Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Billpay Provider Loses Control of Domains

Posted by timothy on from the sell-your-body-to-pay-the-bills dept.

An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

15 of 232 comments (clear)

  1. As a customer.... by Anonymous Coward · · Score: 5, Interesting
    My company uses Checkfree and Checkfree handled this very poorly. Apparently this happened on Monday and they never notified us. We where notified when one of our own customers notified us and and pointed out the suspicious activity. We had to call Checkfree to get the details. It was caused by their own ineptitude in managing their passwords and accounts.

    Posting anonymously so I don't get sued.

    1. Re:As a customer.... by Anonymous Coward · · Score: 2, Interesting

      As another "customer" (CheckFree is the backend for our billpay vendor), I can confirm that they handled this incredibly poorly.

      Their notifications to us were vague and delayed. They were full of technical inaccuracies. One email referred to the "DNS routing tables". Another said that customers without "Adobe installed" wouldn't be affected. (Adobe ____?)

      We were given misleading information about the nature of the malware, and calls seeking more information were never returned. Apparently there was an Adobe PDF vulnerability that was exploited, but they never clearly explained the process clearly.

      And best of all, they never mentioned HOW this happened in the first place... Now it's obvious that they have something to hide.

      Makes me want to take in incident response class from SANS.

  2. Re:DNS Hijacking by Tyger · · Score: 4, Interesting

    Funny thing is it's a step back for Network Solutions security. You USED to be able to set it up to require a RSA key for domain changes, back when everything was done via odd forms over email.

  3. Benefits of Paper Checks by ShaunC · · Score: 5, Interesting

    Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

    I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills. Once a month or so I'll bring the stack into the office and take care of it during downtime, and folks look at me like I'm transmitting morse code over a telegraph. I do bank online, but I don't do online bill pay.

    One reason I still cling to checks is that they allow me to be the final arbiter and gatekeeper of my money, and I have better fiscal responsibility when I'm directly involved in disbursement. Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck. If you elect not to use online bill pay, you have to actually look at your credit card statements each month, instead of just setting up a $200 monthly ACH and ignoring the current total.

    I'm afraid that if I set everything up to be paid automatically, I'd very quickly wake up to discover that my checking account is overdrawn because I wasn't paying enough attention. Writing checks and licking envelopes is my way of keeping tabs on what's going out the door each month. The potential security benefits don't hurt, as anyone screwing around with mailed bills faces the wrath of the United States Postal Inspection Service. Unlike most online fraud, fucking with the mails will actually get you in trouble, and USPIS doesn't blow you off if you haven't suffered hundreds of thousands of dollars in losses.

    I do miss the one benefit that physical checks had up until a couple of years ago, the float. Check21 pretty much ruined that, but maybe it was for the better. Come to think of it, I haven't overdrafted since Check21.

    Long live the check, just stay away from my routing numbers.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:Benefits of Paper Checks by spoco2 · · Score: 2, Interesting

      That was my thought too... it's a 'throw the baby out with the bathwater' thing.

      Firstly, as an Australian I am CONSTANTLY amazed at the US's continued reliance on cheques (yes, that's how the rest of the world spells it). When I lived there for a while in 2001 I was amazed that I couldn't pay the majority of my bills online at all, even if I wanted to. The time consuming, paper wasting, overly complex and error prone thing of handling all those cheques is just insane.

      I pay all my bills electronically via the BPay system in Australia, there's virtually nothing you can't pay this way.

      I DO have automatic payments for some things, but only those that are a constant amount each month (internet for example)... everything else is manually handled, but jumping onto internet banking and putting in the figures is a WHOLE lot faster and less resource intensive than making out X cheques, putting them in envelopes and mailing them all.

      Pure madness.

    2. Re:Benefits of Paper Checks by blueZ3 · · Score: 3, Interesting

      Just what I was thinking...

      My wife and I (she's the math major and very detail oriented) pay bills online, manually. I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender) or putting numbers into a field on a form.

      I also can't imagine anyone not reconciling their bank and credit card statements against their records each month. We keep a detailed budget that shows every transaction (credit, checking or cash) and we reconcile the bank and credit card statements against it each month. As frequently as banks screw up, it just makes sense.

      Of course, our money is in a credit union, not a big national bank, so I like to think we get better service when we do have an issue. It's certainly much better than other big banks where we've had accounts *cough-citibank-*cough and had terrible service.

