
Important Information Regarding Heartbleed Vulnerability

You may have heard about the Heartbleed vulnerability (CVE-2014-0160) that has affected the software that runs most internet web sites. Your NRO site was among them. We have no reason to believe that any NRO sites were compromised as a result of the recently announced vulnerability. However, due to the severe nature of this vulnerability, we have taken precautionary measures to protect your site.

What is Heartbleed?

Heartbleed is the name given to a vulnerability discovered in the encryption technology used by two-thirds of internet web sites. The bug was discovered on April 7th. More details can be found at www.heartbleed.com.

What is the Risk?

We believe the risk to your site is low, but the potential harm is high. The patch for the Heartbleed vulnerability was released within hours of it being reported, and all NCR Retail Online sites were patched by 1:45 AM EDT April 8. Additionally, your site certificate has been updated (free of charge) to cover the possibility that your certificate's private key was compromised.

Why are you updating my site certificate?

If your site was compromised by a hacker taking advantage of the Heartbleed vulnerability, that hacker could have learned the secret key associated with your certificate. Using that secret key, the hacker would be able to eavesdrop on conversations between your web site and your customer’s browser. Although the hacker could not see credit card information, because that data is never actually sent through NRO, the hacker would be able to see login and password information. While we believe the risk to your site is low, and security experts currently disagree on how difficult, or even possible, it is to use this exploit to capture a private key, we have nevertheless reissued certificates on all NRO sites.
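The advisory's reasoning is that any certificate whose private key existed on a server before it was patched must be reissued. A defender checking that the reissue actually happened everywhere can compare each deployed certificate's validity start (notBefore) against the patch completion time. The script below is an added example, not NRO or NCR code: it walks the DER structure of an X.509 certificate with a minimal ASN.1 reader to extract notBefore and flags any certificate issued before 1:45 AM EDT on April 8, 2014 (05:45 UTC). The sample certificates it audits are skeletal structures constructed inside the script for illustration, not real certificates, and the site names are made up.

```python
"""Flag TLS certificates issued before the Heartbleed patch was completed.

Added example; not NRO/NCR code. Uses only the standard library.
"""
import datetime as dt

# Patch completion time stated in the advisory: 1:45 AM EDT, April 8, 2014.
# EDT is UTC-4, so this is 05:45 UTC.
PATCH_COMPLETED_UTC = dt.datetime(2014, 4, 8, 5, 45, tzinfo=dt.timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield the (tag, value) pairs nested directly inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                             # UTCTime: YYMMDDHHMMSSZ
        t = dt.datetime.strptime(text, "%y%m%d%H%M%SZ")
    elif tag == 0x18:                           # GeneralizedTime: YYYYMMDDHHMMSSZ
        t = dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag %#x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)


def cert_not_before(der):
    """Return the notBefore timestamp (UTC) of a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    (nb_tag, nb_val), _ = list(_children(validity))
    return _parse_time(nb_tag, nb_val)


def needs_reissue(der, patched_at=PATCH_COMPLETED_UTC):
    """True if the certificate's key existed on the server before it was patched."""
    return cert_not_before(der) < patched_at


def audit(certs, patched_at=PATCH_COMPLETED_UTC):
    """Map each site name to whether its certificate still needs reissuing."""
    return {name: needs_reissue(der, patched_at) for name, der in certs.items()}


# --- Constructed sample data below (skeletal, unsigned; not real certificates) ---

def _tlv(tag, value):
    """Encode one DER TLV with short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(not_before, not_after):
    """Build a minimal DER certificate skeleton carrying only the fields we parse."""
    utc = lambda t: _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))                  # [0] version v3
        + _tlv(0x02, b"\x01")                             # serialNumber (placeholder)
        + _tlv(0x30, b"")                                 # signature alg (placeholder)
        + _tlv(0x30, b"")                                 # issuer (placeholder)
        + _tlv(0x30, utc(not_before) + utc(not_after))    # validity
        + _tlv(0x30, b"")                                 # subject (placeholder)
    )
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


SAMPLE_CERTS = {  # hypothetical site names; dates chosen around the patch time
    "shop-before-patch": build_sample_cert(dt.datetime(2014, 3, 1), dt.datetime(2015, 3, 1)),
    "shop-after-patch": build_sample_cert(dt.datetime(2014, 4, 8, 12), dt.datetime(2015, 4, 8, 12)),
}

if __name__ == "__main__":
    for site, flagged in audit(SAMPLE_CERTS).items():
        print(site, "NEEDS REISSUE" if flagged else "ok")
```

In practice the DER bytes would come from the deployed certificate file or a TLS handshake rather than from `build_sample_cert`. Note that a notBefore after the patch time only shows that a new certificate was cut; it does not by itself prove that a fresh key pair was generated, so the audit is a completeness check on the reissue, not a substitute for it.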

Is there anything I need to do?

Yes. Now that your site certificate has been updated, you should change all logins to the NROAdmin Panel (the web site that you use to manage your NRO store). In addition, you may want to send your customers an email letting them know that they should change their passwords as well. This is a precautionary measure but a prudent one. Below is a sample email you might want to use:

Dear Acme Customer,

Recently a flaw in the software that runs the majority of internet web sites was discovered. Our ecommerce web site was among them. There is no indication that our site was compromised by this software issue. Within hours of the discovery of this flaw, our servers were patched. However, as a precautionary measure we are encouraging all of our customers to change their password. We sincerely apologize for any inconvenience this might cause you.

Is there any impact to NCR Secure Pay, which NRO uses to process credit cards?

Neither the Secure Pay settlement portal nor the mechanism that NRO uses to connect to Secure Pay was at risk from the Heartbleed vulnerability. However, there was another, less well-known and less-used connection into the Secure Pay environment that was at risk. Patches have been applied to address the Heartbleed vulnerability associated with this connection, and site certificates were reissued, as was done for NRO. The Secure Pay team is in the process of updating the Secure Pay portal to allow you to change both your portal password and your POS password (used by NRO). As a precautionary measure, we recommend that you change both as soon as this functionality is available. Instructions for doing so will be provided via email when that capability is in place.

Thank You,
Jack Roberts
NCR Hosted Apps