Thai banks and heartbleed ... updates, news, and reports solicited

[Jingthing]

My impression is that the Thai banks are generally impacted by the heartbleed security flaw (see the internet forum or the internet for the confusing details) for online banking.

I am avoiding logging into any of my Thai bank accounts online for now while waiting for them to address.

Hopefully they will ... but when?

An announcement on Thai bank websites saying they are not effected it would be addressing it too.

So assuming they do address this someday (Songkran delay perhaps?) I started this thread so that people can post information about announcements from the many Thai banks we use to share with the public as they begin to see them.

Presumably they would or should be posted on their websites welcome pages.

At that point if they did a fix, it would probably be a good time to change your password for those banks.

This thread not intended to go into the technical details about Heartblood but really ONLY for updates on all of the Thai banks as we get that information (if ever). That's why I put this on this forum and not the internet forum.

Edited April 15, 2014 by Jingthing

[falang07]

whatever, until they get my phone with the security SMS, any security flaw is useless

[barryw52]

This link allows you to check any web site to see if it is now patched for the Heatbleed bug

https://filippo.io/Heartbleed/

I have checked all the banks I use here and there now ok. They would have most likely have been exposed before and patched now.

I have not checked every bank here

1. Check your bank by cutting and pasting the secure link to the bank eg https://ibanking.bangkokbank.com/SignOn.aspx (link must start with https:) into the test link page above if your bank is now patched and now ok.

2. Change your password now.

3. I strongly recommend you change your password on every website you have an account on especially those with financial ramifications e.g. Banks PayPal, eBay, etc. etc.

There are many good programs like Dashlane https://www.dashlane.com/ to store your password securely and have more complex secure passwords that can help you with this .

[LukDod]

Logon to your banks home page [not your acc't page] to see is they (finally) posted info on their heartbleed status.

Also...Use https://lastpass.com/heartbleed/ to verify the current vulnerability of your bank

Edited April 16, 2014 by LukDod

[Pib]

Since the heartbleed malware has been out there for a while although it has only became public knowledge very recently and if you "have been" logging onto your accounts, it would probably be a better idea to logon and change your password versus not logging on again until you read something your accont is not affected by the malware (before and/or now).

I got most of my passwords changed yesterday with my important account accounts and will finish up the remaining ones today....and then in a month from now I just may change my banking passwords again for extra safety...in fact I probably won't even wait a month to change my Thai bank account passwords again. On some of my account websites I've seen a notice that tells you if/how the website was affected usually in words along the lines they were not affected to the best of their knowledge but have still updated their security certificates, site software, etc., just to be safe....kinda like below partial quote from the USAA website.

USAA is aware of the “Heartbleed” Internet bug affecting many servers. USAA continuously monitors our systems, and we have no indication that they are at risk. USAA has taken and continues to take steps to mitigate any risks. A security patch was implemented for usaa.com earlier this week, and, although we have no indication that our security certificates have been compromised, we have obtained new certificates for usaa.com. We replaced the old certificates in the early hours of Sunday, April 13, and the new certificates today show a valid date of April 10, 2014 and an expiration date of April 12, 2015.

However, these steps are only the first line of defense in our continuous program to protect against security risks. USAA has an aggressive fraud detection program and 24/7 monitoring of global threats – all of which are designed to detect any unauthorized activities using Heartbleed or any future threats.

Helping protect your personal and financial information is one of our top priorities — every day, 24/7.

Please see the Q&A below for more information about USAA’s response to the "Heartbleed" bug.

What should you do?

While there’s no indication of compromise, we recommend members periodically change their passwords, especially when there is a known vulnerability, and use a unique password for each site.

[Jingthing]

I think this is getting too technical.

Can people just post any formal ANNOUNCEMENTS on Thai banking websites (or news releases) as they see them?

All this confusing and contradictory general technical advice you can see on the internet forum or wider web.

I started this thread as a BUCKET for the announcements from the various THAI banks.

Talking about a U.S. bank was incredibly off topic. The scope of this thread is meant to be very NARROW for a REASON.

People can go elsewhere to try to figure out what to do with this information. Such info is all of over the place, and frankly it's a big mess, and I don't see the value of another big mess on such a focused topic.

Edited April 16, 2014 by Jingthing

[brit1984]

^ Jingthing, if you take the time to read the replies posted in this thread, you will understand there is no need to wait for any announcements to come from the Thai banks

[Jingthing]

^ Jingthing, if you take the time to read the replies posted in this thread, you will understand there is no need to wait for any announcements to come from the Thai banks

That is very debatable. People shouldn't accept every random post they read as the final word on an internet forum about such important matters. Anyone who does do research on this will quickly find strongly conflicting advice. How are non-technical people supposed to filter out all of these mixed messages? I don't have a clue about that.

