Online Protection - Quicken Loans Zing Blog

Here at the Quicken Loans Zing Blog, we like to keep you in the loop on issues that can affect your home, money and lifestyle. This week, a new concern has been making headlines, and we want to ease your mind about any questions you may have with regard to usernames, passwords and your Quicken Loans MyQL account.

“Heartbleed” is the name of a recently discovered bug that affects a large number of websites on the Internet that encrypt interactions between users and their site.

Quicken Loans websites are not vulnerable to the bug due to our rigorous security standards as well as those of our vendors. We made the decision years ago to not upgrade our encryption products to those using the vulnerable versions of OpenSSL. The Heartbleed bug only impacted OpenSSL versions released after December 31, 2011. The encryption technology we chose to keep was never a target of, or impacted by, Heartbleed. The content provider that serves parts of our main site did patch prior to the announcement, but that impacted parts of our site that do not contain usernames, passwords, or client information. To be sure, we tested our current encryption and added additional security patches. Read our security and privacy pledge for more information.

You may be wondering what kinds of sites use encryption. Banks, retailers, and basically any site that asks for a username and password. The encryption is there to ensure that any communication between your web browser and the website is scrambled so that it’s difficult to see your information. Obviously, you wouldn’t want your password or credit card number, for example, to be open for anyone to see. Encryption makes sure that doesn’t happen.

Heartbleed, however, makes it possible for someone to “eavesdrop” on communication between you and your favorite websites. In addition, scammers may be able to obtain your username and password or your shopping information from a particular website without your involvement. Experts say that at least 17% of all websites using encryption may be vulnerable to this encryption bug, but many are getting patched as you read this article.

So, what should you do to protect yourself from Heartbleed?

Remember that this isn’t a problem with your computer, phone, tablet, or anything else that you browse the Internet with – it’s about the sites that prompt you to log in to identify yourself. The bug dates back to the end of 2011, but researchers only just discovered it. Scammers may have known about it much longer. The good news is many of the big sites that you may frequent are already confirmed to be safe:

  • Google
  • Yahoo
  • Facebook
  • Twitter
  • Instagram
  • Amazon
  • PayPal

There isn’t an easy way of knowing if a website has been affected, but changing your password is a great precautionary step. Stay safe!

 


This Post Has 4 Comments

  1. My thoughts exactly. If you were using any of the buggy versions of OpenSSL then you were vulnerable regardless of the April 7 announcement. It’s like leaving your house key under the doormat for 2 years, then retrieving it before telling the world it was there. You in fact don’t know that it hasn’t been used.

  2. This is misleading information to your customers. The whole reason why this is so widespread is because the flaw has existed for almost two years. To say you were fine because you patched your servers a week ago before the announcement is a joke. Once you patched you should be advising every customer to change their passwords – it’s fine to tell them that you don’t think you were exploited, but at this point you really don’t know if un/pw were stolen. No one knows right now if hackers were aware of this before the announcement. To tell customers you weren’t because you patched immediately upon announcement is ridiculous.
