Make no mistake: the Heartbleed bug is a very big deal. It affects just about every place we do business online, as well as our own browsers, which store cookies that include the passwords and private keys we use to access those places of business.
“Websites with the Heartbleed bug are all over the place – merchants, cloud services, even business associates connected with online businesses could be the weak link that exposes customer data,” says Chris Wysopal, Chief Technology Officer at Veracode, which offers a Heartbleed discovery module that lets businesses find this bug quickly on their websites.
Experts and the media advise replacing passwords, but that only helps AFTER our places of business have cleaned up the bug. Yet consumers are not being told when their places of business have repaired it. Even where businesses are forcing password resets on their customers, there is no way of knowing whether the business fixed its own bug first.
And most of the alerts consumers get in their email and SMS are phishes – fake messages telling them to click this link to fix the bug. But when consumers click, the phishers own everything on the victim’s computer.
“There is no clear way to notify consumers when it’s the right time to change their passwords,” Wysopal adds. “If the criminals have already stolen the certificate that validates a consumer to the website, and then they phish that consumer and ask for a password, it is a perfect attack against consumers and their online accounts.”
Businesses likely have forgotten many orphan sites developed by marketing and other units that are still taking consumer information without being patched. This will also create lingering problems that will likely affect consumers for years to come.
So, what’s a consumer to do? Clean your browser history for starters, and avoid stored passwords for now. It’s an inconvenience, but may make it more difficult for a phisher to get passwords from cookies associated with compromised sites.
Also continue to keep separate passwords for different accounts, and do not reuse the password from your email account anywhere else on the Internet, since email addresses are now often used as the username when logging in.
Finally, don’t reply to messages asking you to click something to change your password. If you have concerns, go directly to your place of business the way you normally do and change it there. Just be wary that the site itself may not have replaced its bad certificates, and if that’s the case, changing your password won’t help.