A major online security vulnerability known as “Heartbleed” has opened up a window to let attackers steal information such as user names, passwords and the private keys sites use to encrypt and decrypt sensitive data.
 
We have determined that we are not affected by the Heartbleed bug, and therefore, we do not recommend any specific actions by our customers at this time. However, the security of our customers’ information is a top priority at Ally, so we are using this space to share some of our customers’ frequently asked questions.
 
Q: Has Ally installed a new security patch to fix the problem?
A:  Ally is not impacted by the OpenSSL Heartbleed vulnerability, and therefore, does not warrant this patch.
 
Q:  Has Ally changed their encryption keys after the patch was implemented?
A:  Ally is not impacted by the OpenSSL Heartbleed vulnerability, and therefore, does not warrant changing of encryption keys.
 
Q: Can Ally confirm no data was stolen prior to discovering the problem?
A:  Ally uses multiple layers of defenses to protect our services and customers. Our customers can conduct their banking securely and without their data being at risk.
 
Q: Can customers safely log into their accounts?
A:  Yes. Our online environment is continually monitored and we have detection methods in place to identify and deter any unauthorized activity.
 
Q: Should customers change their passwords?
A:  Our customers do not need to change their passwords as a result of the Heartbleed vulnerability. While we do not recommend any specific actions by our customers at this time, we always recommend that customers change their passwords regularly, i.e. several times a year.
 
Q: Should customers change their usernames?
A:  Our customers do not need to change their usernames as a result of the Heartbleed vulnerability. While we do not recommend any specific actions by our customers at this time, we can assist customers with changing their user IDs if they wish.
 
Q: Can/should customers arrange for enhanced security protocol to provide a security code each time they log in?
A:  Our security protocols closely monitor all login activity and will request additional verification when needed via a one-time use Security Code. Our system has no need to challenge all login attempts as we want to ensure the best user login experience, while remaining secure.
 
Q:  Does Ally use OpenSSL for its website?
A:   Ally has multiple layers of defenses to protect our services and customers. Ally does not comment on specific technologies and versions used to support the website.
 
For more information about how we protect our customers online, please visit http://www.ally.com/security/