Will Heartbleed strike at retail’s digital heart?
While the long-term repercussions of the holiday credit card breaches at Target and other retailers are still largely unknown, last week’s revelation of the Heartbleed bug appears much more mysterious and threatening.
First publicly revealed last Monday, the Heartbleed bug affects servers that rely on OpenSSL, free encryption software that was, ironically, designed to make the internet more secure and is used by about two-thirds of internet servers.
On his personal blog, computer security expert Bruce Schneier describes the bug as a "catastrophic" weakness that could theoretically allow hackers to steal passwords and usernames across a variety of e-mail hosts, shopping sites and other platforms. "On a scale of 1 to 10, this is an 11," he wrote.
Hackers can also potentially eavesdrop on communications and even impersonate users and other websites, scamming users into giving them more personal information. The threat went undetected for more than two years, and it’s difficult to tell if any attacks resulted because they don’t leave behind distinct footprints.
Amazon, Target and eBay are among the retailers claiming they were not exposed to the Heartbleed bug, although some security experts still feel many should have stressed a greater urgency to change and strengthen passwords. Operators of smaller websites are said to face a lengthy process in making fixes.
E-commerce transactions overall are seen as more vulnerable to future attacks. Pointing to eMarketer’s prediction that global e-commerce sales will grow 20.1 percent this year to $1.5 trillion, The Economist writes, "That is a huge commercial opportunity, but it will also encourage cyber-crooks to target businesses even more vigorously. Expect more computer-security heartburn in boardrooms."
To most, however, the bug illustrates the overall risky nature of the internet, which The Washington Post describes as "inherently chaotic, built by multitudes and continuously tweaked, with nobody in charge of it all."
Consumers have heard calls to change passwords, especially those protecting sensitive data like e-mail and bank accounts. Reminders also came for installing software updates, updating virus protection and checking statements for unscrupulous activity. Government officials and businesses were likewise summoned to take cyber threats more seriously.
In an opinion piece, The Washington Post says that with the Target breach and Heartbleed, "we continue to discover that [the internet] is vulnerable to theft, intrusion and disruption on an appalling scale."
- Heartbleed – Codenomicon
- Heartbleed – Schneier on Security
- Digital heart attack – The Economist
- Global B2C Ecommerce Sales to Hit $1.5 Trillion This Year Driven by Growth in Emerging Markets – eMarketer
- Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass – The Washington Post (tiered sub.)
- Retailers Sending Mixed Messages in Wake of ‘Heartbleed’ Bug Scare – ABC News
- Massive OpenSSL Bug ‘Heartbleed’ Threatens Sensitive Data – The Wall Street Journal (sub. required)
- Ecommerce Sites Warn Sellers About The Heartbleed Bug – Pymts.com
- Heartbleed portends larger security threats – The Washington Post (tiered sub.)
How does the ongoing threat of Heartbleed and similar weaknesses change the internet’s opportunity for retailers? By asking consumers to be more vigilant, will retailers depress e-commerce sales?