Monday, April 14, 2014

Heartbleed's Implications for the Banking Industry

First off, an irrelevant pet peeve: I hate stock graphics with flowing ones and zeros in the context of any computing-related news story. That the notion of a code bug is so prevalently dumbed down into the words "VIRUS" and "TROJAN" floating amongst said binary bits is equally depressing. Of late, the so-called Heartbleed bug has come to the fore, and given its huge implications across numerous industries, reporters are already treating it as some arcane, science-fiction force. The severity of the situation is not being exaggerated, but the mystery surrounding it certainly is: the bug itself is simple enough to explain with a filing cabinet.

Suppose you have a boss who gives you a very specific set of instructions that must be followed to the letter. One of these instructions can be abused by evildoers, but neither you nor your boss is aware of this. If a customer walked up and exploited the oversight right before your eyes, you, being an intelligent human being, would realize while still serving that customer that something really ought to be done about the flaw. Your job is to find a customer's paperwork in their file and hand it to them. Most customers give you some forms at the desk, whereupon you follow the Boss's instructions:
  1. Process the files the customer just gave you and remember the amount of paperwork they said they submitted
  2. Go to the file cabinet
  3. Find the customer's file
  4. Get as much paperwork as the customer just said they gave you
  5. Give the new paperwork back to the customer
The typical customer might give you, say, 5 forms, so you process the 5 forms and give them 5 new forms from their file in the cabinet. Our Evil Customer, Eve, gives you 5 forms but says she really gave you 65535 forms, and expects 65535 forms back from the file cabinet. 65535 seems like a lot (it happens to be the largest number the two-byte "how many forms" field in the request can hold), but you remember your boss's directions to the letter: you process the 5 forms, note that Eve "gave" you 65535 forms, find Eve's file, and start handing her 65535 new forms. Of course, Eve's file isn't anywhere near that big. After you pull Eve's 5 new forms from the cabinet, you spill over into other people's files, but you gather those anyway until you have 65535 forms, full of other customers' sensitive information. Eve thanks you for your help and leaves.

As you can plainly see, it's not that the entire bank is flawed to its core. The solution isn't to burn down the bank, nor to execute all current employees, but, as you probably gathered, to change Steps 1 and 4: compare the number of forms the customer claims to have given you against the stack actually in your hands, and refuse the request if the two don't match, rather than trusting the claim. C does no such checking on its own: a copy routine copies exactly as many bytes as it is told to, so the check has to be written by the programmer, and here it was missing. If C programs could talk, they'd have alerted someone to this problem ages ago, as you would have in the bank scenario. See? This was far more straightforward to comprehend than looking at a graphic of the word "HACK" centered in a field of floaty green bits.
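The bank scenario above, carried into working code as an added example (this is not code from the original post, nor OpenSSL's own): a cut-down C model of a TLS heartbeat handler in the RFC 6520 message format. The vulnerable handler copies as many bytes as the request header claims; the fixed one first checks that claim against the number of bytes actually received, which is the shape of the check OpenSSL 1.0.1g added. The "arena", the neighbouring secret string and the request payloads are constructed stand-ins for the process heap and real traffic; the arena is sized so that even a 65535-byte over-read stays inside the array, so the demonstration itself has no undefined behaviour.

```c
/* Added example, not code from the original post or from OpenSSL: a cut-down
 * C model of a TLS heartbeat handler (RFC 6520). heartbeat_vulnerable copies as
 * many bytes as the peer claimed to send; heartbeat_fixed first checks the claim
 * against the bytes actually received (the shape of the OpenSSL 1.0.1g check).
 * The arena and the neighbouring "secret" are constructed stand-ins for the heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16      /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_PAYLOAD 65535   /* payload_length is a 16-bit field */

/* Heap stand-in: the received record at the front, another session's data right
 * behind it. Big enough that a 65535-byte over-read stays inside the array. */
#define ARENA_SIZE (3 + HB_MAX_PAYLOAD + HB_PADDING + 64)
static unsigned char arena[ARENA_SIZE];
static unsigned char response[3 + HB_MAX_PAYLOAD + HB_PADDING];
static const char neighbour_secret[] = "OTHER-CUSTOMER session=7f3a9c password=hunter2";

/* Lay out a request: type(1) | payload_length(2, big-endian) | payload | padding.
 * Returns the length the transport really delivered (the "5 forms");
 * claimed is what the header says (the "65535"). */
static size_t build_request(const char *payload, size_t actual_len, uint16_t claimed)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 1 + 2 + actual_len + HB_PADDING;   /* padding stays zero */
    memcpy(arena + record_len, neighbour_secret, sizeof neighbour_secret);
    return record_len;
}

/* Vulnerable handler: Steps 1 and 4 of the post, trusting the claimed length. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len, unsigned char *resp)
{
    (void)record_len;                                  /* never consulted: the bug */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);                /* reads past the record */
    memset(resp + 3 + claimed, 0, HB_PADDING);         /* real code: random padding */
    return 3 + (size_t)claimed + HB_PADDING;
}

/* Fixed handler: silently discard (RFC 6520 section 4) any request whose claimed
 * payload does not fit in the bytes received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len, unsigned char *resp)
{
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                                      /* no room for a length field */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)claimed + HB_PADDING > record_len)
        return 0;                                      /* claimed more than delivered */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, claimed);                /* now provably inside the record */
    memset(resp + 3 + claimed, 0, HB_PADDING);
    return 3 + (size_t)claimed + HB_PADDING;
}

/* Naive substring search: did the neighbour's data end up in the response? */
static int leaks_secret(const unsigned char *buf, size_t len)
{
    size_t n = strlen(neighbour_secret);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, neighbour_secret, n) == 0)
            return 1;
    return 0;
}

/* Drive one request through either handler. Returns the response length
 * (0 = discarded) and sets *leaked if the neighbour's secret came back. */
static size_t run_heartbeat(int use_fix, const char *payload, size_t actual_len,
                            uint16_t claimed, int *leaked)
{
    size_t record_len = build_request(payload, actual_len, claimed);
    size_t out = use_fix ? heartbeat_fixed(arena, record_len, response)
                         : heartbeat_vulnerable(arena, record_len, response);
    *leaked = out ? leaks_secret(response, out) : 0;
    return out;
}

int main(void)
{
    int leaked;
    size_t n = run_heartbeat(0, "hello", 5, 65535, &leaked);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(1, "hello", 5, 65535, &leaked);
    printf("fixed: %zu-byte response (0 means the request was discarded)\n", n);
    return 0;
}
```

Note that the fix is a comparison, not a rewrite of the copy: the bytes are still echoed, but only after the handler has proved the claimed length fits inside the record it was handed. The real patch also discards rather than rejecting loudly, because RFC 6520 says a malformed heartbeat message must be silently dropped.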

OpenSSL, the library that carries these instructions, is open source: all of the code is publicly available for anyone and everyone to read. While the trusted institutions to whom you give your passwords rely on OpenSSL, criminal hacker rings and rogue government organizations scrutinize the very same code for vulnerabilities of exactly this kind, to keep for their own use. Financial institutions may try to uphold a reasonable standard of trust, but so long as the software they depend on is understood better by ill-intentioned persons than by the institutions themselves, the trust on which the entire financial system rests is undermined.

In the short run, organizations will incur costs: patching every affected server, generating new private keys and having their certificates reissued (and the old ones revoked), invalidating existing sessions, and urging their customers to change credentials that may have been exposed. I, like nearly everyone else, find myself overwhelmed by the prospect of changing so many passwords across the internet, so this is nothing short of an incredible nuisance. But financial institutions may see fit to prepare for such incidents in the future by forming coalitions to scrutinize the cryptographic libraries they all depend on as well as, or better than, criminals do. It seems like a basic step to take, but organizing private groups and motivating them toward collective action for the greater good is never anything short of a challenge.
