U.S. regulators warned financial firms Thursday of a ‘material security vulnerability’ related to the newly-discovered ‘Heartbleed’ bug.
The networking snafu that was revealed this week by computer security researches enables cyber attackers to steal so-called encryption keys that would let them decrypt sensitive network traffic. The issue affects a very popular encryption system called OpenSSL.
“An attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network communications that would otherwise be protected by encryption,” the Federal Financial Institutions Examination Council Attackers, warned in a note to banks across the U.S.
“Attackers could potentially impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Potential attacks are made feasible by the public availability of exploitation tools.”
The council that is made up of leading financial regulators like the Federal Reserve and Federal Deposit Insurance Corporation also said the vulnerability has existed since Dec. 31, 2011, although it’s unclear as to whether it has been exploited.
Banks have been facing mounting cyber threats in recent years. Indeed, JPMorgan Chase (JPM) CEO Jamie Dimon said in a note to shareholders on Wednesday that the biggest U.S. bank by assets is launching three Cybersecurity Operations Centers around its regional headquarters.