Heartbleed is serious. It's a bug in OpenSSL's handling of the TLS heartbeat extension that lets an attacker read chunks of a server's memory, which means passwords, usernames, session cookies and other information sent over HTTPS to an affected server may have been exposed at any point in the roughly two years the flaw has existed. One industry that has been particularly cagey has been the Australian banking sector. The Commonwealth Bank just took to its blog to "explain" the situation, and it's now getting out of hand.
Update: The Commonwealth Bank has now responded to our inquiries. Scroll down for its response!
The blog post went up late last week when the world was in the grips of Heartbleed fever.
The blog post is a confusing read:
CBA customers can rest assured we are patched against the ‘Heartbleed’ bug.
I’ve had a few friends and customers ask me if they need to be concerned about using NetBank in light of the recent ‘Heartbleed’ OpenSSL vulnerability.
I’m happy to report that our customers can rest assured we are patched against the ‘Heartbleed’ bug and you do not need to change your NetBank password. This is a testament to the hard work of our security teams who constantly monitor and stay abreast of the latest security technologies, trends and updates.
We also offer all our NetBank customers a 100 percent security guarantee provided you keep your NetBank client number and password secure and notify us immediately of any suspicious activity on your account.
To find out more about staying safe online please visit commbank.com.au/security or take a read through my previous blogs.
Obvious errors in syntax aside, the Commonwealth Bank seems keen on ushering people along from the scene of an accident like there's nothing to see. Considering that Heartbleed is the most serious internet security flaw in recent memory and that CommBank is where most Australians do their banking, I'd say it is a big deal.
CommBank seems doubly keen on telling us that it knew about Heartbleed before the world did, thanks to its crack team. That would be especially convenient considering that it took Google, the smartest and largest tech company on the planet, two years to find the vulnerability on its own. Even if CBA did know about it before Google did, it's pretty irresponsible not to tell people about it, no?
Regardless, CommBank won't tell people how it secured their data either in the blog post or in the comments. Right now there's a "Moderator" pissing off users by doling out the same pre-approved cookie-cutter PR response to readers who have serious questions about their money.
Hi @jamesmac, you do not need to change your NetBank password. We are patched against the Heart Bleed bug. We are dedicated to ensuring our data and that of our customers is safe and secure. We take matters of security very seriously and our security teams are always up to date with all of the latest security developments so that we can continually strengthen the protections we have in place.
That, or some variation of that, has been spammed eight times into the thread, and people are getting cranky about it:
The platitude being repeatedly posted by the CommBank moderator shows a complete lack of understanding of the nature of the Heartbleed exploit and destroys my faith in CommBank's security. While applying the patch may prevent risk from now on, the bug could have been exploited at any time within the past 2 years! Anyone who ever logged in to NetBank in the past 2 years (anytime *before* the patch was applied) SHOULD change their password immediately.
These replies from CommBank are not reassuring. We need to know WHEN the patch was applied. How else can we feel assured that we do not need to change our passwords?
Is there much point in commenting? You are copy/pasting the same (mistyped) response to two legitimate questions. The 'Heartbleed' bug has been in OpenSSL for around 2 years. It has only just come to light and been patched. If you "have a patch" against Heartbleed then it implies you are using the affected version of OpenSSL and have therefore been vulnerable for anything up to 2 years. You should be carrying out a lot more work than just assuring us everything is fine, and we should all be changing our passwords once you have changed your server certificates & whatnot.
If you don't use the affected version of OpenSSL then please say that in your communication because what you're saying right now is not very reassuring and I can't do any internet banking until I'm feeling more reassured.
There are 30 other comments like that one, saying that the bank's response to this serious bug is either confusing or doesn't answer the question being asked.
We've reached out to the author of the blog post as well as the comms team in charge of mopping up after Heartbleed. We'll update you on whether or not NetBank ran a vulnerable version of OpenSSL in the last two years when we get an answer.
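The distinction the commenters are drawing, between "we are patched now" and "we were never exposed", follows from how the bug actually works, which neither the bank nor the article spells out. The C model below is an added example, not code from the article or from OpenSSL itself: it reproduces the shape of the flawed heartbeat handler and of the bounds check that OpenSSL 1.0.1g added, run against a constructed block of memory in which a fake session secret happens to sit just past the received record. The memory layout, the secret string and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed process memory (an assumption for this example): the received
 * record sits at the front, and whatever was allocated next on the heap, here a
 * fake session secret, follows it directly. */
#define MEM_SIZE     256
#define REAL_PAYLOAD 4                                  /* the record really carries "ping" */
#define RECORD_LEN   (3 + REAL_PAYLOAD + HB_PADDING)    /* 23 bytes actually on the wire */
static const char adjacent_secret[] = "password=hunter2;session=abc123";

/* Lay out a heartbeat request with an attacker-chosen length field, then the secret after it. */
static void build_memory(uint8_t *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "ping", REAL_PAYLOAD);
    /* bytes 3+REAL_PAYLOAD .. RECORD_LEN are the (zeroed) padding */
    memcpy(mem + RECORD_LEN, adjacent_secret, sizeof adjacent_secret);
}

/* Pre-fix logic: the length field inside the message is trusted and the size of
 * the record that actually arrived (rec_len) is never compared against it.
 * Returns the number of response bytes produced. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                                          /* the bug: never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* over-reads past the record into adjacent memory */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Post-fix logic: discard any request whose declared payload does not fit
 * inside the record that was actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return 0;                 /* too short to be a valid heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > rec_len) return 0;  /* the added bounds check */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* now guaranteed to stay inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Byte-string search that does not stop at NUL bytes (the leaked data contains some). */
static int contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* A request that claims 64 payload bytes but carries 4, through the vulnerable handler:
 * does the response echo back the secret that sat next to the record? */
int vulnerable_leaks_secret(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, 64);
    size_t n = heartbeat_vulnerable(mem, RECORD_LEN, out, sizeof out);
    return n != 0 && contains(out + 3, n - 3, "hunter2");
}

/* Length of the vulnerable handler's response to the same lying request (3 + 64 + 16). */
size_t vulnerable_response_len(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, 64);
    return heartbeat_vulnerable(mem, RECORD_LEN, out, sizeof out);
}

/* Length of the fixed handler's response for a request declaring claimed_len bytes;
 * 0 means the request was dropped. */
size_t fixed_response_len(uint16_t claimed_len) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, claimed_len);
    return heartbeat_fixed(mem, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, lying request (64 claimed): %zu bytes\n", fixed_response_len(64));
    printf("fixed handler, honest request (4 claimed): %zu bytes\n", fixed_response_len(4));
    return 0;
}
```

The patch only changes what the server does with the next malformed request; it cannot recall anything that was already copied out of memory by earlier ones, which is why "we are patched" on its own answers neither "when" nor "what leaked before then". A quick external check of whether a server could ever have been hit is to see whether it advertises the heartbeat extension at all: `openssl s_client -connect host:443 -tlsextdebug` prints the TLS extensions the server sent, and a server that does not list one named "heartbeat" will not process the request in the first place.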
Update: Here's the response from CBA. According to the bank, NetBank has never used OpenSSL at all, so it was never exposed to Heartbleed. Here's the statement in full:
"NetBank does not, and did not, use OpenSSL. All customer data is safe. Our customers do not need to change their passwords."
If only that had been said that clearly in the first place.
Let this be a lesson in disclosure: someone out there is going to be an expert on this stuff. A useful statement says whether the vulnerable library was ever in use, and if it was, when it was patched and whether certificates were reissued and sessions reset, because a patch stops future leaks but does nothing about what may already have been read. Write a simple version and a complex version and let your customers choose.