Bank of the West | Heartbleed Bug: Key points to know - Bank of the West

Heartbleed Bug: Key points to know

Posted by David Pollino
Fraud Prevention

Given the widespread concerns about the Heartbleed Bug, I want to provide answers to some key questions about this security flaw.

What is the Heartbleed Bug?
Heartbleed is a flaw in the programming on secure websites that could put your personal information at risk, including passwords, credit card information and e-mails. The Heartbleed Bug is a defect in encryption technology — called OpenSSL — used by most Web servers to secure users’ personal or financial information. It is behind many “https” sites that collect personal or financial information.

Basically, OpenSSL provides a secure connection when you are conducting a transaction or sending an e-mail online. Experts discovered the bug recently and warned that cybercriminals could exploit it to access visitors’ personal data or to impersonate a website and collect even more information.

Am I affected?
Most active users of the Internet have likely been exposed, since a majority of websites — including Facebook, retail and even government sites — use the OpenSSL software. But it is unknown whether any criminals have actually exploited the bug, and several major sites, like Amazon, have already installed patches. Most sites with an address beginning with “https” are vulnerable until the website operator fixes the bug and users change their passwords.

Is my bank account safe?
Yes, consumers are always protected from any unauthorized transactions. Let your bank know immediately if you suspect any unusual activity.

Banks, including Bank of the West, are monitoring your accounts. They use many different systems to protect customers’ information including rigorous security standards, encryption, and fraud detection software.

What can I do?
As always, it is a good idea to update your bank password every few months. Also, monitor your account regularly and report suspicious transactions to the bank immediately. Beware of phishing scams — or emails with malicious links — that will attempt to get additional sensitive or personal information from you.

What are banks doing?
Banks are researching the possible impact of the Heartbleed Bug and are taking appropriate actions to ensure that it has no impact on customers. Most Internet banking applications are not affected by this bug. Most financial institutions have a special layer of security that prevents this type of exploit and some don’t use OpenSSL at all.

If you are a Bank of the West customer and have concerns, please call us at (800) 488-2265.


  • Anonymous says:

    You didn’t say if BOTW is or is not using the bugged software or is or is not vulnerable. We need a definite answer!

    Reply | 3 months ago
    • Bank of the West Admin says:

      At this time, we have no evidence that our systems are affected by the Heartbleed Bug, but we are continuing to investigate.

      Reply | 3 months ago
  • Anonymous says:

    This isn’t really very helpful. You did not say if Bank of the West has installed a patch in their system. I have read we should not change passwords until the patch is installed as otherwise the new password will also be eligible. I do need to know when I can safely pay my bills using online banking.

    Reply | 3 months ago
    • Bank of the West Admin says:

      As we mentioned in the earlier reply, at this time we have no evidence that Bank of the West systems have been directly affected by the Heartbleed Bug, but we are continuing to monitor the situation. If you need further assistance at this time you can call the Contact Center at 800-488-2265.

      Reply | 3 months ago
  • Anonymous says:

    Thank you for the general information. You say “most financial institutions have a special layer of security …” What about BoW? I used a tool recommended by cnet to test all my business bank sites and your site is the only one that does not come up “All good”. They say: “It might mean that the server is safe, we just can’t be 100% sure!”
    The tool is: http://filippo.io/Heartbleed/#www.bankofthewest.com
    I called the number you gave above and the rep seemed unaware of this issue then transferred me to the website team, and that transfer cut me off.

    Reply | 3 months ago
    • David Pollino says:

      At this time I can tell you Bankofthewest.com does not utilize technology that is directly vulnerable to the Heartbleed Bug. (The replies of the blog administrator above remain true; we are continuing to work with our vendors to identify potential risks.)

      Reply | 3 months ago
  • Anonymous says:

    Hi David,

    @BankoftheWest 2-step web authentication is broken. @BankoftheWest now sets Flash Cookie upon entering username, always suppressing security question.

    I tried reporting this twice but your people pretended that nothing was wrong.

    Joel

    Reply | 3 months ago
    • Bank of the West Admin says:

      Joel, our online banking team looked into this and it sounds like you may need additional support on how to authenticate on bankofthewest.com. Please call our Contact Center at 800-488-2265 if you still need assistance with this. Thank you.

      Reply | 3 months ago
  • Anonymous says:

    Since BoW hasn’t said either “our systems don’t use OpenSSL” or “our systems use OpenSSL but it has been patched and we have obtained updated SSL certificates”, my interpretation of all of the waffling above is that we should, at this time, consider the site insecure.

    Reply | 3 months ago
  • Anonymous says:

    Does Bank of the West use OpenSSL?

    Reply | 3 months ago
  • Anonymous says:

    David, while I appreciate the need to be unspecific about which security approaches BoW employs, this particular situation requires an answer, not platitudes and assurances. Does the BoW site employ OpenSSL and, if so, have the necessary patches and certificates been put into place? Having been in IT and responsible for the security of a server farm, 4 days of elapsed time is nothing to be proud of when it comes to installing critical patches. At this point, I am seriously considering closing my accounts and moving elsewhere.

