The Heartbleed Bug remains the biggest story in security news this week, as several merchants revealed the results of their testing for the security flaw in the OpenSSL data-encryption library used by two-thirds of the Internet’s websites. It turns out, that the Heart Bleed Bug is not only affecting websites as this week software companies are reporting that networking equipment is also affected.
The bug affects networking equipment the same way it affects websites. Items such as routers, switches and firewalls use the variant of SSL/TLS known as OpenSSL.
Since OpenSSL is the set of tools that has the Heartbleed vulnerability, hackers to breach a system and steal whatever sensitive information, like credit card data, they are looking for. Companies like Cisco Systems Inc. and Juniper Networks Inc. continue to advise customers on which product is still vulnerable, fixed and unaffected.
However, while Heartbleed was the biggest news in security, it wasn’t the only news. The Justice Department and Federal Trade Commission gave business permission to share information on cyber-threats in real-time. Though this seems obvious, the note was sent out to calm concerns that such corporate cooperation would fall under the general heading of anti-trust violation.
The power to collaborate should be a major boon to companies of all kinds. As the situation with the Heartbleed bug demonstrates, when it comes to security, it’s what you don’t know that can really get you. Plus, knowing the threat is only part of the problem, organizations still need to be able to choose a solution, whether it is Point-to-Point Encryption (P2PE), Tokenization or EMV. Bluefin Payment Systems and PYMNTS want to help you navigate those waters a little bit better, with a webinar on May 1st at 11 am for an educational digital discussion hosted by PYMNTS.com and Bluefin Payment Systems to review the many considerations related to keeping cardholder data secure.
Now, it is becoming a well-known fact that while the rest of the world has been falling in love with EMV, particularly in the mainstream media, some here at PYMNTS have had their doubts. America’s retailers seem to share our lack of enthusiasm, as many have not sought to update their POS systems to accept EMV cards—citing the high cost of $500 to $1,000 per payment terminal as a significant disincentive. While smaller sellers are balking at the cost, large retailers such as Kroger, Target and Wal-Mart are in the process of making the jump to EMV.
While we’re talking about large retailers, Michael’s—the Texas-based arts & crafts chain – announced the extent of its exposure in a months long breach it suffered between mid-2013 and early 2014. The company released Thursday that 2.6 million credit and debit cards used in its stores may have been affected by the breach. They also announced their affiliate Aaron Brothers was also attacked, which left an additional 400,000 cards exposed, bringing the total breach exposure to 3 million.
Also not having a very good week this week when it comes to security: Samsung. After much fanfare over adding a cutting-edge fingerprint scanner for the newly release Galaxy 5, it seems the new protocol may not be a good as initially hoped. SRLabs, a Germany-based security research firm, is claiming that anyone can gain access to a Galaxy S5 by using a wood glue mold from the fingerprint already set on a particular phone.
“Despite being one of the premium phone’s flagship features, Samsung’s implementation of fingerprint authentication leaves much to be desired,” a SRLabs researcher said. “The finger scanner feature in Samsung’s Galaxy S5 raises additional security concerns to those already voiced about comparable implementations.”
There are also concerns that because the app is tied to PayPal, the security flaw may be exploitable with mobile payments.