With the discovery of a major flaw in one of the Internet’s primary encryption methods, it’s time to immediately change your passwords — and then keep your fingers crossed.
That familiar padlock on many websites that we rely on to protect our sensitive online information has apparently been opened to potential hacking.
This week, security engineers at Google and the security company Codenomicon revealed a bug named Heartbleed in OpenSSL, the encryption technology used by two-thirds of Web servers, according to the New York Times.
This technology is the standard used by most websites to transmit data that users want to keep private, basically providing a secure line when you’re sending online messages back and forth.
As many as 500,000 trusted websites may be affected, according to some reports, along with virtually any computer user who accesses them.
This doesn’t mean your sensitive information has necessarily been stolen. Rather, it means until a fix is applied, it may be vulnerable to theft — now and in the future. Already, many websites have announced they are working on the issue.
But some experts say it may be wise to avoid engaging in e-commerce until it’s clearer whether the websites you do business or transactions with understand the risks you and they may face, and have taken measures to prevent them.
Check those websites for updates, which should be posted on the home page or on another page that doesn’t require you to log in.
Also, in coming months carefully monitor your financial statements and free credit reports. (You should be doing that anyway.)
Codenomicon says many large consumer sites should be safe. “Ironically,” the company notes, “smaller and more progressive services or those who have upgraded to [the] latest and best encryption will be affected most.”
Still, Heartbleed can potentially reveal the contents of a server’s memory, where most sensitive data, past and present, is stored — user names, passwords, credit card and even Social Security numbers, according to CNET. “It also means an attacker can get copies of a server’s digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.”
Codenomicon says it’s not known whether the vulnerability has been abused, but reports indicate there’s evidence that attackers are aware of the bug.
For now, changing your passwords is a good first step, but even that won’t help unless the services affected by Heartbleed are updated.