Heartbleed and online buying
Hey gang! Anyone out there thinking about Heartbleed in relation to your online purchasing? Curious as to what folks are doing in response to this bug. I wonder how it changes online buying habits? Short-term? Long-term?
Wishing each of you all the joy you can stand,
Nah, security breaches are a fact of life these days and they don’t bother me really. I change my passwords, I keep an eye on my credit cards, but otherwise nothing about my habits changes.
Unlike some I’ve been a victim of credit card fraud more than 5 times (various reasons, just unlucky I guess) and so it is pretty old hat to me and not really a reason to freak out. And actually all the times my credit card number has been stolen it was most likely from a hacked card reader or brick-and-mortar merchant database, which is to say that in my experience buying in store has been more dangerous than buying online!
That’s a valid point! I’ve had 3 Visas that were compromised and each time it was because I used it at a physical location that had been compromised.
Yeah, the biggest risk is usually skimmers at gas pumps and ATMs and grocery stores. Even the huge Target breach was from retail point-of-sale machines; online shopping is comparatively pretty safe, especially if you stick to using PayPal, and remember to have unique passwords for everything.
Doesn’t change what I’m doing, especially since I know the banks and PayPal are still secure. And I assume (perhaps wrongfully?) that whatever connects my payment info through those services to the vendors would also be secure?
Actually, not all banks were safe from Heartbleed. There are a number of websites you can use to check to see if an online site you bought from or if your banking website was affected or could have possibly been affected.
I checked a number of retailers I purchased from recently, mostly tea, and all of them were listed as possibly affected with no fix to the website known at the time I checked.
Sadly, most tea vendors don’t actually use SSL at all, I’ve found, so they’d be unaffected (for login/password leaks etc.; payment-wise, I only ever use shops that use PayPal, never directly trust them with a credit card). Even Steepster doesn’t have a working SSL certificate. Also, the bug was introduced fairly recently, so their site software would have needed to have been updated in the last year or 2, and the new heartbeat TLS extension enabled. Even among SSL-supporting websites only like 18% of those fit that criteria and were vulnerable, and small-scale tea vendors tend to really fall behind the curve on tech updates, using the same old static site software forever (though that has its own risks…).
I use LastPass, which gave me a list of the passwords and sites I needed to review ASAP, as well as recommendations as to what to do (wait, update now, etc.) Other than that hour of my day spent updating passwords and information, it’s changed little for me.