This morning, as you might be aware, the OpenSSL bug called Heartbeat was announced. Here is my and others' experience with HSBC, Barclays and Nationwide.
HSBC

I called HSBC, this is my personal bank. They seemed to pretend like they knew what I was talking about. I asked to be transferred to some security report line or be given an email. HSBC informed me that everything is fine and as far as they were aware, I had nothing to worry about. I knew that they probably weren't lying considering how long I was on the line. Plus their site and mobile apps don't seem to be running on OpenSSL so I trusted them (Yes, I trusted a Bank.)
Barclays

My parents are on Barclays and use their internet service, but I was also more personally invested in this. As many of you, I use the application called Pingit. According to this page,
http://www.barclays.co.uk/Mobile/BarclaysPingitSoftwaretermsandconditions/P1242607867693 the app uses OpenSSL. Due to this being a mobile application it's hard to find out if Heartbleed is being used.
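One defender-side check for exactly this situation, added here as an example and not part of the original post: unpack the app, read its bundled libssl/libcrypto, and look for the version text OpenSSL embeds in every build. SAMPLE_BLOB below is a constructed stand-in for those bytes; the classification uses the publicly known affected range (1.0.1 through 1.0.1f, plus the 1.0.2 betas).

```python
"""Scan a binary blob (e.g. an app's bundled libcrypto) for embedded
OpenSSL version strings and flag the Heartbleed-affected releases."""
import re
from typing import Dict, List

# Heartbleed (CVE-2014-0160) was present in OpenSSL 1.0.1 through 1.0.1f
# and in the 1.0.2 betas; 1.0.1g shipped the fix. The 1.0.0 and 0.9.8
# branches never carried the TLS heartbeat code.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")
PLAIN_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def is_heartbleed_vulnerable(version: str) -> bool:
    """Classify a version string such as '1.0.1e' by release number only.

    Caveat: distro builds sometimes backport the fix without bumping the
    letter, and builds compiled with OPENSSL_NO_HEARTBEATS were never
    affected, so treat True as 'needs verification', not proof."""
    m = PLAIN_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"       # '' (plain 1.0.1) through 'f' are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None    # only the 1.0.2 betas were affected
    return False


def find_openssl_versions(blob: bytes) -> List[str]:
    """Return every distinct OpenSSL version string embedded in the blob."""
    found: List[str] = []
    for m in VERSION_RE.finditer(blob):
        v = m.group(0)[len(b"OpenSSL "):].decode("ascii")
        if v not in found:
            found.append(v)
    return found


def scan_blob(blob: bytes) -> Dict[str, bool]:
    """Map each embedded version string to its Heartbleed status."""
    return {v: is_heartbleed_vulnerable(v) for v in find_openssl_versions(blob)}


# Constructed sample: stands in for bytes read from an app's bundled library.
# Real builds embed text like "OpenSSL 1.0.1e 11 Feb 2013".
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00filler" b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    b"more bytes\x00OpenSSL 1.0.0k 5 Feb 2013\x00"
)

if __name__ == "__main__":
    for version, vulnerable in scan_blob(SAMPLE_BLOB).items():
        print(version, "AFFECTED, verify and patch" if vulnerable else "not affected")
```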
I decided to call them so I could report the possible vulnerability. My experience can be summed up in three points.
- 1) They have no security report line or email
- 2) Customer service didn't seem to care
- 3) Even calling head office and reporting the issue they were unable to transfer me to a security team or didn't seem to be worried
After 40 mins and 5 GBP spent on calls, I was told the internet fraud email. This is an internet fraud prevention email, not a security bug report email. Either way, I wrote to them:
This morning a serious security flaw was announced in the OpenSSL certification. This certification is currently being used by your mobile banking app Pingit as outlined on your site here:
http://www.barclays.co.uk/Mobile/BarclaysPingitSoftwaretermsandconditions/P1242607867693 . The security vulnerability in question is called Heartbleed (http://www.bbc.co.uk/news/technology-26935905). While doing some testing on my personal servers and trying to confirm the bug, as an outside attacker on my personal servers I was able to get access to: user ids, passwords, documents and any communication between users. In banking this could lead to a lot more problems, so please investigate whether any of your software, especially Pingit, is affected as soon as possible.
This turned up no results and I still haven't received an email back. I assumed that this was useless and tried to reach them on Twitter. That also got no reply.
Nationwide

This is not my personal experience and I only know small details of it. I was in talks with someone on Twitter about this problem; their bank is Nationwide. They were unable to get any results.
Conclusion

I find it amusing how every single Bitcoin exchange has dedicated security emails and even phone lines, but massive banks such as HSBC and Barclays don't. It might be amusing for now, but in the long term this is a serious problem that has to be addressed.