Pib Posted April 18, 2014

Site: ibanking.bangkokbank.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Possibly Unsafe (created 2 years ago at Apr 18 00:00:00 2012 GMT)
Additional checks
SSL certificate history checks yielded no new information
Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

But when checking the main www.bangkokbank.com website a person gets below. Maybe the ibanking.bangkokbank.com is really just a subcomponent of bangkok.com whose SSL Certificate is providing the protection....but I'm guessing.

Site: www.bangkokbank.com
Server software: AkamaiGHost
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Now Safe (created 4 days ago at Apr 14 03:39:03 2014 GMT)
Assessment: Change your password on this site if your last password change was more than 4 days ago
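The two reports above turn on one date comparison, shown here as an added example (not part of the post and not the checker's own code). It assumes the tool compares the certificate's creation date with Heartbleed's public disclosure on 7 April 2014; the function names and the wait/change/ok labels are made up for illustration.

```python
import re
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Report text retyped from the post above; only the fields used here.
REPORTS = """\
Site: ibanking.bangkokbank.com
SSL Certificate: Possibly Unsafe (created 2 years ago at Apr 18 00:00:00 2012 GMT)
Site:www.bangkokbank.com
SSL Certificate:Now Safe (created 4 days ago at Apr 14 03:39:03 2014 GMT)
"""

FIELD = re.compile(r"^(Site|SSL Certificate):[ \t]*(.+)$", re.M)
CREATED = re.compile(r"created .*? at (\w{3} +\d{1,2} [\d:]{8} \d{4}) GMT")


def parse_reports(text):
    """Return {site: certificate creation time (UTC)} for each report."""
    certs, site = {}, None
    for key, value in FIELD.findall(text):
        if key == "Site":
            site = value.strip()
        elif site and (m := CREATED.search(value)):
            # Collapse the double space OpenSSL prints before 1-digit days.
            stamp = " ".join(m.group(1).split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            certs[site] = parsed.replace(tzinfo=timezone.utc)
    return certs


def advice(created, last_password_change):
    """Apply the report's rule: passwords set before the reissue are suspect."""
    if created < DISCLOSURE:
        # Certificate predates disclosure: no sign of a reissue, so this date
        # alone cannot show the site is ready to receive a new password.
        return "wait"
    if last_password_change < created:
        return "change"
    return "ok"
```

A post-disclosure creation date shows only that the certificate was reissued; it does not by itself show that the server was patched or that a new private key was generated.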
JimGant Posted April 20, 2014

whatever, until they get my phone with the security SMS, any security flaw is useless

Would they not have already taken your money and you are merely being notified of such via SMS?

No. Bangkok Bank, the only Thai bank I'm familiar with, uses a One Time Password (OTP) via SMS before they'll authorize the opening of a third party account (and before you send the first transfer). Pretty secure, in my estimation, in that no third party account can be opened through which my online accounts can be drained (unless NSA chooses to sell my OTP -- during the 5 minute validity period -- NOT).

But, I guess a fraudster could log onto my online account -- and transfer to existing third party accounts -- like my wife's, our joint account, and our utility account. Yes, ridiculous.

So, as falang07 says, if your cell phone hasn't been stolen before you can report it to Bangkok Bank (or other Thai banks using OTP), relax.

Bangkok Bank's security features actually trump those of my US bank - USAA. I can open a third party account going online with USAA. And by telling them in the application that "I have no signature authority over this account," the security feature of sending two trial deposits is sidestepped ('cause, by definition, by having no signature authority over this account, I thereby have no access to validate the two trial deposits). Instead, USAA sends an email to the email address you've registered with them, that says:

Dear xxx,
Our records show that on 02/19/2014 at 11:17 a.m., you added the following account to your list of accounts available for transactions on usaa.com. This account will be available for funds transfer within three business days.
Account ending in: *****xxx
Account holder: xxxxxx
If this account was added without your knowledge or permission, please call 1-800-531-USAA (8722) to report the unauthorized change.
Thank you,
USAA

Hmmmm. I've got three days to access my email. Most likely I will -- but what if I don't -- or can't due to technical issues? Transfer authority, then, automatically kicks in after three business days.

Thailand's Bangkok Bank mo' betr than USAA in the online security arena. And maybe most other US banks......? I dunno.
caughtintheact Posted April 20, 2014

There are now Firefox and Chrome extensions called Heartbleed-ext and Chromebleed respectively at

https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

and

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic?hl=en

to detect vulnerable sites. I have not found a similar tool for IE or Safari. The accuracy is not 100%, though.

The Heartbleed-ext for Firefox seems to function smoothly though. I did not try the one for Chrome.
fletchsmile Posted April 24, 2014

Standard Chartered Thai had a strip to click on for info. Here's their message:

Important Security Message - Heartbleed Bug
Date April 21st 2014

A security vulnerability has been detected in the commonly used OpenSSL 1.0.1a-f. The Open Secure Sockets Layer (SSL) provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), virtual private networks, etc.

Standard Chartered Bank websites and banking services are secure and not affected by this vulnerability. However, please remain vigilant and contact the Bank if you notice any suspicious activity in your account

Cheers
Fletch
fletchsmile Posted April 24, 2014 (edited)

Here's BKK bank as at today:

"Following the recent discovery of the Heartbleed bug in OpenSSL software there has been concern about the possible theft of user information. Bangkok Bank would like to reassure our customers that our services do not use OpenSSL and so we are not affected by any security breach. Customers can continue to safely use our services as usual"

BTW For all those people posting "useful links" and "useful services" and "plugins" think about it for a moment... most of us have no idea who each other actually are or the authenticity of what you are claiming, or the risks of using these services

Personally I've no intention of looking at the "useful links" and trying the "useful services" or "plug-ins" you're posting. Certainly not to check if my bank account is safe. Get real! Trying out links, services and plug-ins from people I've never met who anonymously post on websites and using them to check my bank's services...

I'd much rather read the notifications from the banks as suggested by Jingthing.

Cheers
Fletch
rwdrwdrwd Posted April 24, 2014 (edited)

Like the useful one from SCB above that did not mention anything about whether users are affected, whether their system remains vulnerable, nor what action they should take?

The nature of the vulnerability means the most secure action you can take is either to test the server yourself or use a third party to do the same, if you don't know how to do it yourself. Then act upon the result of the test - any login that was used on a compromised site must be changed AFTER the security hole has been fixed.

If you prefer to read notices on the bank's website to assure you, that's fine, but it proves nothing, technically.

You obviously did not consider testing the third party websites, but they simply check using public web addresses, you don't need to provide any other info to them, such as username or password - only the publicly available login screen of the bank.