug, and is my information at risk?

A: “Heartbleed” is a flaw in software that is widely used to enable secure access to websites. USAA’s hosting provider for usaa.com implemented a security patch before the flaw was made public, and we continue to take steps to mitigate the risks associated with this bug. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. We have communicated with our members about how they can better protect themselves. We continue to make information available to members on this issue on our News Center. We recommend members periodically change their passwords and use a unique password for each site.

Q: How does this affect sites that are connected with usaa.com in some way?

A: For member convenience, usaa.com features single-sign-on transfers to a very limited number of trusted websites, such as car rental companies. However, member login credentials are not transferred to those websites, only a “token” identifying that the user is a USAA member. We are contacting critical suppliers to ensure they are taking appropriate precautions for their systems.


Q: Does USAA use OpenSSL to secure connections to its servers?

A: USAA’s hosting provider for usaa.com uses OpenSSL. However, they implemented a patch before the flaw was made public.

Q: If the flaw existed for more than two years, why does it matter if a patch was implemented before or after it became public?

A: It’s not clear whether this flaw was exploited prior to public notice of the “Heartbleed” bug, but there is evidence of attempted exploitation since public release of the vulnerability. Because the patch was installed before the flaw became public, recent attempts to exploit the bug would not affect usaa.com.

Q: What is a security certificate?
A: A certificate binds a website's name to its public key and is signed by a certificate authority, so a browser can verify it is talking to the genuine site. The matching private key stays on the server and is what lets the site prove its identity and set up the encrypted connection with the customer. The certificate itself is public; the private key is the secret that must be protected, which is why the standard remediation for “Heartbleed” is to patch and then reissue the certificate with a newly generated key.

Q: Did USAA have any exposed security certificates?

A: We have no indication that our security certificates have been compromised. However, as a prudent security measure, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates now show a validity start date of April 10, 2014 and an expiration date of April 12, 2015.

Q: Why didn’t you update the certificate immediately?
A: Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we followed normal protocols to ensure the maximum amount of validation and testing went into our new certificates to ensure we have no user disruption as a result of the replacement.

Q: How do you know member data was not exposed before the patch was implemented?

A: Because we implemented the patch before the “Heartbleed” bug was made public, the risk of exposure is extremely low. We have an extensive ongoing security monitoring effort in place to monitor and detect security threats, and we have no indication that our members’ data is at risk.

Q: Does USAA use Perfect Forward Secrecy?

A: Our hosting provider for usaa.com is currently testing Perfect Forward Secrecy (ephemeral key exchange, so that a later compromise of the server's long-term private key cannot be used to decrypt previously recorded sessions) and planning to roll it out this quarter.


Q: What do individuals need to do?
A: While there’s no indication of compromise, it’s a good security practice to periodically change passwords and use a unique password for each site.

Q: Now that the patch has been implemented, does “Heartbleed” pose any threat going forward?

A: “Heartbleed” is an ongoing issue for a variety of websites. But USAA has taken steps to ensure usaa.com is protected, and we will continue to monitor for potential threats. However, we recommend members periodically change their passwords and use a unique password for each site.

Q: When was this bug patched?
A: Our usaa.com hosting provider patched the vulnerability over a period of several days prior to public notification of the “Heartbleed” bug.

Q: Is USAA doing anything else to ensure this is no longer a threat to member data?

A: We continue to monitor our systems 24/7 and collaborate with our suppliers to detect and stop threats. USAA is committed to protecting our members' personal and financial information.

Q: An online test site I used says USAA is possibly vulnerable to this bug. Is it?

A: We have no indications that our systems are at risk. A number of sites have been quickly developed by individuals to help consumers gauge the risks associated with the “Heartbleed” bug. Some of those sites give misleading answers, while other sites now reflect the steps we have taken to mitigate risks. USAA’s hosting provider for usaa.com implemented a security patch prior to the flaw becoming public, we have updated our certificates and we continue to take steps to mitigate the risks associated with this bug.

 

Q: What member information was vulnerable as a result of the bug and for how long?

A: The software flaw in OpenSSL has existed since December 2011, but it was discovered only in recent weeks by security researchers and made public this week, after a patch was implemented for usaa.com. Login credentials such as passwords for any web site using a vulnerable version of OpenSSL could conceivably have been accessed before the flaw was addressed. However, there is no indication that this flaw was exploited prior to public notice of the “Heartbleed” bug.

Q: Why doesn’t USAA allow users to set longer and more complex passwords, to include passphrases?

A: We believe our current password strength is sufficient. We continually evaluate enhanced logon methods for members including biometrics, multifactor authentication, and complex passwords.

We have offered multiple options for two-factor authentication for several years.

Q: Are USAA’s mobile channels affected by this?

A: The same security patch that was implemented for usaa.com protects mobile as well.

204310-0414

Use of the term “member” or “membership” does not convey any eligibility rights for auto and property insurance products, or legal or ownership rights in USAA. Ownership rights are limited to eligible policyholders of United Services Automobile Association.

Comments
by Gauntowl 04-09-2014 01:57 PM
Thanks to Gabriel for a very quick and thorough job of running down USAA's response to this threat. Within hours of my learning about it on NPR and calling the office of the CEO the USAA News release was published. Nice work, guys!
by Arlington4 04-09-2014 03:29 PM - edited 04-09-2014 03:32 PM

Shouldn't USAA send a notice to all Web site users to change their logon? In my review of the Heartbleed flaw, I have learned that, since 2011, information could be compromised with NO audit trail or evidence of the compromise left.

The source of my information is here: http://heartbleed.com/ . This information is from the supplier of the software in question.

I have changed my logon, and I advise all USAA site users to do the same because your information could already be compromised without any knowledge of that by USAA or yourself.

by Darth Rater on 04-09-2014 05:42 PM - last edited on 04-11-2014 12:44 PM by Community Manager

You are missing the 2nd step, which is revoking the current certificate and purchasing a new one. The job is only half done!

Thank you for your comment. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by fjamied on 04-09-2014 07:02 PM - last edited on 04-11-2014 11:15 AM by Community Manager

Yes,

Lord Rater is correct. Part of the flaw means that the attackers could have extracted your site certificate which holds the key to authenticating usaa as the terminating end of a web connection.

Until you revoke your current cert and replace it - someone who has stolen your cert can anonymously intercept transactions and extract passwords from users regardless of how many times they change them!!!

YOU MUST GET A NEW CERTIFICATE to complete your security measures.

Thank you for your comment. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by NSSGuy 04-10-2014 04:17 AM
At 7:10 am EDT on Apr 10, a testing resource linked by the New York Times reported that usaa.com is still vulnerable, showing the results of their test, while chase.com and mail.google.com were secure. Has anyone seen hard data from USAA, other than assurances, demonstrating that changing passwords now won't simply be immediately available to interested hackers?
by TomInDallas 04-10-2014 05:45 AM

In addition to USAA updating its own certificate(s), USAA should reach out to VeriSign to ascertain whether the root certificate servers were vulnerable. If they were, VeriSign needs to revoke/reissue root certificates.

by wve on 04-10-2014 07:49 AM - last edited on 04-11-2014 09:52 AM by Community Manager

This article is not helpful.

USAA: You normally do such a good job of taking care of us. This article isn’t an example of that. You need to be clear about whether or not you were affected and when you fully corrected the issue. This isn't a military briefing; you don't get points for being vague!

Please answer these questions so I know if and when I should change my password:

USAA Affected: Yes/No

Has it been fixed: Yes/No

Have new SSL certs (Private key) been installed: Yes/No

When was it fixed: Date

Thank you,

Concerned banking and insurance customer

Thank you for your feedback and questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. USAA’s hosting provider for usaa.com uses OpenSSL. However, they implemented a patch before the flaw was made public. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by DeeDub918 on 04-10-2014 07:54 AM - last edited on 04-11-2014 11:20 AM by Community Manager

I've asked these questions twice directly to USAA, have only received obfuscated responses, and a link to here.

1) Does USAA use OpenSSL and if so was USAA exposed to the bug outlined in CVE-2014-0160 and if so has it been fixed?

2) Does USAA recommend that I change my password based on the risks in CVE-2014-0160?

Thank you for your comment. USAA’s hosting provider for usaa.com uses OpenSSL. However, they implemented a patch before the flaw was made public. We have taken steps to ensure usaa.com is protected, and we will continue to monitor for potential threats. We recommend members periodically change their passwords and use a unique password for each site.

by peterose 04-10-2014 09:35 AM

wve has it exactly right. USAA's response to date is horribly incomplete. Here is an article that explains it more deeply:

http://www.pcworld.com/article/2141602/the-heartbleed-bug-and-you-a-users-guide.html

by dnet on 04-10-2014 11:56 AM - last edited on 04-11-2014 11:23 AM by Community Manager

USAA still needs to get a new SSL certificate, as echoed by other comments here. Please see LastPass' tool that checks sites for Heartbleed: https://lastpass.com/heartbleed/?h=usaa.com

Site: usaa.com

Server software: IBM_HTTP_Server

Vulnerable: Possibly (might use OpenSSL)

SSL Certificate: Unsafe (created 1 year ago at Feb 4 00:00:00 2013 GMT)

Assessment: Wait for the site to update before changing your password

Thank you for your feedback and questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. USAA’s hosting provider for usaa.com uses OpenSSL. However, they implemented a patch before the flaw was made public. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by Sparticuz on 04-10-2014 12:27 PM - last edited on 04-11-2014 11:24 AM by Community Manager

Please update your SSL Certificate USAA! All of us want to change our passwords, but it would be useless unless you change your SSL Cert AFTER you patch OpenSSL...

Thank you for your feedback and questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by Mrs. MdO 04-10-2014 02:46 PM

dnet is correct. I just attended a webinar about Heartbleed given by the SANS Institute in which they made an example of USAA by showing their horribly incomplete statement (written most likely by a PR person and not someone who has a technical background), but then showed us that the last time USAA issued their SSL cert was in 2012!! WTF!!

REISSUE YOUR CERT, USAA!!!!!

by DrDrew 04-10-2014 03:04 PM

Even if they get a new SSL certificate, USAA has other security problems. Such as--why a 12-character limit to passwords, USAA?? C'mon, it's well known that the single biggest factor in making a secure password is its length. Limiting users to 12 characters, regardless of what kind of characters are allowed, is yet another potential security breach. Two-factor authentication helps, but only if VeriSign's servers were secure.....

by Garylben on 04-10-2014 05:02 PM - last edited on 04-11-2014 11:30 AM by Community Manager

I'm disappointed in this release for two reasons.

First, it is at least 24 hours late in coming and is buried deep in the website. I had to put some effort into finding it! It should have greeted me on the logon page.

Second is the language. It is dismissive, minimizing, and unclear. It reminds me of the "stuff" we'd see from middle ranking career civilians at the Pentagon, not the kind of information commanders on the ground would provide their troops before a mission.

Here's what I think you may be trying to say. Please tell me if I missed something somewhere.

1. Heartbleed is a serious security flaw affecting an enormous part of the internet community, including many of the biggest players in the arena.

2. The flawed product has been in use at USAA as well.

3. We became aware of the flaw and have now patched it. USAA is again secure.

4. No-one can know for certain if user data at USAA may have been compromised. We have no specific reason to think it has, but cannot be certain.

5. Since we have now patched the flaw, USAA's site is secure again. We recommend that EVERYONE, out of an abundance of caution, change their password immediately. (It would also be nice if you'd include a date/time of when the patch was installed, since some early reactors may have changed passwords before you patched.)

USAA serves a military community, or a community fostered by military. We are used to direct communication and are suspicious of BS and those that distribute it. We need to remember our roots.

Thank you for your feedback, Garylben. We updated our article shortly after you published this comment. Please let us know if you still have any concerns. We endeavor to keep our members informed.

by q`Tzal on 04-10-2014 05:46 PM - last edited on 04-11-2014 06:40 PM by Community Manager

We'll actually need to know that specific tasks were completed, like issuing a new certification for the site AFTER the problems have been fixed. Users changing passwords and even issuing a new cert are a waste of effort if the same flaw that compromised them to begin with hasn't been resolved. Telling users not to worry after changing your password smacks of the writer not being aware of the scope of the problem. Truth be known, most of the IT community is still scrambling back from this breach just to get visual perspective on everything that could have been affected. USAA: please hold off on the platitudes and give us real information.

q'Tzal We understand your concerns. Here's some real information...

We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates. Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement.

by dancebert 04-10-2014 06:20 PM

"We know what it means to serve." Not in this case.

by Rtom on 04-10-2014 06:40 PM - last edited on 04-11-2014 06:37 PM by Community Manager

Still possibly insecure, according to the LastPass Heartbleed checker:

Site: usaa.com
Server software: IBM_HTTP_Server
Was vulnerable: Possibly (might use OpenSSL)
SSL Certificate: Possibly Unsafe (created 1 year ago at Feb 4 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password

Come on, USAA, you are failing us!

We understand your concerns. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates. Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement.

by realold 04-10-2014 06:55 PM

another checker gives another result ?

https://www.ssllabs.com/ssltest/

for

https://www.usaa.com

lastpass may be wrong

by Jiyu 04-10-2014 07:07 PM - edited 04-10-2014 07:09 PM

Actually, Lastpass seems to be noncommittal, and apparently isn't sure about anything and so is just playing it safe:

Site: usaa.com

Server software: IBM_HTTP_Server

Was vulnerable: Possibly (might use OpenSSL)

SSL Certificate: Possibly Unsafe (created 1 year ago at Feb 4 00:00:00 2013 GMT)

Assessment: Wait for the site to update before changing your password

As realold noted, Qualys SSL labs gives USAA a passing (but not perfect) score:

Overall Rating: A-

Certificate: 100%

Protocol Support: 90%

Key Exchange: 90%

Cipher Strength: 90%

https://www.ssllabs.com/ssltest/analyze.html?d=usaa.com

A third checker called filippo (recommended by PC Magazine along with the last two) also gives USAA a passing grade:

"All good, usaa.com seems fixed or unaffected!"

http://filippo.io/Heartbleed/

by fjamied 04-10-2014 07:23 PM

Jiyu,

1. The ssllabs isn't testing specifically for the Heartbleed vulnerability - just for ssl security in general. Prior to 1 week ago - it was an OK rating - after the announcement of Heartbleed - it's incomplete.

2. filippo's check is just checking to see if the server has been patched - it doesn't tie in the age of the certificate.

3. The fact that USAA *was* vulnerable for an indeterminate length of time, and that it hasn't recently updated its certificate - means that an attacker could have been targeting places like usaa for weeks, months even and heartbleeding them continuously until they extracted valuable information. This may have given them enough time to get "the key to the usaa kingdom", their server certificates.

With these keys they can wreak all kinds of havoc in the future - WITHOUT ANYONE KNOWING until it's too late.

4. Yes - it's uncertain, we don't know if it happened, just that it's possible. As long as the possibility exists - USAA must do like all other responsible banking/credit card institutions are doing and revoke/replace their certificates.

by Jiyu 04-10-2014 08:24 PM

Fjamied,

I understand what you are saying, and it makes sense to me. But according to Qualys SSL Labs, they DO specifically check for the Heartbleed bug (although they list their test as "experimental."), and they say USAA.com is NOT vulnerable to it. They also explain the A- rating is because USAA.com does not support Forward Secrecy as of yet. If you go to the link I provided and scan USAA.com, in addition to the ratings I listed, you see the following footnotes:

This server is not vulnerable to the Heartbleed attack. (Experimental)
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. MORE INFO »

I don't know exactly what filippo is checking, but it claims to be a specific check for Heartbleed vulnerability.

So what you say about the certificate doesn't seem to be considered a serious risk by these professional security sites. While what you say makes sense to me (I'm not a cybersecurity professional, maybe you are), it doesn't make sense that so many security and computer sites and blogs would be recommending these checkers if the checkers don't know what they are talking about. Either you are wrong, or all of them are wrong, and I can't tell which is more likely. All I know for sure is that two of the three sites say USAA.com is not vulnerable to Heartbleed, and the third says it just doesn't know. Do you have other checker sites that we can try to verify vulnerability?
by Jiyu on 04-10-2014 08:27 PM - last edited on 04-11-2014 10:27 AM by Community Manager

Is anyone from USAA monitoring these boards? If so, how about answering the concerns of your customers? Have you changed your certificate, or are you going to? When? Can we safely use the site or not?

Thank you for your questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates. While there’s no indication of compromise, it’s a good security practice to periodically change passwords and use a unique password for each site.

by EvilScott 04-10-2014 10:14 PM

The sky is not falling.

You have no reason to panic and get emotional.

If you are concerned, then change your username and password.

by TerryLT 04-11-2014 04:26 AM

Disappointed in this response from USAA. Just because the flaw was not public knowledge does not mean there was no risk. The dismissive nature of their response is not what I want to see from my bank.

by realold 04-11-2014 04:41 AM - edited 04-11-2014 05:02 AM

A group I used to follow security issues, with an ongoing and interesting discussion. I would suggest that Qualys "might" be regarded as the expert group on SSL in general.

http://www.dslreports.com/forum/r29162555-Heartbleed-zero-day-critical-bug-in-OpenSSL

by fjamied on 04-11-2014 05:17 AM - last edited on 04-11-2014 11:36 AM by Community Manager

http://www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now

See this Link. It's a recommendation from Symantec, owner of Verisign, the Certificate Authority that USAA uses.

The guys who make the certificates - say

"

  • Businesses should also replace the certificate on their web server after moving to a fixed version of OpenSSL."

No more research necessary.

Thank you for your feedback and questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by Sparticuz on 04-11-2014 06:39 AM - last edited on 04-11-2014 11:38 AM by Community Manager

@EvilScott: This statement is incorrect.

[quote]If you are concerned, then change your username and password.[/quote]

If any entity got the private key to USAA's SSL certificate. (Which was possible in the 64k of private memory space), then ANY password from 12/04/2012 to 12/06/2014 will be compromised. This INCLUDES ANY password changes made until 12/06/2014.

USAA needs to take steps to fix this.

1) It seems like, according to the statement, that if USAA was vulnerable, then OpenSSL has been patched.

2) USAA needs to not only get a new SSL certificate, but also REVOKE the current one.

Then and ONLY then, will the heartbleed problem be mitigated.

Thank you for your feedback and questions. We have no indication that our systems are at risk and maintain a 24/7 monitoring center for all cyber threats. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

by Sparticuz 04-11-2014 06:46 AM

Looks like USAA is in the process of getting new certificates

https://twitter.com/USAA_help/status/454474447677046784

by NOS USMC on 04-11-2014 07:47 AM - last edited on 04-11-2014 06:29 PM by Community Manager

------------------------------------------------------------------------------------
by Sparticuz 04-11-2014 06:46 AM Looks like USAA is in the process of getting new certificates https://twitter.com/USAA_help/status/454474447677046784
------------------------------------------------------------------------------------

So, that was last night. Where are we now? I'd really like to change my password, and it be, you know, useful.

I agree with many other posters in here: this current statement is entirely dismissive and does not impress me.

There are known attempts to utilize this security hole in server logs dating back to November.

We need USAA to be very clear:

1) When was this bug patched?

2) When was the new certificate updated? (once it has been!)

3) When was the old one revoked?

Also, I would recommend that USAA offer even higher levels of security in the future:

a) There are known methods of securing against long-running certificate and other security problems - perfect forward secrecy: https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy

b) Allow users to set longer and more complex passwords, to include passphrases.

c) Allow two-factor authentication!

While trusted computers is a nice feature, it is more annoying than anything. I only use four devices to access my USAA account, but I have had to "update my security preferences" to add "new devices" countless times. Two factor authentication could eliminate that problem. It would also have negated any Heartbleed vulnerabilities. Hackers may have gotten our passwords, but they didn't have our phones/computers. Sure, we'd have to update our passwords anyway, but at least our accounts wouldn't be vulnerable for 2 years!

Concerned-and-looking-elsewhere-20plus-year-USAA-banker!

Daniel

Daniel, look no further. We are listening to your concerns and striving to give you the best support, 24/7.

Our usaa.com hosting provider patched the vulnerability over a period of several days prior to public notification of the “Heartbleed” bug.

We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates. Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement.

Currently, our service provider does not offer Perfect Forward Secrecy. We have been working with them closely to implement this feature, and it’s scheduled for release in the 2nd Quarter of 2014.

We believe our current password strength is sufficient. We continually evaluate enhanced logon methods for members including biometrics, multifactor authentication, and complex passwords. We have offered multiple options for two-factor authentication for several years.

by Sparticuz 04-11-2014 08:51 AM

Daniel, USAA does currently offer 2-factor auth. Check it out: https://www.usaa.com/inet/pages/security_token_logon_options

by sea_compgeek 04-11-2014 11:46 AM - edited 04-11-2014 11:46 AM

The suggestion to change your password before the SSL certificates have been regenerated is not correct. There is no way for USAA to be sure they were not compromised and the indication that they patched means they had the vulnerability. (Details about the flaw: http://heartbleed.com/)

I would suggest enabling 2-factor in the meantime to reduce the risk. Hopefully USAA regenerates their certificates and then notifies all customers to change their passwords and suggests 2-factor at the same time.

Details on 2 factor options can be found here: https://www.usaa.com/inet/pages/security_token_logon_options

by netwrkr on ‎04-11-2014 12:55 PM - last edited on ‎04-11-2014 06:23 PM by Community Manager

Q: Did USAA have any exposed security certificates?           

We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates.

Why hasn't this happened already?

You state you had advanced notice to patch OpenSSL, thus you also had more time than others to revoke the existing certificates and issue new ones. Why are you dragging your feet to do so? You've only fixed part of the problem. Do you really think this vulnerability hasn't been known by select groups for years now and actively used to exploit? Are you really that naive?

As someone who oversees a global enterprise MUCH larger than that of USAA's, I'm disgusted in USAA's feet dragging. Your CIO/CISO should be fired for not taking this more seriously. USAA is being irresponsible with the protection of our money and private data.

 

Thank you for expressing your concerns with us. We are striving to give you the best support, 24/7. We have no indication that our security certificates have been compromised. However, as a prudent security measure, we are in the process of updating our certificates. Updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement.

by Matt in Ohio on ‎04-11-2014 01:54 PM - last edited on ‎04-11-2014 06:12 PM by Community Manager

I can't believe USAA is still "in the process of updating their certificates". USAA should be leading the way, but they are not. Also, I just changed my password and there is still a limit of 12 CHARACTERS! This was a limit from over a year ago. I cannot believe this is still a limitation. This is insane and USAA rates a 12 digit password as "superior". This is a myth. A graphics card can practically crack a 12 digit password ... and that was a year ago. USAA needs a wake up call. Maybe I should consider a bank that values security more. I never thought I would consider that, but a 12 digit password limit is indefensible. I run linux so I can't use their Cybercode Token. I use lastpass so a long password is the best, most convenient option for me.

 

Hi Matt,

We understand your concerns, but know that updating certificates is a significant process that must be managed carefully. Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement.

 

We believe our current password strength is sufficient. We continually evaluate enhanced logon methods for members including biometrics, multifactor authentication, and complex passwords. We have offered multiple options for two-factor authentication for several years. 

 

by Sunny in California on ‎04-11-2014 04:26 PM - last edited on ‎04-11-2014 06:08 PM by Community Manager

I agree that the password should not be limited to 12 digits. Please allow more!

 

Hi Sunny, 

We continually evaluate enhanced logon methods for members including biometrics, multifactor authentication, and complex passwords. In fact, we have offered multiple options for two-factor authentication for several years. We understand your concerns, but  we believe our current password strength is sufficient. 

 

by Gawain on ‎04-11-2014 04:47 PM - last edited on ‎04-12-2014 08:31 AM by Community Manager

USAA,

 

Would you please share if the necessary updates have been made to the USAA mobile apps for iOS, Android and Windows Phone?

Thank you for your question. The same security patch that was implemented for USAA.com protects mobile as well.

by Get a New SSL Cert! ‎04-11-2014 06:08 PM

You haven't updated your certificate yet.  This is ridiculous.  Your customers are vulnerable until you do.

 

For you to say that you have "no indication that our security certificates have been compromised" as justification for your failure is absurd.  The entire point about heartbleed is that NO ONE REALLY KNOWS WHAT HAS OR HAS NOT BEEN COMPROMISED.  Heartbleed leaves almost no traces.

 

If your keys were stolen, everything can continue to be decrypted.

by Get a New SSL Cert! on ‎04-11-2014 06:09 PM - last edited on ‎04-11-2014 06:43 PM by Community Manager

@EvilScott

"If you are concerned, then change your username and password."

 

That doesn't do anything if the SSL keys were compromised already.

 

USAA has no indication that our security certificates have been compromised.  However, as a prudent security measure, we are in the process of updating our certificates. Updating certificates is a significant process that must be managed carefully.  Because we have no indication that our certificates were ever compromised, and our certificates are not generally stored in an area that is accessible via the “Heartbleed” bug, we are following normal protocols to ensure the maximum amount of validation and testing go into our new certificates to ensure we have no user disruption as a result of the replacement. 

by txbbqman ‎04-12-2014 03:54 AM

AND....where is TRUSTEER in all this?

by dsds ‎04-12-2014 05:59 AM - edited ‎04-12-2014 06:01 AM

Though I commend USAA for its world class security monitoring operations, the nature of this vulnerability implies that any and all member information could have possibly been collected for the past 2 years this bug was unknown to the public. For those of us who have been long time members, you can assume any information that is readily viewable in USAA's web application could have potentially been disclosed, to include:

 

- bank account numbers (noticed that numbers have been pseudo-obfuscated, not sure if it's a recent change... but your billpay check images are still fair game and have all the information an attacker would need)

- banking history

- banking pins

- security question answers

- PII (addresses, phone numbers, email addresses, etc.)

- biller information (i.e., from billpay)

- billing account numbers

- this is just banking & billpay, but USAA offers over 150 services that could have been targeted (e.g., insurance, investments, credit cards, real estate, etc.)

 

Why is this a fair assumption? Any data rendered in the web browser is sent via encrypted web socket channels that are protected by, you guessed it, OpenSSL. This includes any data you send from your computer as well as the data received back from the web server.

 

Seems like most of the commenters here are so up in arms about being able to log back into USAA securely (i.e., reissuing CA certs against all USAA related domains) that they are failing to see that significant damage has already taken place. The information above is critical personal information that is not easy or impossible to replace or change. Only time will tell how much of this data has been gathered to perpetrate identity theft, etc. outside of our membership with USAA.

 

FYI, public key certificates are important in third party verification of claimed identity, i.e., is this the real USAA site or an impersonator (also called a man-in-the-middle attack)? Disclosure of the associated private key would mean malicious actors would be able to decrypt otherwise secured communications with USAA services. Changing these certificates would ensure no further data collection could be performed, but means absolutely nothing for the information already collected.
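Two things in this thread can be checked mechanically rather than argued about: whether a site's certificate was actually reissued after the disclosure (the point made here and in several posts above), and whether a stolen private key would let recorded traffic be decrypted, which is the Perfect Forward Secrecy item in USAA's reply and the "everything can continue to be decrypted" worry a few posts up. The Go program below is an added example written for this page; it is not code from the thread, from USAA or from any vendor named here. It builds a constructed self-signed certificate for the made-up host usaa.example (constructed serial and dates), reports whether its validity start falls on or after the 7 April 2014 public disclosure of CVE-2014-0160, and then runs an in-process TLS 1.2 handshake twice over a net.Pipe, once with RSA key exchange (not forward secret: whoever holds the server key can decrypt a recorded session) and once with ECDHE, reporting which one is forward secret. If a newer Go toolchain declines the RSA key-exchange suite, that handshake is printed as refused rather than treated as an error.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// HeartbleedDisclosed is the public disclosure date of CVE-2014-0160 (7 April 2014).
var HeartbleedDisclosed = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)

// ReissuedAfter reports whether cert's validity period starts on or after since.
func ReissuedAfter(cert *x509.Certificate, since time.Time) bool {
	return !cert.NotBefore.Before(since)
}

// ForwardSecret reports whether a completed handshake used an ephemeral key exchange, so a
// later theft of the server's private key cannot decrypt recorded traffic (TLS 1.3: always).
func ForwardSecret(st tls.ConnectionState) bool {
	if st.Version >= tls.VersionTLS13 {
		return true
	}
	return strings.HasPrefix(tls.CipherSuiteName(st.CipherSuite), "TLS_ECDHE_")
}

// selfSigned is a constructed fixture: a self-signed RSA certificate for the made-up host
// usaa.example, valid one year from notBefore. Demo only, so it panics on failure.
func selfSigned(notBefore time.Time) (tls.Certificate, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()), // constructed serial
		Subject:      pkix.Name{CommonName: "usaa.example"},
		DNSNames:     []string{"usaa.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// handshake runs an in-process TLS 1.2 handshake over net.Pipe with exactly one cipher
// suite offered on both sides and returns the client's view of the result.
func handshake(cert tls.Certificate, leaf *x509.Certificate, suite uint16) (tls.ConnectionState, error) {
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MaxVersion:             tls.VersionTLS12,
		CipherSuites:           []uint16{suite},
		SessionTicketsDisabled: true, // no extra server write, so the synchronous pipe cannot deadlock
	}
	cli := &tls.Config{
		RootCAs:      pool,
		ServerName:   "usaa.example",
		CipherSuites: []uint16{suite},
	}
	c, s := net.Pipe()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(s, srv).Handshake() }()
	client := tls.Client(c, cli)
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	if err := <-errc; err != nil {
		return tls.ConnectionState{}, err
	}
	return client.ConnectionState(), nil
}

func main() {
	_, old := selfSigned(time.Date(2013, time.April, 1, 0, 0, 0, 0, time.UTC))
	cur, leaf := selfSigned(time.Now().Add(-time.Hour))
	fmt.Println("2013 certificate reissued after disclosure:", ReissuedAfter(old, HeartbleedDisclosed))
	fmt.Println("current certificate reissued after disclosure:", ReissuedAfter(leaf, HeartbleedDisclosed))
	for _, suite := range []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} {
		st, err := handshake(cur, leaf, suite)
		if err != nil {
			fmt.Printf("%s: handshake refused: %v\n", tls.CipherSuiteName(suite), err)
			continue
		}
		fmt.Printf("%s: forward secret = %v\n", tls.CipherSuiteName(st.CipherSuite), ForwardSecret(st))
	}
}
```

The NotBefore check is deliberately the weakest useful test: a certificate issued before the disclosure date cannot have been reissued in response to it, but a later date alone does not prove the private key was also regenerated, which is why the thread keeps asking for an explicit statement. The handshake half shows why the forward-secrecy setting matters independently of reissuance: with RSA key exchange the session key is encrypted to the server's long-term key, so a leaked key decrypts captured traffic; with ECDHE it is not.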

by lost50s ‎04-12-2014 07:23 AM

Cut to the quick, USAA: let us know publicly when the CA's are changed. You have known for several days. As many have pointed out, the intentionally deceptive statement (made by corporate marketeers whose knowledge is only how to save their behinds) "USAA has no indication that our security certificates have been compromised."

USAA has PLENTY of such indications - many on here, and in the clear online references where knowledgeable investigators have concluded USAA is one of the VERY WORST players. For you to keep parroting this nonsensical phrase is tantamount to admission of dishonesty and incompetence.

 

I am investigating moving ALL of our insurance and investments OUT OF USAA, unless this corporate posturing ends.

by KB1JCY ‎04-12-2014 07:55 AM

I'm a systems administrator and have been patching OpenSSL and replacing our SSL certs for the past two days. I advised our users to follow the password guidelines in this XKCD comic strip (http://xkcd.com/936/) when changing their passwords because it creates a mathematically complex password while making the password easy to remember. However I can't do this with my USAA online account and had to use a gibberish password that with my ADHD brain will easily forget. Currently I'm storing my new USAA password using the KeePass password manager but when using my smartphone, I don't easily have KeePass available or it's awkward to use. You speak of "complex passwords" but I'm not allowed to use a password based upon a phrase of random words that is easy to remember while being more secure than the prevailing conventional wisdom on passwords that dates to the 1990s.

by SJN ‎04-12-2014 07:57 AM

I have to agree with the many posts above, I am disappointed in the response being provided.

 

There should be a public, that is on the home page, announcement of where the site stands in regard to the risk mitigation process.

BZ for replacing the flawed code quickly

As for not replacing the certificates, come on, those are easier to test and replace than the OpenSSL code that needed to be fixed.

What seems to be a lack of transparency in the process is earning the company some well deserved bashing.

 

Bottom line, even if you believe that there is no threat, the rest of us do believe there is a threat, and in cases such as this perception is reality.

Replace the certificates, increase the allowed password length, and treat this as if it is the most important security issue you have because you have customers publicly stating they are going to leave if this is not done.

 

by ScottyPcGuy03 ‎04-12-2014 08:31 AM - edited ‎04-12-2014 08:35 AM

@KB1JCY That's actually a bad idea. Such passwords are vulnerable to a combinator attack. See: http://hashcat.net/wiki/doku.php?id=combinator_attack

 

by JPrime on ‎04-12-2014 02:42 PM - last edited on ‎04-13-2014 04:28 PM by Community Manager

So we keep getting some version of this response: "USAA has no indication that our security certificates have been compromised. ..."

 

But USAA wouldn't see 'indications' of this - we users would. The problem is that several days after this issue became public (and apparently some even longer amount of time since USAA was first made aware of it) this site is still using its old SSL certificates! And we now know that private keys are vulnerable to snooping by Heartbleed: Engadget: Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

 

If anyone managed to steal the private keys to the USAA servers, it would be the users who would be vulnerable to redirects to fake websites posing as the USAA site. USAA wouldn't hear about it until the affected users started to report the effects of such a fraud. And it's not enough to simply get new certs - the old ones must be revoked so that anyone who had access to the old certs could not simply get their own new certs from the issuer. With many tens of thousands of new certs being created in the last few days, the potential for such a mistake of oversight by the issuers is not to be dismissed.

 

JPrime, thank you for your comment, and we understand your concerns. Although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates today show a valid date of April 10, 2014 and an expiration date of April 12, 2015. Helping protect your personal and financial information is one of our top priorities — every day, 24/7. 

by mbr70 ‎04-12-2014 05:21 PM

No single method for providing security, including recertification, can protect against all today's sophisticated threats.  In many cases, and it appears this is one of them, tunneling into a secure site is only going to become known long after the threats have accomplished whatever they want to do.

 

On the other hand, any hacker is unlikely to penetrate many good layers of security.  Many good multiple layers -- including common-sense vigilance by a good security team -- are likely better than a single layer thought to be impregnable.

 

I'd like to think USAA's multiple layers are an example of such layering.

 

Still, in addition to periodically changing your passwords, it's not a bad idea to visually check each one of your statements so you can add yet another layer to an already good system.

by Long Member ‎04-13-2014 05:11 AM - edited ‎04-13-2014 05:59 AM

Comment from a security analyst about what properly managed enterprises are doing:

The latest heartbleed OpenSSL vulnerability CVE-2014-0160 is again a re-affirmation that using NON-certified security modules for enterprise security is a really bad idea.

 

The problem is not the intent or implementation,  The problem is the premise. 

 

You cannot rely on open source libraries (or vendors that use them) to secure any enterprise.

The remediation solution for this issue, and any others like it, are surprisingly simple.

 

Technology has been on the market for many YEARS that provides secure reverse-proxy capability with industry-hardened and certified security technology. 

 

A prominent and widely adopted example of these solutions is the Forum Sentry API Security Gateway from Forum Systems.  

 

They have uniquely achieved both FIPS and NDPP certifications on the platform. 

 

However, only 12 point password limitation represents old 1990s technical thinking.

by margaretm ‎04-14-2014 09:37 AM

I'm late to the party here, but I want to share my disappointment with this response. I have always had a very good impression of USAA's approach to security and your efforts to educate members about threats from phishing etc. Despite the inconvenience, I really appreciated that you proactively canceled and reissued my MasterCard in the wake of the Target security breach.

 

USAA's actual response to the Heartbleed issue was reasonably well handled – patch the vulnerable software, revoke and update the certs (granted this could have been done sooner). But your communications around it have been an exercise in coverup, misdirection and outright deceit.

 

Coverup: First, I would have expected an email detailing USAA's plan to deal with the problem and letting me know when I should change my password. Then I would have expected a splash/redirect from the home page of usaa.com with the same information. Once the certs were reissued I would have expected another email and splash page forcing me to reset my password. Instead there's this page, containing repeated misleading descriptions of the problem, buried three links deep.

 

Misdirection and deceit: It is DISHONEST AND DANGEROUS to repeat over and over that you "have no indications" of a security breach. Per countless informed descriptions of the problem, there is no way that you would have such an indication. I appreciate that you have 24/7 monitoring and multi-factor authentication and so forth. I really do. THAT DOESN'T ADDRESS THE PROBLEM, and, much worse, repeating that irrelevant information encourages a false sense of security in your members.

 

It is painfully obvious that this response is an attempt to dismiss the problem rather than owning it. I doubt anybody would blame USAA for being exposed to Heartbleed – half the Internet had the same issue. But the failure to communicate responsibly is deeply disappointing, and it has seriously damaged my trust in USAA.

 

After fifteen years as a contented member I am now looking elsewhere for more honest banks and insurance providers. I'd prefer to stay with USAA, and if you change your approach I definitely will. But please, please don't respond to this with the copy-and-paste "protecting your information is a top priority" text. If you're the organization I think you are, you'll acknowledge the communication problem and address it.

by Silkie ‎04-14-2014 12:07 PM

@margaretm.

 

I could not have said it better myself.  

 

I have been on the phone with USAA wealth management and tech support for almost 2 hours and still do not feel confident that ALL our assets are protected. I have gotten the run around and vague answers such as: "Oh, you are protected. We fixed the patch before it became public." LOL! LOL! Oh, so the two years before when we were at risk did not matter? This is just juvenile and laughable. It sure seems that they have no clue about how the bug works and how long they/we could have been impacted.

 

And NO ONE  can give me an intelligent answer except that they have fixed the flaw.  They have even gotten testy because I am terrified that we could lose all our assets which we live off of.  As seniors who have been with USAA for 50 years, we cannot afford it!

Grrrr!

by schep23 ‎04-14-2014 12:17 PM

I am so angry at USAA. We could not access the USAA site for about a week, from April 6 through April 12, 2014. We were able to get onto any other site we wanted. The first thing I did was call USAA on April 8 to ask if something was wrong with their server. That is what I was being told when trying to access the site with Safari.

 

The 2 people I spoke with assured me that everything was working fine and that I should log on to the mobile site if I was having a problem.  Neither of those USAA representatives said anything about Heartbleed and that USAA was working to "patch" the Open SSL and update the Certificate.  

 

I was told the problem was probably with our ISP or with our Web Browser or with Apple itself.  I spent hours trying to find out why I could not access only USAA's site.  I even downloaded and installed another browser, which of course was a waste of time since I could not access USAA from that browser either!

 

USAA should have sent an email to every member informing us of what USAA was doing to update the security issues connected  with Heartbleed.  Instead, we are given the BS from the PR people.

 

We are giving serious thought to moving our accounts to a trustworthy institution. 

by Long Member ‎04-14-2014 12:33 PM

Your Trusteer Rapport security service has only a B rating on its OWN website security assessment.

 

https://www.ssllabs.com/ssltest/

 

The USAA rating has now been raised up to an A-- , which is good.  Thank you for catching up.  Still not an "A" rating.  USAA still has work to do to get an "A" level rating.   

 

Why does your "Trusteer" security supplier, IBM, have a lower security rating than USAA?