by Justin Thomas

How We're Handling Heartbleed


UPDATE 4/14/14: Simple’s mobile and web applications are no longer vulnerable to Heartbleed. We pushed an update to the Apple App Store and Google Play Store on Friday afternoon, April 11th. Simple customers should immediately update their mobile apps and change their passwords. Below is a record of our original response to Heartbleed.

By now, you’ve likely heard about the Heartbleed exploit. In case you haven’t: on April 7th, researchers publicly disclosed a flaw in OpenSSL, the library that implements TLS (the encryption behind “https”) for a broad range of companies and organizations across the globe. The flaw is in OpenSSL’s handling of the TLS “heartbeat” message: a client tells the server how long its heartbeat payload is, and vulnerable versions trusted that number without checking it. An attacker could therefore read up to 64 KB of whatever happened to be in the affected server’s memory with each malformed request, and repeat that as often as they liked.

To give an example, imagine this: a stranger comes up to you and says “hey, how are you?” If you were affected by Heartbleed, you might say “I’m fine,” and also include an unfiltered snippet of whatever you were thinking of at the moment—regardless of how sensitive it was. Each additional request would reveal a different piece of unrequested information. You can see how this could get dangerous.
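To make that analogy concrete, here is an added example in C, written for this edit and not code from OpenSSL or from Simple. It models the heartbeat handler twice: once with the missing check that caused Heartbleed, and once with the check OpenSSL added in 1.0.1g. The simulated memory buffer, the request that claims 64 payload bytes while carrying one, and the “secret” string placed next to it are all constructed for the demonstration.

```c
/*
 * Added example, not OpenSSL's code: a model of the TLS Heartbeat handler
 * behind Heartbleed (CVE-2014-0160). Record layout (RFC 6520):
 *   byte 0     type (1 = request, 2 = response)
 *   bytes 1-2  payload_length, big-endian, chosen by the peer
 *   then       payload_length bytes of payload, then >= 16 bytes of padding
 * The bug: trusting payload_length without checking the record is that long.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16   /* RFC 6520 minimum padding */
#define MEM_SIZE    512  /* simulated process buffer (constructed for the demo) */

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Vulnerable handler (the logic of OpenSSL 1.0.1 through 1.0.1f). `mem` is a
   MEM_SIZE buffer: its first record_len bytes are the received record, and
   whatever follows stands in for unrelated heap data. Returns the number of
   payload bytes echoed into `out`, or -1 if the message was dropped. */
static int heartbeat_vulnerable(const unsigned char *mem, size_t record_len,
                                unsigned char *out, size_t out_cap)
{
    uint16_t payload_len;

    if (record_len < 3 || mem[0] != HB_REQUEST)
        return -1;
    payload_len = (uint16_t)((mem[1] << 8) | mem[2]);      /* n2s() */

    /* Demo-only guard so the read stays inside our simulated buffer; real
       OpenSSL had no such limit and read up to 64 KiB past the record. */
    if (3 + (size_t)payload_len > MEM_SIZE || payload_len > out_cap)
        return -1;

    /* BUG: record_len is never compared with payload_len, so the copy
       runs past the end of the record into neighbouring memory. */
    memcpy(out, mem + 3, payload_len);
    return (int)payload_len;
}

/* Fixed handler: the bounds check added in OpenSSL 1.0.1g. */
static int heartbeat_fixed(const unsigned char *mem, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    uint16_t payload_len;

    if (record_len < 1 + 2 + HB_PADDING || mem[0] != HB_REQUEST)
        return -1;                                      /* silently discard */
    payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len)
        return -1;      /* claimed length exceeds what was received: discard */
    if (payload_len > out_cap)
        return -1;
    memcpy(out, mem + 3, payload_len);
    return (int)payload_len;
}

/* Constructed "secret" that happens to sit next to the record in memory. */
static const char SECRET[] = "session-cookie=hunter2";

/* Lay out a request that claims 64 payload bytes but carries 1, plus
   padding, followed by SECRET. Returns the record's true length. */
static size_t build_memory(unsigned char *mem)
{
    size_t record_len = 1 + 2 + 1 + HB_PADDING;    /* 20 bytes actually sent */
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = 0x00; mem[2] = 0x40;                   /* payload_length = 64 */
    mem[3] = 'A';                                   /* the one real payload byte */
    memset(mem + 4, 0xAA, HB_PADDING);
    memcpy(mem + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* 1 if the handler's response contains SECRET, 0 otherwise. */
static int leaks_secret(hb_handler handler)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t i, n_secret = sizeof SECRET - 1;
    size_t record_len = build_memory(mem);
    int n = handler(mem, record_len, out, MEM_SIZE);

    if (n < 0)
        return 0;
    for (i = 0; i + n_secret <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, n_secret) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler echoes 64 bytes starting just past the length field, which carries the neighbouring “secret” back to the requester; the fixed handler compares the claimed length against the bytes actually received and silently drops the request. In a real server the neighbouring bytes are whatever the allocator placed there: session cookies, passwords in flight, or the server’s private key.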

Companies all across the web are responding to this security flaw. You may be wondering about the steps that Simple has taken in response, so I wanted to give you a bit more detail about how we’re working to keep your information safe.

How Simple Responded

Simple’s Security and Engineering teams actively monitor the channels where such vulnerabilities are announced and discussed, and we quickly recognized the seriousness and severity of this issue. Our monitoring for fraudulent attempts to access customer information or transfer funds has given us no reason to believe that this exploit was used to expose any sensitive Simple information or any data associated with any Simple customer. Even so, the risk associated with this flaw is significant, so we went into high gear to eliminate any potential exposure.

We immediately applied patches to our services that use OpenSSL. If you’re interested, you can verify the effectiveness of that action with one of the publicly available Heartbleed test tools. By applying the patches, we ensured that Simple’s systems are no longer susceptible to the underlying flaw that permitted the Heartbleed exploit. Patching alone is not enough, though, so we have also recreated the cryptographic certificates and the underlying keys used by the previously vulnerable servers. A certificate is a file used to set up an encrypted connection between a client (like a web or mobile app) and a server (where your data is stored). It contains, among other data, the server’s public key; the matching private key stays on the server, and it is exactly the kind of secret that Heartbleed could have read out of memory. Reissuing a certificate for the old key would leave that key in play, so we generated new private keys, obtained new certificates for them, and are getting rid of the old ones. New certificates are in place on all of Simple’s servers, and we’re in the process of revoking the old certificates.

Remaining Work

Access to Simple on the web has been secured; however, we have one outstanding challenge. Our mobile apps embed components of our server certificates (an enhanced security mechanism known as “key pinning”), so an app will only trust a server that presents the certificate it was built with. That means we must publish updated Android and iOS clients, carrying the new certificate data, to all of our customers before we can completely revoke the old certificates used by the servers that support those clients. Our developers are working quickly to publish those updates to the Apple App Store and the Google Play Store, and we’re doing everything in our power to speed that process along.

Because we have no indication of increased fraudulent activity on customer accounts, we’ve made the decision to not disable access to Simple on mobile, as we did with customers using iOS 7.0.4 when a security flaw was identified recently. As part of our normal security protocol, we always monitor for unusual activity, suspicious transfers, and other indications that a user’s credentials or data may be compromised. That will of course continue.

Steps You Can Take

In the meantime, you can also take some measures to protect yourself. The remaining risk is that someone who had obtained one of the old keys could impersonate Simple’s servers to a mobile app that still trusts the old certificate, and doing that requires sitting between you and Simple on the network. We therefore suggest that you use the mobile apps only on networks that you trust (e.g., avoid public WiFi hot spots, where man-in-the-middle attacks are more likely). Again, based on the information that we have today and the actions that we’ve taken thus far, we believe the risk to be minimal, but it’s always a good idea to use only networks you trust.

Once we’ve published updated Android and iOS applications and we’re able to revoke the certificates for the older mobile clients, we will be requiring that all customers update their mobile devices and then change their passphrases. Please watch for communication from us when we’re ready for you to take that step.

Thanks for reading, and please let us know on Twitter, Facebook, or Google+ if you have questions.
