Will Heartbleed strike at retail’s digital heart?

While the long-term repercussions of the holiday credit card breaches at Target and other retailers are still largely unknown, last week’s revelation of the Heartbleed bug appears much more mysterious and threatening.

First publicly revealed last Monday, the Heartbleed bug affects servers that relied on the free OpenSSL encryption software, which was, ironically, designed to make the internet more secure and is used by about two-thirds of internet servers.

On his personal blog, computer security expert Bruce Schneier describes the bug as a "catastrophic" weakness that could theoretically allow hackers to steal passwords and usernames across a variety of e-mail hosts, shopping sites and other platforms. "On a scale of 1 to 10, this is an 11," he wrote.

Hackers can also potentially eavesdrop on communications and even impersonate users and other websites, scamming users into giving them more personal information. The threat went undetected for more than two years, and it’s difficult to tell if any attacks resulted because they don’t leave behind distinct footprints.

Amazon, Target and eBay are among the retailers claiming they were not exposed to the Heartbleed bug, although some security experts still feel many should have stressed a greater urgency to change and strengthen passwords. Operators of smaller websites are said to face a lengthy time making fixes.

E-commerce transactions overall are seen as more vulnerable to future attacks. Pointing to eMarketer’s prediction that global e-commerce sales will grow 20.1 percent this year to $1.5 trillion, The Economist writes, "That is a huge commercial opportunity, but it will also encourage cyber-crooks to target businesses even more vigorously. Expect more computer-security heartburn in boardrooms."

To most, however, the bug illustrates the overall risky nature of the internet, which The Washington Post describes as "inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all."

Consumers have heard calls to change passwords, especially those protecting sensitive data like e-mail and bank accounts. Reminders also came for installing software updates, updating virus protection and checking statements for unscrupulous activity. Government officials and businesses were likewise summoned to take cyber threats more seriously.

In an opinion piece, The Washington Post says that with the Target breach and Heartbleed, "we continue to discover that [the internet] is vulnerable to theft, intrusion and disruption on an appalling scale."

Discussion Questions

How does the ongoing threat of Heartbleed and similar weaknesses change the internet’s opportunity for retailers? By asking consumers to be more vigilant, will retailers depress e-commerce sales?

9 Comments
Max Goldberg
9 years ago

Heartbleed and other viruses dramatically demonstrate the need for retailers and consumers to be ever vigilant when using the internet. Security must be a constant concern. Retailers should help consumers create and maintain passwords, just as they must keep their websites as secure as possible. Unfortunately, consumers’ worst fears about internet security are coming true, which may have a significant impact on ecommerce.

Camille P. Schuster, Ph.D.
9 years ago

Asking consumers to be more vigilant makes them more nervous. Finding out that one of the tools that was supposed to help security is open to vulnerability only intensifies concerns. Having retailers asking consumers to be more vigilant lacks credibility because so many retailers have not been vigilant and have had their security breached. This is a huge issue for the future of e-commerce.

Paula Rosenblum
9 years ago

I think Cathy Hotka has had it right all along. We desperately need an ISAC in retail, and it should include retailers, banks and (I guess) major developers.

Heartbleed is bigger than retail, that’s for sure. Everyone and their mother (literally!) has wireless connectivity in their homes – and Cisco has announced it is vulnerable. It sounds like everyone doing anything with a Linux kernel is vulnerable, which is very scary.

The thing is that constantly changing passwords feels a bit like taking your shoes off at airport security. It makes someone feel better, but is not particularly useful.

So there’s only one choice. And that is to declare war on black-hats. The internet is complex and to a certain extent chaotic, but there’s no reason we can’t be safe. It just takes vigilance. REAL vigilance.

Ryan Mathews
9 years ago

The question really is, “Is there a point where the threat to security and/or the inconvenience of having to go back and register new credit/debit cards for all those automatic billing accounts overcomes consumer inertia and the convenience of shopping online?”

And the answer to that question is that it is possible, but not probable. The consuming horse has escaped the brick and mortar barn and there’s no bringing it back.

Rather than treating this as a weakness retailers should be doubling down on their encryption protocols and stressing why doing business with them is safer than the rest of the Internet.

As long as there are digital systems there will be hackers. That’s just a fact of cyber life. And we all will need to find out how to deal with it.

Ralph Jacobson
9 years ago

Consumers continue to increase their usage of eCommerce sites, while these threats also continue to permeate throughout the world. I believe that security capabilities are in place to stop most threats on a daily basis. Of course, as soon as a security software application thwarts an attack, the hackers simply try another avenue. So, although these hackers will keep the security software companies in business for a long time to come, I believe that consumers will not be going away from eCommerce anytime soon.

W. Frank Dell II, CMC
9 years ago

When e-commerce started up, one of the key elements that slowed its growth was the security issue. In particular, the consumer’s credit card information. Online banking was only a dream at this time. Remember when 90% of all checkouts were dropped? This was due to a combination of concern over credit card information safety and shipping costs. Some credit card companies issued an internet only card for consumer protection.

I don’t think a couple of information breaches will slow sales growth. Most consumers have no idea what Heartbleed is or does, so it will not be an issue. All retailers must up their security and inform customers quickly. What will slow down e-commerce is if a website like Obamacare is hacked and all the personal information taken and used. This would damage online shopping for years.

Li McClelland
9 years ago

A friend has just gone through an horrific experience with her email being hacked — and now none of us in her extensive address list know how vulnerable we might also be because of it. The more first-person experiences actual people have with actual breaches, the more reluctant we are about e-commerce and banking online. Yes. Companies that rely on internet traffic need to be very worried about the cumulative effects of stuff like this.

James Tenser
9 years ago

Like others here, I’m still wrestling with the implications of the Heartbleed bug for typical users. It seems like regular folks may need to change a few or many passwords to ensure safety. That can require a lot of effort, particularly where cookies need to be deleted followed by re-registration.

For retailers, that might mean notifying and then assisting frequent shoppers and app users through the process.

But I have more than 100 online accounts and so far only one has notified me about the risk, and it recommended changing my login as a precaution, not because of any detected breach.

So the real impact may be behind the scenes, as the owners of servers labor to patch the OpenSSL vulnerability and close the hole.

Despite the news coverage, the Heartbleed story may seem rather remote to the average online shopper. I doubt most will change their habits very much, unless anecdotes emerge describing individual victims.

Kai Clarke
9 years ago

No. Internet sales will continue to increase because that is the nature and future of retailing. This is more akin to the reliability of cars when they were first mass produced. They broke down, but the automobile continued to sell and thrive. The same will continue with the Internet…better retail, lower costs, and enhanced communications and consumer experiences.