Payments Industry Awaits Potential Fallout Of ‘Heartbleed’ OpenSSL Flaw

Well, it might not constitute breach news per se – or it doesn’t yet, anyway – but the announcement this week that two-thirds of all websites had been vulnerable for the past two years certainly was. The security flaw, dubbed “Heartbleed,” had made usernames, passwords and other sensitive data openly available to hackers. That is, if hackers knew of the flaw. Thus far, it appears, they didn’t.

By Jeffrey Green (@epaymentsguy) (https://twitter.com/epaymentsguy)

Hard to tell, but this week’s major breach news seemed fairly big, at least potentially, though no one had yet said whether any card data or online merchants were affected. It seems a security flaw, dubbed “Heartbleed,” in the OpenSSL data-encryption library used by two-thirds of the Internet’s websites had, for the past two years, exposed potential access to credit card and other personal information, including passwords.

However, it was discovered, at least by legitimate parties, only earlier this week. Everyone probably is crossing their fingers hoping the good guys saw it first. Umm….

According to qz.com, GitHub user Mustafa Al-Bassam performed a mass scan for vulnerable sites on April 8. The scan of more than 10,000 websites found 627 vulnerable, including Yahoo email and Tumblr sites and the dating site OkCupid. Such sites and others scrambled quickly to update their OpenSSL software with a recently released patch.

Even Cisco Systems Inc. and Juniper Networks Inc., leading manufacturers of network equipment, said they discovered the Heartbleed bug in their systems, creating the potential for hackers to gain access to “user names, passwords and other sensitive information as it moves across corporate networks, home networks and the Internet,” the Wall Street Journal reported.

Various eCommerce sites, including eBay, Etsy, PayPal and GoDaddy, provided their own advice to online merchants. “Merchants need to own and solve the issue themselves,” Z-Firm’s Rafael Zimberoff said. He also gave some advice for sellers who operate their own eCommerce websites, spelled out in a blog post on the Z-Firm website.

PayPal posted a blog advising its users that there was no need to take additional action or change passwords.

“While we always advise our customers to be cautious and aware of the security of their personal and financial information, in this case we want to reassure you there is no need to be unduly concerned. When you log in to PayPal using your username and password, these details [are] not exposed to the OpenSSL vulnerability,” the company noted in a statement.

States stepping in

If the Heartbleed news wasn’t bad enough, a bill making its way through the California state legislature would make companies such as Target liable for damages after successful cyberattacks against their systems expose customer data. The bill appears to shift liability away from banks.

“Financial institutions should not be taking the heat for a data breach that occurs at a retailer,” said Assemblyman Roger Dickinson (D-Sacramento), a bill co-author along with Assemblyman Bob Wieckowski (D-Fremont).

In New Mexico, a separate bill would require organizations to notify individuals whose data has been compromised as the result of a breach within 10 days of discovering the breach, and to inform the state attorney general if more than 50 state residents are affected.

Meanwhile, the Federal Financial Institutions Examination Council issued an alert to banks on April 10 instructing them to make necessary upgrades to their security as soon as possible and to apply patches to their systems using OpenSSL. The council also encouraged banks relying on third-party vendors to alert those vendors to the security issue and take appropriate preventative action.

Russians at work?

Also reported this week was a claim that the recent Neiman Marcus data breach was the work of a Russian hacking group, the same one that attacked Heartland Payment Systems five years ago. Attempts to shut down the criminal network have failed despite international sting operations and secret meetings with Russian intelligence officials, Bloomberg reported this week.

Meanwhile, in the United Kingdom, MWR InfoSecurity researchers showed how mPOS terminals can be compromised via multiple attack techniques. The researchers demonstrated how an attacker could gain full control of an mPOS terminal, allowing them to display “try again” messages, switch the device into insecure mode, capture PIN and credit card data, and even enable the device to accept illegitimate payments from stolen credit cards.