
Coles Mastercard, Myer Visa Card and other GE Money partners stung by Heartbleed security bug

Ben Grubb

EXCLUSIVE

The Heartbleed bug left about half a million websites exposed.

GE Money is recommending customers change their passwords in the wake of the Heartbleed security bug, which appears to have made vulnerable a number of GE's Australian websites.

Financial websites run by GE Money, including the Myer Visa Card and Myer Card portals, as well as Coles Mastercard, were vulnerable to the Heartbleed security bug, Fairfax Media can reveal. A number of other GE partner websites, including 28degrees Mastercard, were also vulnerable.

A security warning appears on Myer's website.

Many of the affected websites have since been patched against Heartbleed or are in the process of being patched. It's understood Coles patched its Mastercard website on the night of Wednesday, April 9. It put a new private encryption key on the website on Friday, April 11.

Do you know more? Email bgrubb@fairfaxmedia.com.au

Being vulnerable to the security bug meant that the websites were potentially exposing financial details and log-in credentials up until recently, and that a hacker could have scooped up these private details before GE patched the flaw. As yet, there is no evidence to suggest the websites were compromised, although this doesn't mean that they weren't: according to the security researchers from Google and a Finnish firm who discovered it, exploitation of the Heartbleed bug left no logs.

A similar warning appears on Coles MasterCard's website.

At least one Canadian government department, the Canada Revenue Agency, said on Monday that the ID numbers of roughly 900 people were stolen from its systems, which were left vulnerable by Heartbleed. The agency said everyone affected would receive a registered letter and free access to credit protection services.

Fairfax Media contacted GE Capital and Coles on Friday about Heartbleed affecting their sites.

"There is no vulnerability or issue with Heartbleed for any of our platforms," Coles spokeswoman Anna Kelly said then. "Our tests confirm no recent or current vulnerability to Heartbleed."

The security advisory on GE Money's website.

After Fairfax then showed Coles evidence on Saturday that the Coles Mastercard site was vulnerable, Kelly said on Monday: "We cannot discuss details of our IT security testing or processes for obvious reasons. However, we can confirm that our systems have not been compromised."

Kelly did not dispute the evidence that the Coles Mastercard website was vulnerable.

Since Fairfax contacted Coles, its website is now showing a "security update" that links directly to the GE Money website. The advice, which appeared on the site on Monday night, says that recent media reports concerning Heartbleed demonstrated "the need to ensure that you regularly change your online passwords".

"GE has taken precautions and steps to protect customer data from this [Heartbleed] threat and has no reason to believe that any customer data has been compromised," the advisory says.

"To change your password now, please click on the 'forgot your password' link…"

Furthermore, the Coles Mastercard, Myer Visa Card and Myer Card websites now have new SSL certificates with Friday's date, meaning that they were all updated in the wake of the Heartbleed bug. The bug was officially disclosed by the team behind the open-source encryption software OpenSSL at 3.27am AEST on Tuesday, April 8.

Experts recommended that SSL certificates and their private keys - keys only website owners are supposed to have - be changed if a site was vulnerable to Heartbleed, as the keys may have been copied by hackers and could be used to perform "man in the middle" attacks against customers, decrypting their internet traffic to reveal encrypted data.
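An added example, not from the article or from GE, Coles or Fairfax, of the check a defender would run on a site's certificate after Heartbleed: a NotBefore date after disclosure (like the Friday-dated certificates above) only shows the certificate was re-issued, while the public key must also differ from the pre-disclosure certificate, or the possibly leaked private key is still in use. The certificates and the host name example.invalid are constructed test data; the disclosure time is taken from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Disclosure time as the article gives it: 3.27am AEST (UTC+10) on Tuesday, April 8, 2014.
var heartbleedDisclosed = time.Date(2014, time.April, 8, 3, 27, 0, 0, time.FixedZone("AEST", 10*3600))
// checkRotation compares the certificate served before disclosure with the one served now: a later
// NotBefore only proves re-issuance; the SubjectPublicKeyInfo must change too or the leaked key is still in use.
func checkRotation(old, cur *x509.Certificate) (reissuedAfter, keyRotated bool) {
	return cur.NotBefore.After(heartbleedDisclosed),
		sha256.Sum256(old.RawSubjectPublicKeyInfo) != sha256.Sum256(cur.RawSubjectPublicKeyInfo)
}

// selfSigned builds a constructed test certificate; example.invalid is a hypothetical host, not a real site.
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, notBefore time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// demo: a post-disclosure re-issue keeping the OLD key (looks fresh, not safe) vs one with a NEW key.
func demo() (sameKeyReissued, sameKeyRotated, newKeyReissued, newKeyRotated bool) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	before := selfSigned(oldPub, oldPriv, time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC))
	sameKeyReissued, sameKeyRotated = checkRotation(before, selfSigned(oldPub, oldPriv, time.Date(2014, time.April, 11, 0, 0, 0, 0, time.UTC)))
	newKeyReissued, newKeyRotated = checkRotation(before, selfSigned(newPub, newPriv, time.Date(2014, time.April, 11, 0, 0, 0, 0, time.UTC)))
	return
}

func main() {
	fmt.Println(demo()) // prints: true false true true
}
```

Against a live site the two inputs would be the certificate captured before April 8 (from a TLS log or certificate-transparency record) and the one the server presents now.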

A GE Capital spokeswoman told Fairfax on Friday the same advice that has since been put on GE Money's websites.

Myer said in a statement that it was "confident" that GE was able to protect its customers against the Heartbleed bug.

"[GE] has taken the appropriate action to protect customer data in line with industry best practice," a Myer spokeswoman said on Tuesday.

Further calls and emails for details from Coles and GE went unanswered on Tuesday.

Comment is also being sought from 28degrees Mastercard, as well as other affected GE partners.

The revelation that GE's financial websites were vulnerable to Heartbleed follows a source telling Fairfax on Monday that the Commonwealth Bank of Australia's main website was also vulnerable, but not its NetBank website. A CBA spokeswoman said on Thursday that the bank had "patched against the Heartbleed bug".

It's understood CBA's main website - commbank.com.au - used Amazon Web Services' Elastic Load Balancing, which Amazon indicated was vulnerable to Heartbleed.

Amazon has since patched against it.

The source said other CBA sites - such as Commbiz and Commsec - were not vulnerable to Heartbleed.

CBA's official statement and a separate blog post have infuriated many customers on Twitter and in the blog comments, as neither reveals which CBA websites were vulnerable to Heartbleed. Security experts said that if a website was vulnerable to Heartbleed and it handled passwords, then those passwords should be changed.

CBA was ridiculed for its stock standard response to the Heartbleed fallout. To confuse matters, CBA's NetBank website has been offline since 10.30am AEST on Tuesday.

A number of other websites including the Federal Court's Commonwealth Courts Portal, JB Hi-Fi, Priceline, and Australia's Computer Emergency Response Team websites were also vulnerable to Heartbleed and have since been patched. A number of other Australian small business websites remain exposed and have not patched against Heartbleed.

"The Heartbleed bug has put personal information held on many systems running OpenSSL at risk," Australian Information Commissioner, John McMillan, said on Friday.

Professor McMillan reminded all entities covered by Australia's Privacy Act that they "must take reasonable steps to protect the personal information they hold".

"Part of those obligations would include regularly monitoring the operation and effectiveness of their [information and communications technology] security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of any personal information they hold," he said.

"Where a vulnerability has been identified, patches and software upgrades should be rolled out as soon as possible. Once organisations have patched the Heartbleed vulnerability, the [Office of the Australian Information Commissioner] strongly encourages them to assist their users to change their passwords."

with AP

24 comments

  • The irony is, according to Mashable - until the infected web site puts up a patch against the Heartbleed bug - changing your password won't protect your account. Has GE put up a patch or are they still denying there is a problem?

    I've noticed the Coles Master Card login page is down now.

    Commenter
    p
    Date and time
    April 15, 2014, 3:38PM
    • I just changed a password on the GE site, without any hitches at all.

      Commenter
      bornagirl
      Location
      Melbourne
      Date and time
      April 15, 2014, 3:49PM
    • How about contacting the person that was mentioned on another article that created this bug? Nobody is mentioning what fines or penalties apply to this person. I find it very strange....

      Commenter
      The Other Guy1
      Date and time
      April 15, 2014, 3:53PM
    • Oh heartbleed, you just make my heart bleed.

      Commenter
      The sky is the limit
      Location
      The sky, of course
      Date and time
      April 15, 2014, 4:09PM
    • Did you actually read the article? It quite clearly says that they have fixed the problem and now require users to change their passwords.

      As to The Other Guy1's comment, the bug wasn't created by anyone in particular. It was discovered by a security company. This wasn't a hack or anything, it was a simple error in the code.

      Commenter
      Frank
      Location
      Brisbane
      Date and time
      April 15, 2014, 4:57PM
    • Penalties? Fines? You obviously have no idea how the Open Source Community works (if you have ever heard of it). This software is provided completely free of charge but you accept the risks of using it! If you don't like those conditions, then lobby businesses you customise to stop using it but be prepared for MASSIVE price rises....

      Commenter
      Les
      Location
      Sydney
      Date and time
      April 15, 2014, 5:18PM
    • The Other Guy1 - It's free and open source software. There is NO warranty. Your misplaced anger should be directed at Coles for sponging off the open source world - and dare I say, not contributing one cent to its continuation.

      As the old saying says: "If you break it, you own both pieces".

      Commenter
      Mr T
      Date and time
      April 15, 2014, 5:27PM
    • @The Other Guy1 - Why should the guy that created the bug be fined? He helps create some software, releases it for free for anyone to do with as they please. Many multinationals then use that software for free to secure financial systems and don't pay anyone to check, test or maintain it. Who is at fault there?

      Commenter
      Dave
      Location
      Melbourne
      Date and time
      April 15, 2014, 6:17PM
    • It's critical to be cautious about entering credit-card info on electronic devices and the Internet...

      They are, so far, immune from most viruses and spyware, although they do need better firewalls.

      So, have these credit card providers actually actively (not passively on their websites) advised their credit card customers, to take action or not?

      As our hearts bleed for most banks and credit card peddlers.

      Commenter
      Hillary Q.
      Date and time
      April 16, 2014, 12:07PM
  • Boring...Amateurs abound...Visa, GE, Mastercard, Banks...Amateurs galore.

    Commenter
    Master
    Location
    Sydney
    Date and time
    April 15, 2014, 3:50PM