Feeds

Commonwealth Bank in comedy Heartbleed blog FAIL

Bank: 'We are now safely patched.' Customers: 'You were using OpenSSL?'

Remote control for virtualized desktops

An attempt by Australia's Commonwealth Bank to reassure customers that they would not be harmed by the Heartbleed vulnerability has backfired spectacularly after tech-savvy customers made mincemeat out of a badly worded blog post.

A bank representative blogged: “I’m happy to report that our customers can rest assured we are patched against the ‘Heartbleed’ bug and you do not need to change your NetBank password.”

Which is nice to know. Unfortunately the words “we are patched against the ‘Heartbleed’ bug” caused a severe outbreak of FUD as some readers took them to mean the bank had been vulnerable to Heartbleed and had since applied a patch. As we now know, all sorts of nasty attacks were possible before patches arrived.

Astute readers pointed out that problem in comments on the post. The bank replied as follows:

… you do not need to change your NetBank password. We are patched against the Heart Bleed bug. We are dedicated to ensuring our data and that of our customers is safe and secure. We take matters of security very seriously and our security teams are always up to date with all of the latest security developments so that we can continually strengthen the protections we have in place.

Which again confused readers, leading some to ask for a simple “yes or no” answer to the question of whether the bank ever ran the troublesome version of Open SSL.

The bank's response was to copy and paste the above response several times into the comments.

The more technically literate corners of Twitter in Australia have had rather a lot of fun at the bank's expense since, as a Twitter stream of @Commbank mentions demonstrates.

The bank, meanwhile, seems to have stopped publishing comments from readers.

This incident will doubtless be replayed soon by social media “experts” as the kind of thing one should not do with “owned media”. A hundred corporate websites will become even blander and less interesting as a result.

Ironically, the bank has just invited the IT media to meet some of its operations folks. What chance the social media “experts” will join the dots between the bank's bloggers and technology experts for future posts on such matters? ®

Beginner's guide to SSL certificates

More from The Register

next story
Criticism of Uber's journo-Data Analytics plan is an Attack on DIGITAL FREEDOM
First they came for Emil – and I'm damn well SPEAKING OUT
'It is comforting to know where your data centres are.' UK.GOV does NOT
Plus: Anons are 'wannabes', KKK says, before being pwned
Google's whois results say it's a lousy smut searcher
Run whois google.com or whois microsoft.com. We dare you, you PIG◙◙◙◙ER
Holy vintage vehicles! Earliest known official Batmobile goes on sale
Riddle me this: are you prepared to pay US$180k?
'Open source just means big companies can steal your code.' O RLY?
Plus: Flame of the Week returns, for one night only!
NEWSFLASH: It's time to ditch dullard Facebook chums
Everything hot in tech, courtesy of avian anchor Regina Eggbert
Hey, you, PHONE-FACE! Kickstarter in-car mobe mount will EMBED your phone into your MUG
Stick it on the steering wheel and wait for the airbag to fire
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.