

How not to respond to Heartbleed – CBA, an Australian bank (read the comments) - parisidau
https://www.commbank.com.au/blog/what-you-need-to-know-about-heartbleed.html#

======
ben_grubb
I've tweeted what I know:

[https://twitter.com/bengrubb/status/455603832806842368](https://twitter.com/bengrubb/status/455603832806842368)

[https://twitter.com/bengrubb/status/455604173908606976](https://twitter.com/bengrubb/status/455604173908606976)

[https://twitter.com/bengrubb/status/455604344885227520](https://twitter.com/bengrubb/status/455604344885227520)

[https://twitter.com/bengrubb/status/455604746275930112](https://twitter.com/bengrubb/status/455604746275930112)

[https://twitter.com/bengrubb/status/455605049595420673](https://twitter.com/bengrubb/status/455605049595420673)

~~~
notjosh
To save someone else the clicking, these are:

> A source close to CBA tells me only CBA's main website was impacted by
> #Heartbleed. It uses Amazon ELB, which was vulnerable (cont...)

> Main CBA website now has a new certificate dated Friday, April 11 (you can
> check yourself in your web browser) (cont) #Heartbleed

> Now, considering CBA's main website was vulnerable, according to source, it
> could've been subject to a man in the middle attack #heartbleed

> An attacker could've sat in between connection on Wi-Fi or on carrier side
> and seen who visited site. So they only get IPs #heartbleed

> Next question becomes could attacker have used man in middle to change
> iframe login on main CBA site to collect credentials? #Heartbleed
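
The "check the certificate date yourself" step from the tweets above, written out as an added example (not part of the original thread or any CBA tooling): it reads the `notBefore` field of a certificate in the dict shape Python's `ssl` module returns and tells you whether the certificate was issued on or after Heartbleed's public disclosure (7 April 2014). The sample dicts are constructed, not real CBA certificates; the live-fetch helper needs network access and is only there for completeness.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed (CVE-2014-0160) was 7 April 2014 (UTC).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' string of a getpeercert()-style dict into UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert: dict) -> bool:
    """True if the leaf certificate was issued on/after the disclosure date.

    Caveat: a post-disclosure issue date is necessary but not sufficient.
    A site may have re-issued a certificate with the same (possibly leaked)
    key pair; compare the public key against the old certificate too.
    """
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate (requires network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# The dates mirror the thread: an older cert vs one dated Friday 11 April 2014.
SAMPLE_OLD = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
SAMPLE_NEW = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Apr 11 00:00:00 2014 GMT",
    "notAfter": "Apr 11 23:59:59 2015 GMT",
}

if __name__ == "__main__":
    for label, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, cert_not_before(cert).date(), reissued_after_disclosure(cert))
```

To check a real host, pass `fetch_peer_cert("your.bank.example")` to `reissued_after_disclosure` instead of the sample dicts.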

------
hadoukenio
This is why technical questions should never be answered by the Marketing
department.

~~~
duskwuff
And, particularly, why anyone who's tasked with answering questions from the
public needs to be trained on when it is and isn't appropriate to use a canned
response. Whoever it was handling the comments here clearly had no idea what
they were talking about, and ended up making the company look _much_ worse as
a result!

~~~
hadoukenio
Making the company look much worse? I don't care about the company image.
As a customer, I'm more concerned about the security of my money!

~~~
chad_oliver
Yeah, but the _bank_ cares about its image.

------
catmanjan
This is my bank, what should my next steps be? Change my password/PIN?
Withdraw my savings (temporarily)?

~~~
dsymonds
Hi catmanjan, you do not need to change your NetBank password. We are patched
against the Heartbleed bug. We are dedicated to ensuring our data and that of
our customers is safe and secure. We take matters of security very seriously
and our security teams are always up to date with all of the latest security
developments so that we can continually strengthen the protections we have in
place.

~~~
waps
You have to wonder if they're actually paying someone to put those messages
there. They're just different enough to make one think a human is typing them.

I guess management instructed them to do this.

I would advise against changing banks over this though. Knowing banks, this is
not going to be the only one or even remotely the most serious security bug
they ignored. And their competition is just not going to be better. The way
security works at banks is threefold: (a) screw inattentive customers (b)
watch backend systems for transactions like a hawk (c) call the police over
every small problem claiming (correctly) that the financial system could fail
if they don't track the culprits down for their current problem.

------
mrmagooey
Not to detract from the fundamental misunderstanding of the word 'patch' by
their marketing department, but it's probably safe to assume that they're not
using an open-source stack and hence will be ok.

~~~
yaur
Looking a little more... it looks like the e-banking stuff feeds into an F5
box. F5 claims they have never been vulnerable if you are terminating TLS
at the load balancer... so this may indeed just be marketing drones who don't
know how to communicate clearly about what happened.

------
duncan_bayne
I called CBA tech support, and they confirmed (verbally) that CBA has never
been vulnerable to Heartbleed. I've suggested that they get someone to clarify
the comments made on the blog.

------
TWAndrews
It seems like there's a bot who's replying to comments with a handful of
canned responses. I'd be interested if you could get the same responses from
the CBA twitter/facebook accounts.

------
kysol
The canned responses are hurting me to read. Pretty sure comments will be
turned off shortly when this blows up.

------
dang
That a bank responded inappropriately to a security breach is regrettable, but
not intellectually interesting, so I don't think this counts as on topic for
Hacker News.

Also, when there is a rash of stories surrounding a single event, like
Heartbleed, HN only needs the most significant or interesting articles.
Otherwise it'd be all too easy for the front page to consist of nothing but
stories on that one subject—most of which would at best be auxiliary.

~~~
pan69
I'm glad you are here to remind us what is interesting and what is not. Thank
you.

~~~
dang
Determining what's "interesting" here isn't so arbitrary. This post is no
doubt interesting to customers of the bank, as well as to connoisseurs of PR
disasters and internet indignation (cf. the submission title), but all that is
outside what has traditionally counted as "interesting" on Hacker News, and I
see nothing else in the article. If you do, please point it out.

