A publication of the Centre for Advancing Journalism, University of Melbourne

Payments ‘bug’ blows the lid on net shoppers’ financial details

A damaging software bug has exposed the financial details of Australians who shop online through websites using a popular payment processor.

Words by Anders Furze

A former web application developer, Michael Cordover, said that the bug had allowed him to view the details of about 600 financial transactions in a minute.

“These transactions contained data that would permit me to gain access to the bank accounts and credit cards of purchasers,” he said.

UPDATED: April 14, 2014

All of the transactions were processed through POLi Payments, an online system that connects shoppers with their online banking account directly. It is used by a wide range of Australian companies, including airlines, retailers, hotels and online betting agencies.

The problem involved the so-called “heartbleed” bug in OpenSSL, the most widely used implementation of SSL/TLS, the encryption protocol that protects consumers’ confidential details when they bank or shop online and that underpins myriad other web applications, including email. The bug affects websites running the vulnerable versions of OpenSSL, not every site that uses the software.

The bug lets anyone who can connect to a vulnerable server send a malformed “heartbeat” message and read back up to 64 kilobytes of the server’s memory per request, without leaving a trace in ordinary logs. That memory can contain passwords, session cookies, credit card details and even the server’s own private encryption key.
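To make the mechanism concrete, the following C program is an added example written for this page; it is not code from the article, from OpenSSL or from POLi Payments. It models the TLS heartbeat handler as it existed before and after the fix: the record carries a claimed payload length, the vulnerable handler trusts that claim and copies that many bytes back, and the fixed handler first checks the claim against the size of the record that actually arrived. The “process memory” is a single constructed buffer, with a made-up secret placed just after the heartbeat record, so the leak is real within that buffer but touches nothing outside it.

```c
/*
 * Added example (not code from the article or from OpenSSL): a model of the
 * TLS heartbeat handling behind Heartbleed (CVE-2014-0160). The record
 * carries a claimed payload length; the vulnerable handler trusts it and
 * copies that many bytes back, so a short record with a large claimed
 * length returns whatever sits after it in memory. The fixed handler
 * checks the claim against the actual record length first.
 *
 * Everything runs inside one constructed buffer ("arena") standing in for
 * process memory, so the over-read stays within the arena.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* minimum padding a heartbeat must carry */
#define ARENA_SIZE   256

/* Constructed arena: a heartbeat record followed by "secret" data of the
 * kind a server process holds next to its network buffers. The card number
 * is a well-known test value, not real data. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "card=4111111111111111;cvv=123";

/* Build a heartbeat record at arena[0]: type (1 byte), claimed payload
 * length (2 bytes, big-endian), payload, padding. `claimed` is what the
 * record says; `actual` is how many payload bytes are really present.
 * Returns the true length of the record. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, payload, actual);
    size_t record_len = 3 + actual + HB_PADDING;
    memcpy(arena + record_len, secret, sizeof secret);  /* adjacent memory */
    return record_len;
}

/* Vulnerable model of the pre-1.0.1g handler: reads the claimed length and
 * copies that many bytes from the payload without checking it against
 * record_len. Returns the number of bytes written to `out`. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                   unsigned char *out, size_t out_cap) {
    (void)record_len;                             /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload + 3 > out_cap) return 0;  /* keeps the model in bounds */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);            /* over-reads past the record */
    return 3 + payload;
}

/* Fixed handler (the check added in 1.0.1g): header, claimed payload and
 * padding must all fit inside the record that actually arrived, otherwise
 * the message is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t record_len,
                              unsigned char *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;           /* too short */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0; /* discard */
    if ((size_t)payload + 3 > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + payload;
}

typedef size_t (*hb_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* Send a record that claims `claimed` payload bytes while carrying only
 * two, through the given handler; return 1 if the secret appears in the
 * reply, 0 otherwise. */
static int leaks_secret(hb_fn handler, uint16_t claimed) {
    unsigned char reply[ARENA_SIZE];
    size_t record_len = build_record(claimed, "hi", 2);
    size_t n = handler(arena, record_len, reply, sizeof reply);
    size_t slen = strlen(secret);
    for (size_t i = 3; n > 3 && i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, claim 200 bytes: leaked=%d\n", leaks_secret(heartbeat_vulnerable, 200));
    printf("fixed,      claim 200 bytes: leaked=%d\n", leaks_secret(heartbeat_fixed, 200));
    printf("fixed,      honest 2 bytes:  leaked=%d\n", leaks_secret(heartbeat_fixed, 2));
    return 0;
}
```

The honest two-byte request passes through both handlers unchanged; only the dishonest claim separates them, which is why the real fix was a single length comparison and why a server cannot distinguish a probe from a legitimate heartbeat after the fact.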

POLi Payments chief technical officer Brian Mills said that “once we discovered we were vulnerable to heartbleed we moved to update our servers, confirm we were no longer vulnerable and then replace our SSL certificates”. 

The bug, which was publicly disclosed on April 7, appears to have been patched by many sites, but not before the passwords and financial details of thousands of consumers were potentially exposed.

According to researchers at Google and the Finnish security firm Codenomicon, who discovered heartbleed, the bug “allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”.

Writing on a blog alerting Internet users to the risks, the researchers noted: “The heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”

Millions of websites rely on OpenSSL and were potentially vulnerable. Contrary to early reports, it was not older versions that were at risk: the flaw was introduced in OpenSSL 1.0.1, released in March 2012, and affects releases up to 1.0.1f, with the fix shipping in 1.0.1g. The older 0.9.8 and 1.0.0 branches were never affected. Online anonymity network Tor said in a statement that, while the bug was being patched, users “might want to stay away from the Internet entirely for the next few days”.
