The Heartbleed Bug


As you might have heard, there is a bug called Heartbleed, which affects OpenSSL, an encryption library used for a wide variety of online communication. The bug could allow the theft of data that is normally protected by SSL encryption.

We continuously and proactively scan for this sort of thing and we have (among other things) patched all systems that could have been affected and also re-issued all of our security certificates.

What should PayFast users do?

We don’t believe it is necessary, but you could go and change your password and enable two-factor authentication on your account. Other than that, you can test if a website is actually vulnerable to the exploit.

Here is a simple, open-source script to test a server for vulnerabilities: http://filippo.io/Heartbleed/#www.payfast.co.za

We also recommend doing a more thorough (also free) scan with Qualys, one of the leading authorities on Internet security: https://www.ssllabs.com/ssltest/analyze.html?d=payfast.co.za

It is interesting to note the number of banks/gateways that get a lower grade than PayFast. Go ahead and check for yourself ;-)

Also, should your account be compromised (through Heartbleed or otherwise), we have a couple of fail-safes in place to make sure you (as a seller) won’t lose money in your account. If anyone changed your details (such as the bank account used when a Payout is requested), they would have to re-submit the documentation proving ownership or identity.

What else can I do (with regards to other sites)?

Not much, unfortunately. The bug has been around (and undetected) for over two years. It is possible that someone exploited the problem before its detection, but it’s also entirely possible that nobody exploited anything before it was announced earlier this week.

A few things to consider:

  • Don’t change your passwords on sites that haven’t been patched yet (to repeat: PayFast has)
  • If you send sensitive content over other websites, you should consider enabling two-factor authentication on them (if available)

A few good things that are always of relevance for your online accounts are to:

  • Consider using a trusted password manager tool like LastPass or RoboForm
  • Always use strong passwords
  • Don’t ever use the same password on more than one site (this article is well worth a read)