
Online Billpay Provider Loses Control of Domains

An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

17 of 232 comments

  1. Some more details... by Darth+Muffin · · Score: 4, Informative
    My wife works for a CU, and has been giving me details on this all day. I guess the cat's out of the bag now and I can say something :) Your financial institution is not to blame, but in my wife's case they're offering to help clean up infected users' computers.

    Anyhow, what I know is that the malware is new and still being analyzed -- they're not fully sure what it's for yet (capturing accounts, spamming, botnet, or probably all of the above). For now they are recommending that people update their virus scanners and Acrobat Reader. They must suspect Acrobat as an infection vector somehow.

    --
    Real programmers use "copy con program.exe"
  2. Re:Summary's analysis doesn't make much sense. by Tablizer · · Score: 5, Informative

    If there were a Slashdot feature to transfer money out of your bank account...

    The /. HTML was hijacked, and odd jumpy misaligned CSS was put up instead ;-)

  3. Don't be stupid... by NoKaOi · · Score: 3, Informative

    For US Bank anyway, when I tried to go to my bill pay when this was going on my browser gave a nice message that the SSL cert was self signed and issued to localhost.localdomain. Any modern browser makes it pretty clear that something bad is happening in this case, although I'm sure there's still plenty of ignorant users willing to click through.

    True, my financial institution (US Bank) may or may not be to blame, HOWEVER, you'd think it wouldn't take a bank a full day to let users know or take away the bill pay link or something along those lines. When I saw the invalid certificate, I still needed to cancel an automatic payment so I decided to contact my bank. Their response was basically, "we take security very seriously, please make sure you're using a compatible browser, move along now, nothing here to see." It wasn't until at least a day later that they notified users when logging in that bill pay was down. I wonder how many users clicked through during that one day period, which could have easily been prevented by a faster response?
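The warning described above is the browser refusing a certificate that is self-signed and issued to the wrong name. The following added example (not from the thread or from any bank's code) applies the same three checks to a certificate in the dictionary form `ssl.SSLSocket.getpeercert()` returns, using two constructed sample certificates and a fixed clock so it runs offline.

```python
import ssl
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# Neither is a real certificate; they are built inline so this runs offline.
BOGUS_CERT = {  # what the comment describes: self-signed, issued to localhost.localdomain
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
    "notBefore": "Nov 20 00:00:00 2008 GMT",
    "notAfter": "Nov 20 00:00:00 2018 GMT",
}
GOOD_CERT = {  # hypothetical CA-issued certificate for the bill-pay host
    "subject": ((("commonName", "billpay.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "billpay.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Nov 20 00:00:00 2008 GMT",
    "notAfter": "Nov 20 00:00:00 2018 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec 10 12:00:00 2008 GMT")  # fixed clock for the demo


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def _matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_peer_cert(cert, expected_host, now=None):
    """Return the list of problems found; an empty list means the cert passes."""
    now = time.time() if now is None else now
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: issuer equals subject")
    names = _dns_names(cert)
    if not any(_matches(name, expected_host) for name in names):
        problems.append(f"hostname mismatch: issued to {names}, expected {expected_host}")
    if not ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("outside validity window")
    return problems
```

On a live connection `ssl.create_default_context()` performs these checks (plus chain validation) for you; this function is for inspecting a certificate you have already captured or logged.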

  4. Re:DNS Hijacking by mlts · · Score: 2, Informative

    This is a feature I also miss. They had a PGP keyserver, and you uploaded your PGP public key you wanted associated with the account. Then, you filled out the funky form that you E-mailed in, signed it with the key, and sent it in.

    I know this probably can't be done now, but instead, why not offer keyfobs similar to SecurID? PayPal, eBay, a number of banks, heck, even Blizzard offer this feature, so a compromised password isn't the end of the world.

    People use hardware devices to make sure their SSL keys aren't compromised; why not have that functionality guarding an element that arguably is just as important in the security chain?

  5. i <3 usa by Vegeta99 · · Score: 5, Informative

    When I was 16, I discovered that with a ruler, an X-Acto knife, and some Elmer's glue you could make up your own checks. They also had "MAC Check" machines that would scan a check - even from a non-customer - and cash them.

    When I was 19, I worked in a junk mail plant that at times printed the 25% interest rate personal checks that credit card companies send out to new cardholders. All night we would watch "CONGRATULATIONS ON YOUR NEW $100,000 CREDIT LIMIT!" with 6 checks attached go whizzing by at 5MPH. When that roll of checks breaks, printed-but-junk checks dump on the floor, 7 feet per second, and if I wanted, I could pocket the sonsabitches and spend like hell - before the recipient even activated their new card. We sent those out, too.

    Can our banking system really be that insecure? I open an account based on a supposedly unique ID number, hand them a photo ID that doesn't even reference my SSN. Then, they give me another number - my account number - and tell me to keep it private. Three weeks later, I get my checks that ten minimum wage slaves have already gotten to see. Every check I hand out has my private account number printed at the bottom.

    Most banks hold you responsible for any automated clearing house fraud, and yet, to authorize a transfer out, all that is needed are the numbers at the bottom of every personal check you write and the "assurance" from the receiving institution that you have "authorized the transfer".

    When ya think about it, it's no wonder they charge you $2 to withdraw from an ATM, $3 to use a teller, and $35 for an overdraft - it's easier to roll the dice to get an account number than it is to roll the dice and win the lottery!

    1. Re:i <3 usa by Dahan · · Score: 2, Informative

      Most banks hold you responsible for any automated clearing house fraud

      Hmm, I was under the impression that NACHA says that consumers have 60 days to challenge an unauthorized ACH debit. Bank of America certainly didn't hassle me at all when I reported four counterfeit checks totalling about $1400 drawn from my account (two were processed the old-fashioned way, two were converted to ACH debits). They credited me the two paper checks immediately. For the ACH conversions, I had to send in an affidavit saying the debits were unauthorized, and they credited me about a week later.

  6. Re:Aging brain dead old Re:Benefits of Paper Check by cgenman · · Score: 3, Informative

    Bank of America allows you to pay online via systems that accept it, and mail checks to those who don't. Strangely enough, most of the people I pay bills to here in Massachusetts accept digital billpay through whatever system they use. But even paper checks are automatic and free.

    BofA is a bunch of greedy bastards, yet they found a way to make it worthwhile and simple. It's slowly filtering over to America.

    It's like cellphones: Companies don't feel like they can change one territory in the US at a time... they have to go all or nothing. So we get systems 10 years after the rest of the world has piecemeal brought themselves into it. Otherwise nationwide rollouts are untenable.

  7. Checkfree? by Beowulf_Boy · · Score: 2, Informative

    My gas company offered the option of using Checkfree.
    Had I opted in, it cost an additional $8 to pay with my credit card, rather than sending in a personal check.

    Instead I just use US Bank's online Billpay option. Free, and cuts out the middle man.

    1. Re:Checkfree? by oasisbob · · Score: 2, Informative

      Instead I just use US Bank's online Billpay option. Free, and cuts out the middle man.

      If I'm not mistaken, US Bank uses Checkfree as the middle man!

      Payment processing and aggregation isn't simple. (Who do you send the check to? How do you aggregate ACH transactions to save money versus mailing hundreds of paper checks? How do you get electronic versions of the bills from the creditor if requested by your customer?)

      Many banks and bill pay providers use Checkfree because they take care of the details. You can code up a website that lets your account holder say "give $80 to Comcast", and it just does.

  8. Re:Single point of failure by F'Nok · · Score: 2, Informative

    Here in Australia the BPay system is ubiquitous.

    Every online banking system I've used has a 'pay bills' function, that lets you plug in the BPay details (biller, account code) and pay the bill that way.

    As it's a standard approach, you can pay your bills from any bank.
    As it's using your actual online banking, it's not a single target.

    BPay is wonderful, the US really needs an equivalent.

  9. Use a better registrar by Animats · · Score: 3, Informative

    Domain registrars come in several tiers.

    • Enom and its many other identities - use only for bulk junk domains
    • GoDaddy - low-end service; use for unimportant blogs.
    • Network Solutions - use for general business domains (ibm.com)
    • MarkMonitor - use for high value domains (gm.com, ubs.com)

    MarkMonitor is in the business of protecting "brands", so they have lawyers and technicians on staff to swing into action if somebody pulls something. If you have to ask how much they cost, you can't afford them.

    1. Re:Use a better registrar by fruey · · Score: 2, Informative

      I think GANDI have a good model. Their ethic is that they pretty much sell at cost. The service is great. I am just a customer, I'm not affiliated to them in any way.

      Network Solutions have a long history of slightly bizarre business practices. Just because they're more expensive, the ultimate product (an entry in a DB that points to your DNS servers) is ridiculously cheap when you have big volume and decent automation. MarkMonitor add value by protecting you, maybe they're good. NetSol add marketing glitz value, but nothing good IMHO.

      --
      Conversion Rate Optimisation French / English consultant
  10. Re:Benefits of Paper Checks by Anonymous Coward · · Score: 1, Informative

    As a European I too am amazed that an allegedly technological and advanced society that the USA is purported to be still is stuck in the 1870's when it comes to banking. Here in the UK the direct debit system works without grief. You set up the direct debit between your bank and whoever and the money flows automatically. Whoever you are paying can't change the amount without telling you first and giving you a chance to stop the debit and if there is a mistake THE BANK has to make good your account and chase who they paid in error. Because the bank loses when things go wrong they're bloody quick at getting things sorted.

    I haven't paid regular bills (electricity, phone, mortgage etc.) by cheque (correct spelling) since 1994 and in that time I've had 2 direct debits go wrong. Each time the bank had got the incorrect payments back to my account before the close of trading the day the error was made. I have complete confidence in the system and it just works.

    The more I read about the USA the more it appears that apart from a bit of glitz around New York and LA, the whole place is like some backward 3rd world country populated by peasants in SUVs demanding that their way is right and everyone else is out of step. Not only have your banks royally fucked up the entire world's economic systems but it seems that their service to their customers hasn't advanced much beyond the days when Jesse James and his comrades rode into town on horseback and held them up.

    How the fuck the USA rose to its position of world preeminence is truly fucking mind-boggling.

    A. Bullwinkle, Esq.

  11. Re:Benefits of Paper Checks by jmccue · · Score: 2, Informative

    I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills

    FWIW, in the US you get federal protection when using the Post Office / first class mail. Not sure what (if any) legal protection you get using the WEB for paying bills.

    Jack

  12. Re:Wire transfer by Anonymous Coward · · Score: 2, Informative

    Have you looked at all the people rationalizing their use of paper checks in the comments? That's one reason (or rather a symptom of the same reason).

    Truly, the US is way behind a lot of the rest of the world in payments. We're getting there (I work in the payment industry), and banks and other FIs are adopting more payment strategies over time, but we as a country are perhaps too(?) conservative on these things.

    Too, we don't (yet?) have only 3-5 gigundus "country banks" in the country like a lot do, nor huge quasi-gov't entities governing and aggregating payments like Brazil's CIP or Australia's B-Pay.

    This makes adoption harder since it's harder to get critical mass with a slew of smaller entities that need to "buy-in". Chicken and egg, that.

    So, the US will have person to person wire payments, but it will be awhile, and come in discrete, fragmented steps.

  13. More secure pages... by Mendenhall · · Score: 2, Informative

    Interestingly, a few months ago, my financial services company (Merrill Lynch) changed the way their online login works to make this attack very hard. They required me to select an image from a large catalog, and a phrase I made up to go with it. Now, when I log in, I am presented the image and the phrase. Since these images come from a huge catalog, and the phrase is entirely up to the user, the probability that a hijacked page would have the same information is very small. In effect, the site is presenting _me_ with a password, before I present it with a password. (Cue, on 3, In Soviet Russia, sites log onto you)

    I think this makes these pages fairly secure against the various DNS and other redirect attacks people have come up with. Someone would have to get very deep access to the main server, to figure out the image everyone chose, to successfully hijack a site.

    1. Re:More secure pages... by LunaticTippy · · Score: 3, Informative

      This scheme does nothing. Let's pretend you are, through whatever means, on a malicious copy of your Merrill Lynch site. Merril1-Lynch.com just logs in to merill-lynch.com and hands everything back and forth. They give your real site your username. The real site gives a picture. They give you the picture. Etc. Nothing is gained. It is security theater.

      Someone figured that out, and some sites now register your IP address or a cookie and if it is different they ask you for your mother's maiden name or whatnot. Guess what? My IP address and cookies change all the time. So now I have my mother's maiden name and favorite movie flowing around everywhere, and malicious sites can simply pass these questions and answers on, then get to the serious business of forwarding the pictures, then get involved in the boring financial transactions.

      --
      Man, you really need that seminar!
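The exchange in comments 13 and 13.1, as an added simulation that is not part of the thread or of any bank's system: the image and phrase are a lookup the genuine site answers for anyone who sends the username, so a site that merely forwards requests presents the correct image too; the only signal that distinguishes the two is which host the connection actually goes to, which is what the browser's certificate check in comment 3 establishes. All class names, hosts and values are made up for the demonstration.

```python
# Constructed simulation of the image-plus-phrase ("sitekey") login described
# above. Hosts, usernames and values are invented for the demonstration.
class RealSite:
    """The genuine site: reveals the user's chosen image and phrase before the password."""
    host = "bank.example"

    def __init__(self):
        self.sitekeys = {"alice": ("red-barn.jpg", "my barn")}
        self.passwords = {"alice": "correct horse battery"}

    def sitekey_for(self, username):
        return self.sitekeys.get(username)

    def login(self, username, password):
        return self.passwords.get(username) == password


class ForwardingSite:
    """Any site that can reach the real one answers the image challenge identically,
    because the challenge is a lookup by username, not proof of the server's identity."""
    host = "bank-login.example"  # not the host the user meant to visit

    def __init__(self, upstream):
        self.upstream = upstream
        self.seen = []  # credentials that passed through this site

    def sitekey_for(self, username):
        return self.upstream.sitekey_for(username)

    def login(self, username, password):
        self.seen.append((username, password))
        return self.upstream.login(username, password)


def login_checking_image(site, username, expected_sitekey, password):
    """The check the image scheme asks of the user: type the password only if the image matches."""
    if site.sitekey_for(username) != expected_sitekey:
        return False
    return site.login(username, password)


def login_checking_host(site, expected_host, username, expected_sitekey, password):
    """Same flow, but refusing to proceed unless the connection is to the expected host
    (the property a validated TLS certificate gives the browser)."""
    if site.host != expected_host:
        return False
    return login_checking_image(site, username, expected_sitekey, password)
```

Run `login_checking_image` against a `ForwardingSite` and the image check passes while the credentials land in `seen`; run `login_checking_host` with the expected host and the forwarding site is rejected before any credential is sent.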