It’s nice that the tech world used its typical wordplay and logo savvy to give the problem a name and a quickie icon. But nothing can soften the fact that the Heartbleed encryption bug has sent the e-commerce world into a tizzy.
Here’s what retailers really need to know:
Heartbleed is not a virus
Most e-commerce sites use a security encryption protocol called Secure Socket Layers (SSL) that ensures that no one can observe transactions occurring on the internet. Sites using such systems show a locked padlock, and sites ping each other to confirm the security of these connections by using a signal nicknamed a “heartbeat.”
Hence the bug’s nickname, Heartbleed. Heartbleed is a coding flaw that affects a variant of this encryption technology called OpenSSL that is probably the most commonly used. The bug was discovered independently only last week by two different techies, one at Google and the other at a Finnish cyber-security firm. But while the discovery is recent, the problem has been sitting there for two years.
The most succinct demonstration of the process and its problem comes in comic form.
Heartbleed’s consequences are still largely unknown
The biggest problem of this bug is the fact that it’s an opening, not a happening. The latest version of OpenSSL has plugged it, but it’s impossible to know the extent to which thieves or hackers have been able to access any information in the past two years when it was still undetected.
Your company may not be affected
If your company or e-commerce site vendor uses OpenSSL, keep reading. Otherwise, wait for the next cyber-security problem to come your way. Amazon.com, eBay, Groupon, Target, TripAdvisor, Walmart, PayPal, and most banks apparently never were, or are not at the moment, vulnerable because of the bug. For more information, CNET looked into 100 sites regarding their vulnerability to Heartbleed. Note: Looks like Target can breathe easy about this one.
There is a repaired version of OpenSSL, but websites must take care to put it in place
Forrester Research was among the companies providing cyber-security professionals guidance on how to deal with the Heartbleed bug. Among its recommendations are to:
- Upgrade any software using OpenSSL to the latest, patched version.
- Communicate with any hardware and software vendors to ensure they’ve also upgraded.
- Once that is secured, have everyone within your company change their passwords.
- Explain to employees and customers what you are doing and what you have done to take precautions against this bug.
Get consumers in the loop
Even if you’ve done all you can to deal with Heartbleed, you must be proactive, clear, and forthright with your customers about your company's vulnerability and the steps you've taken. And let them know what they should do to further protect themselves.
One of the biggest criticisms of retailers that dealt with security breaches over the holidays was taking too long to let customers know. In the case of Heartbleed, it may be even more important because a customer changing their password to a e-commerce site is doing no good until the company has patched its system.
Take Heartbleed to heart — the internet is a vulnerable place
The holiday credit card breaches and this encryption bug, among other cyber-security problems that have occurred over the years, are clear reminders, yet again, of how vulnerable data is online. So far, retailers and banks have spent a lot of energy trying to figure how who should be responsible for the costs and design of improving data protection. Even the much-touted chip and PIN technology that helps at brick-and-mortar point of sales does nothing on the web.
Lawmakers are making serious moves to ensure that retailers stay on top of data protection. It helps that the National Retail Federation is establishing a security platform to help deal with the matter, but retailers themselves may need to get more proactive.
Target’s experience put a lot of focus on that company, but the malware that led to that breach didn't happen only to them. And the full effects of the Heartbleed flaw on retailers and consumers may be yet to be discovered. The trouble is, even feelings of insecurity, not just actual cyber-security incursions, send consumers skittering away from affected retailers and e-commerce sites. It behooves retail companies to stay on top of trouble, take all known precautions to prevent security breaks, and be proactive in communications with customers when problems occur.