Thai banks and heartbleed ... updates, news, and reports solicited

[Pib]

Site: ibanking.bangkokbank.com

Server software: Not reported

Was vulnerable: Possibly (might use OpenSSL, but we can't tell)

SSL Certificate: Possibly Unsafe (created 2 years ago at Apr 18 00:00:00 2012 GMT) Additional checks SSL certificate history checks yielded no new information

Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

But when checking the main www.bangkokbank.com website a person gets below. Maybe the ibanking.bangkokbank.com is really just a subcomponent of bangkok.com whose SSL Certificate is providing the protection....but I'm guessing.

Site:www.bangkokbank.com

Server software:AkamaiGHost

Was vulnerable:Possibly (might use OpenSSL, but we can't tell)

SSL Certificate:Now Safe (created 4 days ago at Apr 14 03:39:03 2014 GMT)

Assessment:Change your password on this site if your last password change was more than 4 days ago

[JimGant]

whatever, until they get my phone with the security SMS, any security flaw is useless

Would they not have already taken your money and you are merely being notified of such via SMS?

No.

Bangkok Bank, the only Thai bank I'm familiar with, uses a One Time Password (OTP) via SMS before they'll authorize the opening of a third part account (and before you send the first transfer). Pretty secure, in my estimation, in that no third party account can be opened through which my online accounts can be drained (unless NSA chooses to sell my OTP -- during the 5 minute validity period -- NOT). But, I guess a fraudster could log onto my online account -- and transfer to existing third party accounts -- like my wife's, our joint account, and our utility account. Yes, ridiculous. So, as falang07 says, if your cell phone hasn't been stolen before you can report it to Bangkok Bank (or other Thai banks using OTP), relax.

Bangkok Bank's security features actually trump those of my US bank - USAA. I can open a third party account going online with USAA. And by telling them in the application that "I have no signature authority over this account," the security feature of sending two trial deposits is sidestepped ('cause, by definition, by having no signature authority over this account, I thereby have no access to validate the two trial deposits). Instead, USAA send an email to the email address you've registered with them, that says:

Dear xxx,

Our records show that on 02/19/2014 at 11:17 a.m., you added the following account to your list of accounts available for transactions on usaa.com. This account will be available for funds transfer within three business days.

Account ending in:

*****xxx

Account holder: xxxxxx

If this account was added without your knowledge or permission, please call 1-800-531-USAA (8722) to report the unauthorized change.

Thank you,

USAA

Hmmmm. I've got three days to access my email. Most likely I will -- but what if I don't -- or can't due to technical issues? Transfer authority, then, automatically kicks in after three business days.

Thailand's Bangkok Bank mo' betr than USAA in the online security arena. And maybe most other US banks......? I dunno.

[caughtintheact]

There are now Firefox and Chrome extensions called Heartbleed-ext and Chromebleed respectively at https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/ and

https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic?hl=en

to detect vulnerable sites. I have not found a similar tool for IE or Safari. The accuracy is not 100%, though. The Heartbleed-ext for Firefox seems to function smoothly though. I did not try the one for Chrome.

[fletchsmile]

Standard Chartered Thai had a strip to click on for info. Here's their message:

Important Security Message - Heartbleed Bug

Date April 21th 2014
A security vulnerability has been detected in the commonly used OpenSSL 1.0.1a-f. The Open Secure Sockets Layer (SSL) provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM), virtual private networks, etc.
Standard Chartered Bank websites and banking services are secure and not affected by this vulnerability. However, please remain vigilant and contact the Bank if you notice any suspicious activity in your account

Cheers

Fletch

[fletchsmile]

Here's BKK bank as at today:

"Following the recent discovery of the Heartbleed bug in OpenSSL software there has been concern about the possible theft of user information. Bangkok Bank would like to reassure our customers that our services do not use OpenSSL and so we are not affected by any security breach. Customers can continue to safely use our services as usual"

BTW For all those people posting "useful links" and "useful services" and "plugins" think about it for a moment... most of us have no idea who each other actually are or the authenticity of what you are claiming, or the risks of using these services

Personally I've no intention of looking at the "useful links" and trying the "useful services" or "plug-ins"you're posting. Certainly not to check if my bank account is safe.

Get real! Trying out links, services and plug-ins from people I've never met who anonymously post on websites and using them to check my bank's services...

I'd much rather read the notifications from the banks as suggested by Jingthing.

Cheers

Fletch

Edited April 24, 2014 by fletchsmile

[rwdrwdrwd]

Like the useful one from SCB above that did not mention anything about whether users are affected, whether their system remains vulnerable, nor what action they should take?

The nature of the vulnerability means the most secure action you can is either to test the server yourself or use a third party to do the same, if you don't know how to do it yourself. Then act upon the result of the test - any login that was used on a compromised site must be changed AFTER the security hole has been fixed.

If you prefer to read notices on the banks website to assure you, that's fine, but it proves nothing, technically.

You obviously did not consider testing the third party websites, but they simply check using public web addresses, you don't need to provide any other info to them, such as username or password - only the publically available login screen of the bank.

Edited April 24, 2014 by rwdrwdrwd