That's why I didn't start this thread to be about advice, but rather about ONLY the news from the Thai banks.

Edited April 16, 2014 by Jingthing

[rwdrwdrwd]

^ Jingthing, if you take the time to read the replies posted in this thread, you will understand there is no need to wait for any announcements to come from the Thai banks

That is very debatable. People shouldn't accept every random post they read as the final word on an internet forum about such important matters. Anyone who does do research on this will quickly find strongly conflicting advice. How are non-technical people supposed to filter out all of these mixed messages? I don't have a clue about that.

That's why I didn't start this thread to be about advice, but rather about ONLY the news from the Thai banks.

Why would you trust an 'announcement' by a Thai bank more than using a penetration test by a third party that specialises in security and has nothing to be gained by giving false information?

The advice to use a service like https://lastpass.com/heartbleed/ to check for yourself is the best advice.

Edited April 16, 2014 by rwdrwdrwd

[Pib]

I think this is getting too technical.

Can people just post any formal ANNOUNCEMENTS on Thai banking websites (or news releases) as they see them?

All this confusing and contradictory general technical advice you can see on the internet forum or wider web.

I started this thread as a BUCKET for the announcements from the various THAI banks.

Talking about a U.S. bank was incredibly off topic. The scope of this thread is meant to be very NARROW for a REASON.

People can go elsewhere to try to figure out what to do with this information. Such info is all of over the place, and frankly it's a big mess, and I don't see the value of another big mess on such a focused topic.

I recommend once again you and anyone else don't wait until "maybe" you see some announcement on your Thai bank website before you logon again...do you really think any bank, in Thailand or in western countries, will tell the whole truth and nothing but the truth when it comes to "if and how" they are affected by the heartbleed malware. Heck, I expect in many cases they just don't know. Logon "now" and change your password...don't wait until you hear some announcement you may or may not see from from your bank. The cut and paste from USAA Bank website was just meant as an example of the announcements be given by banks regardless of country.

Probably best for people to review the websites of the banks they have accounts with versus ThaiVisa posts regarding this subject. Oh yea, did I mention change your password now...and maybe do it again in a few weeks...it's very easy and fast to do.

[Pib]

Logon to your banks home page [not your acc't page] to see is they (finally) posted info on their heartbleed status.

Also...Use https://lastpass.com/heartbleed/ to verify the current vulnerability of your bank

Definitely doesn't hurt to use sites like this...I run it on several of my banks and basically whether it said the site probably safe, just updated its security certificate X days ago, etc., it recommended a password change. Heck, more and more websites now days will force you to change your password every so often like every 90 days...I expect this helps to defeat "unknown and known" malware plus other methods of password comprise

[fatdrunkandstupid]

I keep the bulk of my funds in accounts that have a passbook only. Not afraid of skimmers or the latest virus...

I keep a couple of hundred thousand baht in an account that has a debit card. The skimmers and hackers can have at that one till their hearts are content...

[55Jay]

I didn't see any notice on Krungsi (BAY) website, News or Security Tips links.

This was Last Pass result on the online (https) login page:

Site: www.krungsrionline.com

Server software: Not reported

Was vulnerable: Possibly (might use OpenSSL, but we can't tell)

SSL Certificate: Possibly Unsafe (created 1 year ago at Mar 29 00:00:00 2013 GMT) Additional checks SSL certificate history checks yielded no new information

Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

Edited April 16, 2014 by 55Jay

[JesseFrank]

I have 3 online banks.

One need a OTP sent to my phone to do any transaction, the second one needs my credit card inserted into a digipass even to log on and for the third one I have a device that displays an ever changing code which again I have to enter when log on.

Why should I change my password ?

Edited April 16, 2014 by JesseFrank

[rwdrwdrwd]

I have 3 online banks.

One need a OTP sent to my phone to do any transaction, the second one needs my credit card inserted into a digipass even to log on and for the third one I have a device that displays an ever changing code which again I have to enter when log on.

Why should I change my password ?

Problem is that your choice of password is now in the wild, potentially in association with your email address. This means that whilst your bank account may be OK due to extra verification, if you happen to have used the same email and password combination elsewhere that does not have another level of security, it is now entirely insecure.

The bank accounts take more work, but are now less secure, if you imagine a scenario like this:

- Someone has built a tool to automatically harvest a database of exposed usernames and passwords from the heartbleed bug - not that hard to do. They then sell this in a hacker group, or leak it via a torrent.

- Someone else gets hold of your card / device / phone - perhaps you lose it, perhaps you get burgled, perhaps your card gets skimmed.

- That someone else knows how to obtain the db, and matches you up to it - emails are often based on names for example - they now have your username, password and device / card / OTP device.

Then you'll be in trouble..

