Online transaction accounts exposed to danger
VietNamNet Bridge – About 15 e-banking websites run by commercial banks and payment portals in Vietnam were hacked on Tuesday. Hackers had managed to exploit a recently revealed security bug called OpenSSL Heartbleed, experts said.
When asked about the number of cards and accounts that may have been victimized, experts said it is “unestimable”.
Shortly before the attacks, Reddit and Heartbleed.com on Monday evening reported that security researchers had found a security flaw in OpenSSL, a popular data encryption standard. The flaw offers hackers who are aware of it the ability to extract massive amounts of data from the services that users rely upon every day.
Sources said the Heartbleed exploit had affected millions of online transaction accounts and banks’ websites.
According to Business Insider, web servers store a lot of information in their active memory, including usernames, passwords, and even the content that users have uploaded to a service. These items are made vulnerable by Heartbleed. Even credit card numbers could be pulled out of the data sitting in memory on the servers that power some services.
But worse than that, the flaw has made it possible for hackers to steal encryption keys — the codes used to turn gibberish-looking encrypted data into readable information.
IT bulletins worldwide reported that many large websites, including yahoo.com, fell victim to hackers who attacked through Heartbleed on April 8. It took Yahoo 24 hours to fix the problem.
According to Nguyen Hong Phuc, an expert from HVA Online, a security forum in Vietnam, OpenSSL Heartbleed is very dangerous because it relates to the security systems’ infrastructure.
“The flaw lies in the most basic encryption platform. This means that if a system has the flaw, the other encryption layers will be broken,” Phuc said.
Also according to Phuc, it is not difficult to fix the problem, as a patch was immediately provided on the Internet on April 7. However, fixing big, complex systems takes time.
The information about Heartbleed was passed on to HVA Online on Monday night, and HVA noted that some large service websites had already fixed the problem by noon Tuesday. However, by Tuesday afternoon, reports were coming in that about 15 e-banking websites of commercial banks and payment portals had been hacked.
Most of the home pages of the banks’ websites had been patched by noon Wednesday, but it is unclear if all the problems of the e-banking system have been fixed.
In general, it takes 24-48 hours to apply the patched version to the outer layers of [data] equipment. However, since the banks’ infrastructure systems are very big, and all the transactions are encoded, it may take more time for them to fix the problem.
HVA Online confirmed that smartlink, 123pay, paygate, and sohapay had completed fixing problems by Tuesday afternoon.
Security experts have advised banks to immediately update OpenSSL to the latest version, reboot their systems and change their SSL digital certificates.
According to Phuc, all of the most knowledgeable experts have the same advice: users should refrain from all online transactions through e-banking and payment portals until the banks affirm their websites are safe.
E-banking service users have been told to change their passwords, in case their information has leaked out.
BIDV, Vietcombank and LienViet Post Bank have asserted that their e-banking systems are still safe, but that they will nevertheless continue to check the systems.