    Reply | 3 months ago
  • Anonymous says:

    I’m disappointed with the answers provided here. Every answer provided sidesteps the actual question. We all want to know one thing: has BOW installed the patch to protect the information? Once that is done, then we can change our username and password and feel safe until another breach occurs.

    Reply | 3 months ago
    • Anonymous says:

      I am also quite disappointed with how Bank of the West has handled this issue. The answers provided to customers’ direct questions are what I would expect from a politician, and not from an institution that relies on my trust. All of the other banking institutions that I do business with have posted direct information on their websites, providing me with confidence that I can resume my online banking with them. I do not have the same confidence in Bank of the West. I consider this type of thing to be a very important aspect of customer service. I am sad to say that my trust in and my opinion of this institution has been greatly reduced over this incident.

      Reply | 3 months ago
  • Anonymous says:

    Yesterday (4-14) I went into my local branch and again asked about Heartbleed situation/updates. I was told BOTW is experiencing no problems, for me to monitor my accounts, let them know if I found anything amiss and no need to change my passwords. I was given a generic, older handout about security issues which did not mention this bug at all. I would like to hear something more definitive before doing any online banking i.e. BOTW does not use the OPENSSL program OR BOTW does and has already put in the patch. Very nervous about what seems to me to be a very lackadaisical attitude. Tellers were not even aware of the bug when I went in last Thursday (4-10).

    Reply | 3 months ago
    • Bank of the West Admin says:

      Thank you for your comment. This is a very serious matter, and we will follow up with you directly via email to address your concerns.

      Reply | 3 months ago
    • Anonymous says:

      Went to http://www.ssllabs.com/ssltest and entered bankofthewest.com in Domain name field. It received an overall rating of B. The test indicated that their server is not vulnerable to a Heartbleed attack. I am a customer, I am not an employee or official of Bank of the West. I ran the test on the Google Chrome browser in Mac OS X and again in Windows 7. Windows 7 gave the more detailed report, returning two IP addresses for the domain bankofthewest.com. One address’ certificate was not valid for that domain, and that address received an F grade, although it tested as not vulnerable to Heartbleed. This is not my field of expertise.

      Reply | 3 months ago
  • Anonymous says:

    I agree – the consistent message from IT experts is that if OpenSSL is used a patch MUST be installed before changing passwords is effective. I will remove my business account from BOTW if there is not explicit confirmation that OpenSSL is not used in your systems or you have installed the patch. My other financial institutions have done this. Why not BOTW?

    Reply | 3 months ago
    • Bank of the West Admin says:

      Thank you for your comment. We will follow up with you directly via email to address your concerns.

      Reply | 3 months ago
      • Anonymous says:

        I agree with the previous comments. These are simple questions and we need simple answers. Does BoW use OpenSSL or not? If so, has the patch been installed? Just post the answer and you will have a lot less people to follow up with.

        Reply | 3 months ago
        • David Pollino says:

          Thanks for the comments above, and here is an update: The Heartbleed bug is a very complex issue that involves many systems and business partners and requires thorough testing and monitoring, which we continue to do. However, Bankofthewest.com does not use OpenSSL and thus no patch is needed at this time. If we discover any vulnerability, we will alert customers immediately.

          Reply | 3 months ago
  • Anonymous says:

    Thank you so much for this, David. I’ve been surprised at the lack of coverage of Heartbleed. I’m also shocked at how so many people aren’t even aware of it. Excellent and informative, I appreciate it!

    Reply | 3 months ago
  • Anonymous says:

    Was the patch installed or NOT? Yes or no is all I want to hear. Thank you.

    Reply | 3 months ago
    • Anonymous says:

      Can’t install a patch to software that isn’t being used. BOTW finally answered the question!

      Reply | 3 months ago
  • Anonymous says:

    I utilize Norton 360 Premium which provided an excellent link to verify each of the banking and online payment sites I go to (http://safeweb.norton.com/heartbleed). Every site I visit on a regular basis except for my BOTW website came back with a confirmation the site was not vulnerable to Heartbleed. BOTW at each layer of encryption from the main website down to final screen where I enter my password came back with “Something is wrong here”. I hope BOTW figures this out soon or expect to lose more accounts, including mine.

    Reply | 3 months ago
    • Anonymous says:

      We called 2 days ago and made 3 phone calls (the second one mysteriously got disconnected when I wanted a yes or no answer to the same question). Finally I got through after a 4 minute wait to a technician that said they did use SSL technology and they are working on patching the server systems. We asked when the work would be done, and he wouldn’t tell us a date even like next year. I now doubt that this is really taken care of by BOTW. Why were they so evasive in their initial write-up of this bug, and also when answering your questions from 2 weeks ago?

      Reply | 3 months ago
      • David Pollino says:

        Bankofthewest.com uses SSL. The Heartbleed bug is a vulnerability in OpenSSL, which is an implementation of SSL. The bug affects OpenSSL and many software packages and products that utilize the OpenSSL code. Our customer-facing banking systems were not using any of the impacted products and did not need to be patched. We have a regular program of monitoring our systems for vulnerabilities. If the products impacted by Heartbleed or another vulnerability are published, we will continue to check our systems to see if they are impacted and patch as needed.

        Reply | 3 months ago