Edited April 16, 2014 by rwdrwdrwd

[Pib]

Problem is that your choice of password is now in the wild, potentially in association with your email address. This means that whilst your bank account may be OK due to extra verification, if you happen to have used the same email and password combination elsewhere that does not have another level of security, it is now entirely insecure.

I use to do that years back....that is, use the same password on multiple sites...but I got out of that bad habit...different password for each of my accounts now.

[innerspace]

There is another thread running where I have posted independent results of testing most of the banks. Tests run a few days after vunerability was publicised so cant say if there were issues before but shows most are now safe.

Found 1 bank with vunerable website but their online login was safe.

Best report you have until your banks issue a declaration in thai that they use thai made software not openssl so are obviously superior to the stupid other websites and nothing was ever at risk on their servers or this country... hub of secure banking havent you heard?

Sent from my GT-N7100 using Thaivisa Connect Thailand mobile app

[belg]

think about this : most ATM work with windows XP, where there is no support anymore... how long before one of them is hacked?

[Suradit69]

^ Jingthing, if you take the time to read the replies posted in this thread, you will understand there is no need to wait for any announcements to come from the Thai banks

That is very debatable. People shouldn't accept every random post they read as the final word on an internet forum about such important matters. Anyone who does do research on this will quickly find strongly conflicting advice. How are non-technical people supposed to filter out all of these mixed messages? I don't have a clue about that.

That's why I didn't start this thread to be about advice, but rather about ONLY the news from the Thai banks.

Why would you trust an 'announcement' by a Thai bank more than using a penetration test by a third party that specialises in security and has nothing to be gained by giving false information?

The advice to use a service like https://lastpass.com/heartbleed/ to check for yourself is the best advice.

And possibly this one mentioned below. Of course it's always possible if you use some new extensions and rush about changing passwords that you will simply be opening yourself up to even more exposure. Obviously the process of choosing a new password could make you all the more vulnerable at some sites.

"Kaspersky's Internet Security" offers some password and data entry protection, but who knows if that really protects you if the problem lies with the security of information stored at the banks and businesses.

This plugin will warn you immediately when you visit a site affected by Heartbleed

Developer Jamie Hoyle has created a nice Chrome extension dubbed Chromebleed that serves a single purpose: It displays a warning when you visit a website affected by Heartbleed.

http://news.yahoo.com/plugin-warn-immediately-visit-affected-heartbleed-143835743.html

Edited April 17, 2014 by Suradit69

[MJCM]

<snip>

The advice to use a service like https://lastpass.com/heartbleed/ to check for yourself is the best advice.

Re: The screenshot you posted about Lastpass checking www.scbeasy.com

I don't know where Lastpass gets it Info from, but when I open www.scbeasy.com and check the certificate it's issued on 8/10/2013 and expires on 27/10/2014.

Edited April 17, 2014 by MJCM

[connda]

Logon to your banks home page [not your acc't page] to see is they (finally) posted info on their heartbleed status.

Also...Use https://lastpass.com/heartbleed/ to verify the current vulnerability of your bank

@LukDod. Thanks for this information. I checked my banks and updated accordingly. Good stuff.

[Pib]

think about this : most ATM work with windows XP, where there is no support anymore... how long before one of them is hacked?

Actually, many ATMs run a version of XP called XP Embedded which is still supported until Jan 16. And banks, governments, and companies can buy extended XP support to get support for a few more years where you and I can't because Microsoft wants the retail consumer to buy Win 8.1...they would even settle for Win 7.

[rickirs]

Heartbleed is a problem on the side of the web provider. Unless your bank, stock trader, pension provider, etc. has informed you that is it has installed SSL and kernel patches to their systems to protect against Heartbleed and updated its SSL certification, you are at risk no matter if you change your passwords. Good luck all.

[Satcommlee]

Job done change password from 12345 to 54321

[i claudius]

Job done change password from 12345 to 54321

copycat!!

[Pib]

Job done change password from 12345 to 54321

I know...didn't take me long to figure it out.

[deepcell]

Of course it will take a huge time to fix the problem. Since you need to update everything that uses the lib openssl. Can you imagine how many routers/devices are using this bugged version? This is a Hercules task and will take years to fix everything.

[budrico]

Site: ibanking.bangkokbank.com

Server software: Not reported

Was vulnerable: Possibly (might use OpenSSL, but we can't tell)

SSL Certificate: Possibly Unsafe (created 2 years ago at Apr 18 00:00:00 2012 GMT) Additional checks SSL certificate history checks yielded no new information

Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

[FiestyFarang]

whatever, until they get my phone with the security SMS, any security flaw is useless

Would they not have already taken your money and you are merely being notified of such via SMS?

[connda]

Job done change password from 12345 to 54321

copycat!!

I hope you wrote that on a yellow sticky notepad and placed it on your computer monitor, otherwise you're sure to forget it