Heartbleed bug no danger to bank websites, group says

Canadians have no need to fear for the safety of their banking information because of the Heartbleed security bug that's affected millions of websites, including the Canada Revenue Agency's site, a group that represents the banking industry says.
The Heartbleed bug affects about two-thirds of all servers on the internet, and security experts are scrambling to patch over the hole. (Canadian Press)

The Heartbleed web security bug that's raised vulnerability concerns across much of the web and prompted the Canada Revenue Agency to block access to part of its site Wednesday is no threat to the bank websites in Canada, the group that represents the industry says.

"The online banking applications of Canadian banks have not been affected by the Heartbleed bug," the Canadian Bankers Association said Wednesday. "Canadians can continue to bank with confidence."

Heartbleed is a recently discovered security bug built into the newest version of a ubiquitous software code known as OpenSSL. The software code itself is what powers the encryption process on about two-thirds of the world's secure web servers (which can be recognized by a closed lock-and-key symbol) and it ensures that only authorized users have access to the sensitive data being transmitted.

A glitch in the most recent version of the program was uncovered this week that could theoretically allow a hacker to mimic the appearance of an authorized user, and subsequently be granted access by an affected server to be able to collect sensitive information.

Although there's an easy fix to the buggy OpenSSL version, there's an added problem with the bug in that it makes it very difficult to tell after the fact who may have been granted unlawful access to data before the loophole was closed.

Tax agency site shut down

The Canada Revenue Agency took the bold step on Wednesday of shutting down its public website until it can address the issue. That's prompted questions as to whether other websites with highly sensitive data, such as banks, may be vulnerable.

There's no need for Canadians to be concerned about their banking information being unlawfully accessed, the CBA said Wednesday.

"Banks have sophisticated security systems in place to protect customers' personal and financial information, including encryption and other measures," the CBA said. "As part of a normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers."

Canada's major banks echoed that sentiment individually.

We always recommend that customers change their passwords regularly.- TD Bank spokesperson

"We take every threat seriously," a spokesman for the Royal Bank of Canada told CBC News. "Our websites have not been affected by the Heartbleed security bug."

Toronto-Dominion bank noted that the vulnerability affects any company in any industry connected to the internet, but says customers have no added need to worry about banking.

"TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk," the bank said.

"While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly (i.e. several times a year). That said, TD has intelligent and multi-layered authentication, so there are multiple safeguards in place to protect customers."

A spokesperson for the Bank of Montreal said "customer information is safe and secure. Protection of customer information is our highest priority and we will continue to monitor our banking platforms as a precaution."

CIBC and Scotiabank both said they support the industry group's statement on the issue.

Despite the lack of a specific Heartbleed-related threat, the CBA urges banks customers to remain vigilant about what data they share online, by keeping track of statements, monitoring PINs and changing passwords regularly.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?