CityPay can confirm that, since the public release of Heartbleed (CVE-2014-0160) our public facing secure services were fully patched with the OpenSSL fix immediately that the information was made available.
Due to the time lines of public disclosure this patch occurred on the 9th April at 2:23 AM.
The potential affect of Heartbleed is that an attacker could read the memory of an affected system which could potentially lead to the compromise of web server private keys, identity information such as usernames, passwords and any given content.
As a standard method of secure processing, card data is sent over these channels. Coupled with the nature of the flaw, this could potentially lead to disclosure of card data. All front facing products are delivered over TLS/SSL and therefore were affected by this flaw including Paylink, PayPOST, BIS, PayPOS and the Merchant Control Panel.
To this affect, CityPay have analysed our logs and are pleased to confirm that no suspicious activity related to this issue has been found.
Whilst this is the case, we are treating the seriousness of this issue as very high.
Whilst, Heartbleed affected only our front end web servers, CityPay handle card security on many levels and not just SSL. For instance
- all of our HTTP calls are controlled by access control lists.
- web application firewalls are deployed to ensure that any known web hacking techniques are blocked, logged and alerted
- card data is protected as soon as it enters our network using high grade ciphers - not with OpenSSL!.
Clients who are also running OpenSSL on their network should run a test with the online test tool at https://filippo.io/Heartbleed
As a prevention CityPay have asked all customers to change their password on the next login of the Merchant Control Panel.