No, that’s not a typo. If you haven’t heard of “Heartbleed” yet, listen up.
Events that radically change our lives don’t come along that often. The 9/11 attacks changed not only how we travel, but how we think and act when we go out. Having your belongings searched when you go out to a ballgame was unthinkable before; now it’s routine.
Heartbleed is such an event, and over the next few years it will change how all of us do business.
What is Heartbleed?
It’s a security breach, but not just any security breach. Think of the infamous Target breach as a little rowboat and Heartbleed as the Queen Mary. Some have called it the biggest data security breach in the history of the Internet, and the ripples across the digital landscape have only just begun.
When you do financial transactions online, have you noticed how the URL (web address) at the top of your browser changes from “http” to “https“? That little “s” stands for “secure.” The boffins call that feature “Secure Socket Layer” or “SSL.” It’s a method used to encrypt your information so nobody can see it. Anybody with a web business knows that, to receive payment, your payment processor will only use those safer SSL pages; and, for years, people have bought and sold on the Internet trusting that little “s” to protect their information.
Heartbleed is not a reach into one or two databases to pinch some data like at Experian or Target. It’s a leak in the very foundation of the encryption applied to all transactions sent over the Internet. Think of it not as robbing a bank, but hijacking all mail going to and from all banks and businesses. The assault is not on a particular target; it’s on the communications between all companies and people using the Internet. Crooks who understand this can simply tap into this “hole” and monitor all the secrets flying across the wires and airwaves — secrets like your passwords and login IDs.
How Does It Work?
Every transaction running on a secure server (one with “s” in its address) relies on encryption (or scrambling) of the information. In order to make sure that the encryption for a particular transaction works, the receiving server will echo it back to the sender, asking in essence, “Hey, is this what you actually meant to send?” When the sender says it’s going to send 100 kilobytes (kb) of data and sends only 1, it gets back 99kb of other data the server had lying around, marked as obsolete but still there.
Here’s a good semi-technical explanation of the bug and its fix.
It is impossible to understate the magnitude and significance of this breach. It affects literally everyone who uses the Internet. Never has a single bug had such widespread impact. Mashable surveyed the major sites and posted their exposure and responses here.
The good news is this isn’t something some bad guys cooked up for evil purposes. It’s an honest coding error which few good guys or crooks knew about. The bad news is that has now changed. You just know the publicity of this bug is like waving a red flag to a bull for evil people. Any crook worth his salt has just canceled his vacation plans and hired every hacker looking for work to figure out how and where to start tapping the lines for ID information on millions of unsuspecting people.
How bad is it? Nobody knows. It’s impossible to say when you’ve sent someone else’s information over a phone line when your logic told you it was only your customer’s. This may be like the Y2K thing, a storm in a teacup. However, all you need to mess up your life is a single identity theft, so this is definitely a prime example of better safe than sorry.
What You Need To Do … Now!
1. Change all your passwords – every single one. I know. I know. Simply keeping track of your 9,237 passwords is a pain in the patootie. So is going through security screening at an airport. Think of this as airport screening for your everyday life — an unwelcome hassle that has now become part of your Internet travels.
We’re talking all passwords, even the ones that don’t affect your money, such as, email, social media, hobby bulletin boards, airline frequent flyer sites, clubs … everything. Some of those sites may already have contacted you to do this. Now you know why. Either way, just do it.
2. Change them again two months from now. There will be a flurry as thousands of servers receive patches to their security systems. However, until those patches are in place, it’s better to be safe than than sorry. I have adopted a system that allows me to change passwords on a regular basis in a way that still allows me to keep track of them.
Keep a log somewhere of your passwords – but don’t keep it on your computer or phone. (Also, not in your wallet.) Or, if you do, encode them with a simple coding system, like writing down the next letter instead of the real one. For example, if your password is “nutso” then write “ovutp” wherever you’re keeping track of it — each letter written down is one letter after the real one. It’s a pain, that’s true. But pain has now become part of your Internet and credit card transactions.
That’s right, even your non-Internet credit card transactions are affected. How? That restaurant you eat at probably can’t afford a sophisticated-enough system. Same with the gas station, dry cleaners, and all mom-and-pop vendors you use. Each “brick and mortar” debit- or credit-card transaction is still sent over an open communication line to their credit-card processors. Secured, you thought. But now we know “secured” is not so secure after all.
3. Go old school. Use cash wherever and whenever you can, especially with mom-and-pop vendors. Is it less convenient? Sure it is. But so is going through airport screening. And just like Osama bin Laden made us all do it, someone else just made you do it. Buy a beer and cry in it or kick a hole in the wall — and then just do it.
This will give new meaning to the old saying “Cash is King.”
Do you have any tips for how to make any information anybody may have recovered on you become unusable to them? Please share.