Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Billpay Provider Loses Control of Domains

Posted by timothy on from the sell-your-body-to-pay-the-bills dept.

An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

3 of 232 comments (clear)

  1. Some more details... by Darth+Muffin · · Score: 4, Informative
    My wife works for a CU, and has been giving me details on this all day. I guess the cats out of the bag now and I can say something :) Your financial institution is not to blame, but in my wife's case they're offering to help clean up infected user's computers.

    Anyhow, what I know is that the malware is new and still being analyzed -- they're not fully sure what it's for yet (capturing accounts, spamming, botnet, or probably all of the above). For now they are recommending that people udate their virus scanners and Acrobat Reader. They must suspect Acrobat as an infection vector somehow.

    --
    Real programmers use "copy con program.exe"
  2. Re:Summary's analysis doesn't make much sense. by Tablizer · · Score: 5, Informative

    If there were a Slashdot feature to transfer money out of your bank account...

    The /. HTML was hijacked, and odd jumpy misaligned CSS was put up instead ;-)
           

    --
    Table-ized A.I.
  3. i 3 usa by Vegeta99 · · Score: 5, Informative

    When I was 16, I discovered that with a ruler, an exacto knife, and some elmer's glue you could make up your own checks. They also had "MAC Check" machines that would scan a check - even from a non-customer - and cash them.

    When I was 19, I worked in a junk mail plant that at times printed the 25% interest rate personal checks that credit card companies send out to new cardholders. All night we would watch "CONGRATULATIONS ON YOUR NEW $100,000 CREDIT LIMIT!" with 6 checks attached go whizzing by at 5MPH. When that roll of checks breaks, printed-but-junk checks dump on the floor, 7 feet per second, and if I wanted, I could pocket the sonsabitches and spend like hell - before the recipient even activated their new card. We sent those out, too.

    Can our banking system really be that insecure? I open an account based on a supposedly unique ID number, hand them a photo ID that doesn't even reference my SSN. Then, they give me another number - my account number - and tell me to keep it private. Three weeks later, I get my checks that ten minimum wage slaves have already gotten to see. Every check I hand out has my private account number printed at the bottom.

    Most banks hold you responsible for any automated clearing house fraud, and yet, to authorize a transfer out, all that is needed are the numbers at the bottom of every personal check you write and the "assurance" from the receiving institution that you have "authorized the transfer".

    When ya think about it, it's no wonder they charge you $2 to withdraw from an ATM, $3 to use a teller, and $35 for an overdraft - it's easier to roll the dice to get an account number than it is to roll the dice and win the lottery!