Poor security, should temporarily stop online payments at banks

DNUM_BAZAEZCABE 16:51

Experts say that on April 8, about 15 e-banking websites of Vietnamese banks and payment gateways were attacked by hackers, through the OpenSSL Heartbleed security vulnerability.

With the above scale, experts say the amount of sensitive information related to stolen cards and login accounts cannot be estimated.

Previously, the OpenSSL Heartbleed error, which is believed to be capable of threatening millions of online transaction accounts via payment gateways and banking websites, was announced on the world's largest forum Reddit and the Heartbleed.com website on the evening of April 7.

According to Mr. Nguyen Hong Phuc, an expert at the HVA Online security forum, the OpenSSL Heartbleed error is considered extremely dangerous by experts because it is related to the infrastructure of the security system. "This error lies in the most basic encryption platform, so if the system is affected by this error, it is considered that all other encryption layers are broken," said Mr. Phuc.

Cyber ​​Attack Guide

Currently, internet transactions are securely protected based on SSL/TLS connection security encryption protocol. This platform helps encrypt internet connections, so that data from users sent to the server is not interfered with in the middle.

However, the OpenSSL Heartbleed bug allows hackers to access the OpenSSL cache - which contains decrypted sensitive data such as bank card information, credit cards, login information such as usernames and passwords. After stealing the information, hackers can steal money from the account and use the user's personal database for later exploitation.

The only recommendation given by most reputable experts in the international security community at this time is that users and the community need to temporarily suspend all online transactions through payment gateways and e-banking until the payment gateways and e-banking gateways officially confirm that their websites are safe.

The danger of the OpenSSL Heartbleed bug is that just a few hours after it was announced, the initial exploit code targeting this bug was posted online by hackers. By the afternoon of April 8, the complete and complete exploitation tools had appeared on the internet. "These tools allow people with basic knowledge to attack any system with vulnerabilities," said Mr. Phuc.

Online payments should be suspended.

According to a representative of HVA Online, fixing the error was not difficult because the patch was posted online on the evening of April 7, but for large systems, handling it requires a lot of time. On April 8, experts identified a series of attacks on many large websites around the world, including Yahoo.com. Yahoo itself took about 24 hours to complete fixing this vulnerability.

According to HVA Online, Vietnamese security experts received information about the error on the night of April 7 and continuously monitored the errors to update the system administration community. On April 8, HVA Online recorded that several major online service sites had patched the error in the morning. On the afternoon of April 8, when the exploit tool began to become popular, reports showed that about 15 e-banking websites of Vietnamese banks and payment gateways had been attacked. The amount of sensitive information such as card information and login information stolen, according to HVA Online, cannot be estimated.

Also according to HVA Online, yesterday morning (April 9), most of the banks' e-banking homepages have been patched, but it is not yet known whether the entire e-banking system of the banks has been patched. According to Mr. Phuc, normally a bank can take 24 - 48 hours to update the patch for the outer device layers. However, because the infrastructure system of banks is very large, internal and external transactions are encrypted, so fixing errors in the inner layer can take more time.

Payment gateways confirmed by HVA Online have been patched mostly on the afternoon of April 8 such as smartlink, 123pay, paygate, etc. By the evening of April 8, there were still reports from security experts that gateways such as nganluong.vn, onepay.vn have not been patched. According to the recommendations of security experts, banks should immediately update OpenSSL to the latest version, restart (force) the system and immediately change the SSL digital certificate on the entire system using OpenSSL. Because this error not only opens the door to exploitation on the web environment but all environments using the OpenSSL library are affected.

According to Mr. Phuc, the only recommendation given by most reputable experts in the international security community at this time is that users and the community should temporarily suspend all online transactions through payment gateways and e-banking until the payment gateways and e-banking gateways officially confirm that their websites are safe. Mr. Phuc also recommends that those who have used e-banking services or online payment gateways since April 7 should change their passwords because there is a possibility that their account information has been leaked without them knowing.

Check your security system again

Mr. Nghiem Sy Thang, Deputy General Director of Lien Viet Commercial Joint Stock Bank (LienVietPostbank) in charge of information technology, cards and electronic banking, affirmed that payment websites across the entire LienVietPostBank system are still safe, with no signs of being attacked, but "we will review them thoroughly, and if we find any vulnerabilities, we will immediately issue warnings to customers."

Vietcombank Deputy General Director Dao Minh Tuan acknowledged: "The new vulnerability is also very serious, so we will immediately re-examine the entire network infrastructure to prevent the possibility of hacker attacks," said Mr. Tuan, while also advising customers to be careful when using information on online transaction websites.

Director of BIDV Information Technology Center, Mr. Nguyen Xuan Hoa also said: “We have signed a contract with A70 (Department of Technical Services - General Department of Security) and BKAV to regularly review. The technical team of the bank also monitors, handles and controls attacks. In the past, we have detected and prevented many attacks on OpenSSL of BIDV system”.

According to Thanh Nien