This is to advise the public on the “Heartbleed Bug”, which has recently been the focus of media coverage. Said bug is a programming error found in certain versions of “OpenSSL”, a widely used security software tool that allows websites to communicate securely with the computers, laptops and mobile devices of users.
The “Heartbleed Bug” poses a critical threat to vulnerable systems by exposing sensitive information such as encryption keys, user credentials, financial information, and private communications or documents. Attackers could potentially impersonate bank services or users or gain access to internal networks.
Relative thereto, the Bangko Sentral ng Pilipinas (BSP) conducted a survey of banks operating in the Philippines. The results of the survey showed that most of the banks in the country use proprietary security software (privately owned and not open-source) for their internet banking and other client-facing applications and services. A few banks using “OpenSSL” do not use the versions identified to be susceptible to the “Heartbleed Bug.” Moreover, the BSP conducted its own verification through third-party “Heartbleed Bug” vulnerability check websites and confirmed that indeed none of our banks are vulnerable.
The BSP wishes to assure the public that it is working closely with the banking industry and is taking cyber-security issues very seriously. On 22 August 2013, the BSP issued Circular No. 808, which required supervised institutions to adopt robust security measures to address the growing number of sophisticated cyber threats. These include, among others, the enhancement of detection capabilities through proactive vulnerability management processes in which new threats and vulnerabilities are identified and assessed, and the effectiveness of existing security controls is evaluated and tested on an ongoing basis.