Heartfelt Advice: Heartbleed Facts from E-Commerce Pros

Published May 26th, 2014 by Michael Farin

When the OpenSSL bug Heartbleed went public, the whole web went crazy. Apparently, this system defect has been leaking data for two years, and nobody realized what was going on. (Well, maybe the NSA knew – but they’re not telling.)

Heartbleed is an especially big scare for e-commerce companies, since the bug could potentially compromise passwords, credit card information and more. Right now, we’re all asking questions: Who’s affected? What are the next steps? And what should online store owners do to stay safe after Heartbleed?

Here are some answers – and helpful tips – from top e-commerce providers.

Z-Firm’s Rafael Zimberoff says the most vulnerable systems are PHP-based and run on Apache web servers. (PHP applications include Magento, Zencart, WooCommerce, Opencart and more.) “Merchants need to own and solve the issue themselves,” Zimberoff says. He's posted a handy list of tips here.

Etsy was the first e-commerce company to offer marketplace-specific tips about Heartbleed. Michael Rembetsy, the VP of Technical Operations, reassured users: "While at this time we have no indication that an attack against Etsy has occurred beyond proactive security tests, members who want to take extra precautions can take the following steps.

eBay spokesperson Ryan Moore says eBay users can continue to shop safely after Heartbleed: “The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace. Consumer safety is our top priority, and we will continue to monitor this bug to ensure our users remain protected.”

Amazon was not affected by Heartbleed, according to spokesperson Ty Rogers. End of story.

PayPal claims that user accounts have remained secure and that no passwords or information were compromised. “When you login to PayPal using your user name and password these details were not exposed to the OpenSSL vulnerability,” the company says. However, PayPal did recommend that a small number of businesses upgrade their Payflow Gateway integrations to avoid vulnerability. According to PayPal CTO James Barrese, "We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations.” So essentially, if you haven’t heard from PayPal, you’re fine.

Many hosting companies have provided a patch to fix vulnerable servers – some will install it for you automatically, some will not. GoDaddy Chief Information Security Officer Todd Redfoot recommends: “Online merchants (should) confirm their IT provider has secured their service environment and then rekey their SSL Certificates.” After taking these steps, most e-commerce stores should be secure.
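Two quick checks a store owner can run to confirm those two steps (patched OpenSSL, then a re-issued certificate), added here as an example and not taken from the article or from any of the providers quoted. It assumes shell access to the server, the server's own `openssl` binary, and the site certificate saved as `cert.pem`; the version strings and dates fed in below are constructed samples.

```shell
#!/bin/sh
# Added example: confirm the Heartbleed remediation steps on a merchant host.
# Check 1: is the OpenSSL build in the vulnerable range (1.0.1 .. 1.0.1f, 1.0.2-beta1)?
# Check 2: was the TLS certificate (re)issued on or after the day the fix shipped?

HEARTBLEED_FIX_DATE="2014-04-07"   # OpenSSL 1.0.1g release date

# openssl_heartbleed_vulnerable "OpenSSL 1.0.1e 11 Feb 2013"  -> returns 0 (vulnerable)
# Accepts the full `openssl version` line or a bare version such as "1.0.1f-fips".
# Caveat: distributions backport the fix without changing the version number, so a
# hit means "ask the hosting provider to confirm the patched package", not proof.
openssl_heartbleed_vulnerable() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p')
  [ -n "$ver" ] || ver=$1
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 through 1.0.1f, any suffix
    1.0.2-beta1)                    return 0 ;;
    *)                              return 1 ;;
  esac
}

# cert_rekeyed_after_fix "notBefore=Apr 10 12:00:00 2014 GMT"  -> returns 0 (re-issued)
# Takes the line printed by `openssl x509 -noout -startdate -in cert.pem`.
# A certificate whose validity starts before the fix date was issued for a key that
# may have been exposed while the server was unpatched, so it needs rekeying.
cert_rekeyed_after_fix() {
  line=${1#notBefore=}
  set -- $line                      # split into: Mon Day HH:MM:SS Year Zone
  mon=$1; day=$2; year=$4
  case "$mon" in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 2;;                   # unparseable input
  esac
  case "$day" in ?) day=0$day;; esac   # openssl prints single-digit days unpadded
  issued="$year$m$day"
  fix=$(printf '%s' "$HEARTBLEED_FIX_DATE" | tr -d '-')
  [ "$issued" -ge "$fix" ]
}

# On a live host (constructed usage, uncomment to run):
# openssl_heartbleed_vulnerable "$(openssl version)" && \
#   echo "OpenSSL build may be vulnerable: confirm the backported fix with your provider"
# cert_rekeyed_after_fix "$(openssl x509 -noout -startdate -in cert.pem)" || \
#   echo "certificate predates the fix: generate a new key and reissue"
```

Passing both checks shows the visible remediation happened; it does not tell you whether credentials used before the patch were rotated, which the same advice implies.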

Jimmy Rodriguez, the CTO of 3DCart, says online store owners should also make sure their platform is PCI compliant – and that hosting companies should make extra efforts to be secure. E-commerce store owners may not have all the tools they need to maintain compliance, so a knowledgeable hosting provider is crucial.

"Part of being a PCI compliant hosting provider includes making sure that the operating system software is constantly updated, and that someone at the organization is constantly on the lookout for new security updates, as new ones appear on a regular basis,” Rodriguez says. “While companies will constantly test their software, and release patches, the hosting environment itself needs to be constantly monitored as well."

For more tips on staying safe after Heartbleed, read our article here.