      --
      Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  4. Re:Summary's analysis doesn't make much sense. by beckerist · · Score: 3, Interesting

    It's not hard to set up a page that looks exactly like the front page of anything. cfhttp does it for you (if you are for CF.) At the very least, a site could be hijacked, a cfhttp to the IP of the server could easily be set up, and the forms could be hijacked to steal your password. Slashdot isn't probably the most likely target, but I'm sure there are plenty of people here who's /. password is their email (or [insert any service here] password.)

  5. Not a banking issue by drew30319 · · Score: 2, Interesting

    This isn't an online banking issue, this is an issue of domain-stealing. The fact that it's banking-related is immaterial. If the domains stolen were instead several newspaper domains we wouldn't call into question the credibility of the news (at least not more than we do now).

    I've been involved w/ online/PC banking for 15 years or so and can tell you it's been a huge time + postage savings for me. I have no idea what the cost of a stamp is because the only reason I'd ever need them is for bills. Give it a shot w/ just one bill for a month or two.

    That said, CheckFree is fairly notorious for their poor service and it's not surprising to me if they turn out to be at blame here. Especially disturbing is the apparently slapshod response.

    --
    JAGga.me ----> Producing video games addressing emotional health and wellness issues affecting teens.
  6. Aging brain dead old Re:Benefits of Paper Checks by mrmeval · · Score: 3, Interesting

    The current bill payers in America are getting old.

    The credit card companies have a stranglehold on paying by any form of credit card.

    Paypal is evil.

    There is no nationally accepted payment system where someone or both do not get gouged some fee. Checks are one of the few ways both parties can avoid some of the fees though I've heard that banks are starting to jack up the cost of processing them.

    Our banks do not cater to customers, they are hind bound and greedy. They won't do anything unless they can screw their customers or the government for money.

    When the banks finally get less incompetent they might be able to pry online payments and credit cards away from the major credit card companies. It won't happen soon because of the long term incestuous symbiotic relationship they have.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  7. Don't be stupid...Most users are. by Mateorabi · · Score: 2, Interesting

    At least they pay security lip service. My mother was having trouble enabling online Suntrust banking from her OS X machine months back (we tried three browser types, all failed differently.) The Suntrust rep on the phone actualy made the suggestion that my mother go to a public library with a Windows machine since it would work there*. It's at this point I went from anoyed to extremely cross and chewed the person out. I wonder how many other customers with out Windows PCs and tech-savy children were following this advice.

    *For some reason the software lets you manage your account fine from a Mac, but won't let you do the first time setup.

    --
    "You saved 1968." - Ms. Valerie Pringle to the crew of Apollo 8

  8. Re: Checks are dangerous too! by Vskye · · Score: 2, Interesting

    Mod the parent up. Seriously. So what if he is an Anonymous Coward. frick'in stupid moderators. :P

    What is so wrong paying cash? For example, I have a AT&T dsl account that I'm "suppose" to have
    a CC attached to it for payment. Wtf? Why should I have to go through these loopholes to pay my bill?

    Do I have options to pay the account locally? Yes, I finally found that out. Automated payments are
    evil, end of story. When has it became so evil to pay by cash? If I can't have a option to pay by
    cash, without loopholes then said companies need to be sued, period. Oh, and I'm billed a month
    ahead of my usage. Nice.....

    --
    Life was hell, then I discovered Linux...
  9. Re:Use a better registrar by Anonymous Coward · · Score: 1, Interesting

    Really? Why do you rate Enom below GoDaddy? I'm too light a user to have any real experience personally. I've heard gripes about NetSol and GoDaddy on places like Slashdot, but not much about Enom. What is their problem?

  10. Wire transfer by tmk · · Score: 3, Interesting

    Why don't Americans use wire transfer more often? In Europe it is a fast and relatively safe method.

  11. Re:Don't be stupid... by Anonymous Coward · · Score: 1, Interesting

    From what I understand of events, if you were getting that message then YOUR bank did not know. CheckFree did not notify anyone, even banks, until well after the domain was recovered and the Ukrainian IP was down.

  12. Checks here is not accepted anymore by TheDarkMaster · · Score: 2, Interesting

    On my country, in pratice checks - electronic or real ones - is not accepted anymore. Too many frauds

    --
    Religion: The greatest weapon of mass destruction of all time