Author Topic: Looks like I'm a victim of the Heartbleed SSL bug!  (Read 579 times)


Offline rumborak

  • DT.net Veteran
  • ****
  • Posts: 26664
Looks like I'm a victim of the Heartbleed SSL bug!
« on: April 11, 2014, 09:08:03 AM »
I had been on the phone 2 days ago with Barclaycard because their site was vulnerable to the bug, but they had not done anything, not even put a note on the site to notify users to change their password (now they have).

Well, this morning I got a call from them, they detected 2 fraudulent charges on my credit card. The big one (a flight with a Brazilian airline) didn't go through at all, so luckily nothing really happened.

Keep an eye on your money for the next few weeks, folks!
"I liked when Myung looked like a women's figure skating champion."

Offline El Barto

  • Rascal Atheistic Pig
  • DTF.org Alumni
  • ****
  • Posts: 30740
  • Bad Craziness
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #1 on: April 11, 2014, 09:18:50 AM »
I don't understand why Barclays would use OpenSSL. Kirk can correct me on this if I'm wrong, but I thought OpenSSL was the free open-source thing that people use who don't have their own proprietary encryption schemes or aren't concerned enough about security to bother buying something more robust. Nothing against open source encryption products, TrueCrypt is still an excellent free, open-source product. Just seems like all financial institutions would be using something a little more specialized.

edit: Oh, and people get fraudulent charges on their cards/checking all the time. Certainly happened plenty before this latest screwup. I wouldn't necessarily say that it's because of Heartbleed that you got hacked. In fact Heartbleed is probably the less likely scenario.
Argument, the presentation of reasonable views, never makes headway against conviction, and conviction takes no part in argument because it knows.
E.F. Benson

Offline rumborak

  • DT.net Veteran
  • ****
  • Posts: 26664
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #2 on: April 11, 2014, 09:21:59 AM »
OpenSSL is used by Apache web servers for example, and it's used by 60% of all web servers in the world. TrueCrypt is something very different.

Offline El Barto

  • Rascal Atheistic Pig
  • DTF.org Alumni
  • ****
  • Posts: 30740
  • Bad Craziness
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #3 on: April 11, 2014, 09:24:36 AM »
I'm aware that TC is a completely different thing. I was just citing it as an example of excellent open-source encryption, on the assumption that OpenSSL was open-source, as well.

Offline rumborak

  • DT.net Veteran
  • ****
  • Posts: 26664
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #4 on: April 11, 2014, 09:26:13 AM »
I think OpenSSL is actually even higher-quality than TrueCrypt. But, bugs is bugs, and they don't stop at commercial software.

Offline El Barto

  • Rascal Atheistic Pig
  • DTF.org Alumni
  • ****
  • Posts: 30740
  • Bad Craziness
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #5 on: April 11, 2014, 10:28:35 AM »
I think OpenSSL is actually even higher-quality than TrueCrypt. But, bugs is bugs, and they don't stop at commercial software.
Fair enough. Bugs is bugs, indeed, and they'll always pop up.

One thing I might surmise though is that larger companies that develop or have developed proprietary software might have some advantage since an exploit isn't going to be as common and useful. Hacking OpenSSL is going to get you a ton of mileage. While Citibank's encryption might not even be as good as OpenSSL's, there are likely a helluva lot fewer people, less motivated, spending time scouring it.

Offline rumborak

  • DT.net Veteran
  • ****
  • Posts: 26664
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #6 on: April 11, 2014, 10:37:08 AM »
I think you're confusing internal encryption methods with the SSL handshake that was at fault here. I mean, I don't think it gets much more "big gun" than Google, and their Gmail servers were affected by it.

Offline El Barto

  • Rascal Atheistic Pig
  • DTF.org Alumni
  • ****
  • Posts: 30740
  • Bad Craziness
Re: Looks like I'm a victim of the Heartbleed SSL bug!
« Reply #7 on: April 11, 2014, 11:04:43 AM »
I'm not confusing the two, but your point about Google is well taken. It would certainly seem that a lot more large companies were using this than I had surmised.