It’s no secret that news on the internet commerce / security / hack & bug front is “breaking” faster and more furiously than we’d like it to. But we’re determined to keep you updated so the surprises you have to plan for can be… a wee bit less surprising.
We’ll get to “Heartbleed” in a moment, but also know that Krebs on Security has just reported a year-long breach in the LaCie company website, where customer information could have been exposed. LaCie makes hard drives and data storage units, and if your company bought anything from them between March of 2013 and 2014, you may want to double-check your accounts.
On the much larger “Heartbleed” front, the news is very roller-coastery. There was some thought, initially, that it might not be as “bad” as feared, since private security keys couldn’t be retrieved via the “hole.”
But after a hacker challenge went out, this proved not to be the case: Those private keys were found, and reported. Which means, unfortunately, hackers could theoretically spoof, or mimic, a site, in hopes of getting folks to log on and give up their private financial information.
With everyone so wary, the Federal government, as reported on the American Banker site, issued an advisory to financial institutions — though many reported they were already safe (since they weren’t using OpenSSL, the protocol with the vulnerability) — saying “Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch.”
And large, non-finance companies, like Amazon and Google, etc., were busy patching any potential leaks. But that very rush to patch, with updated certificates, may come with a certain cost. The Washington Post’s “Switch” column reports the following:
“The next step, experts say, is for all 500,000 affected sites — from mom-and-pop retailers to big conglomerates — to revoke their security certificates and issue new ones.
But as necessary as that process is, it could have dramatic consequences for Web users’ everyday experiences.
“When you visit a secure site, your browser checks the site’s security certificate against a list of invalidated certificates. Depending on how it is designed, the browser probably downloads that list to your computer. Because sites rarely change their certificates, the lists are relatively short.
“But the Heartbleed exploit now requires hundreds of thousands of sites to add their certificates to the list, practically overnight. The certificate revocation lists will become bloated with new entries. And browsers will continue to download the now-massive files,” which could gum up “cruising speeds,” or certainly “user speeds,” on the internet, quite a bit.
It will, in any case, take some time to sort itself out, and alertness is called for — but isn’t it always?
Speaking of calls, you may want to get in touch with your AVPS Rep to make sure all your security options are up to date, and that your customers — whose online patience could be tried very shortly — have as many payment options for your business as possible.
Meanwhile, we leave you with some potentially better news: “a Swedish student at Lund University has devised a way to pay for goods using a vein map of your hand,” according to the BetaBeat website.
“Fredrik Leifland’s system uses vein-scanning technology that already existed… He merely connected the scanning terminals, banks, stores and customers to create a new system.”
Upwards of 15 stores near the campus are using the technology already. We will assume that the veins in your hand remain, at this point in time, unhackable. (At least until they perfect the whole “replicant” thing.) So: Take good care of them, and we’ll see you with another week’s worth of news soon.