Heartbleed Fallout Continues

April 14, 2014

Since last week, e-commerce, payments and security companies have been reacting to the news of the security vulnerability, dubbed the Heartbleed Bug (CVE-2014-0160), uncovered in OpenSSL, the open-source library that implements SSL/TLS for a large share of the Web's encrypted connections. Servers running an affected release (OpenSSL 1.0.1 through 1.0.1f) answered a malformed TLS heartbeat request with up to 64 KB of their own process memory, which can include private keys, session cookies and user passwords. Websites that ostensibly were protected by OpenSSL were, in actuality, leaking that information to anyone on the Internet who asked for it, enabling attackers, in the words of the researchers who disclosed the bug, to “eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

While PayPal announced to consumers that the bug did not affect their accounts, security experts said most people using the Internet are likely to be affected either directly or indirectly, because a password reused on one exposed site can be tried against others. Merchants and other websites that use OpenSSL to protect sensitive data must therefore take action to protect both themselves and their users.

PCI-compliance technology provider ControlScan recommends four steps to its clients to begin addressing the potential damage from Heartbleed:

  • Immediately upgrade to the latest available version of OpenSSL (1.0.1g or later fixes the bug; 1.0.1 through 1.0.1f are vulnerable), then restart every service linked against the library, since a running process keeps using the old code until it is restarted
  • Revoke any SSL certificates used on the affected server, since the private keys behind them may have been read from memory (revoke once the replacement certificate is installed, so the site is not left without a valid certificate)
  • Generate new private keys and obtain newly issued certificates for them to replace the potentially compromised ones; re-issuing a certificate for the old key does not help, because it is the key, not the certificate, that may have leaked
  • Consider a near-term strategy for updating passwords, SSH keys, session cookies and any other sensitive authentication data that may have passed through memory on affected systems

(Editor’s note: CardNotPresent.com, in an effort to ensure our registered users’ personal information is safe, subjected our systems to two separate diagnostic tests. Both tests showed our systems were not vulnerable to the Heartbleed bug.)