2055643
story
Comments: 232 +- IT: Online Billpay Provider Loses Control of Domains on Thursday December 04 2008, @11:51PM
Posted
by
timothy
on Thursday December 04 2008, @11:51PM
from the sell-your-body-to-pay-the-bills dept.
from the sell-your-body-to-pay-the-bills dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicinternet.gif); width:70px; height:73px;
internet
An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.
Related Stories
News: Fraud Threat Halts Knuth's Hexadecimal-Dollar Checks 323 comments
Submission: Online Billpay Provider Loses Control Of Domains by Anonymous Coward
To keep your friends treat them kindly; to kill them, treat them often.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
At least this time... (Score:2)
...someone (apparently) didn't manage to socially engineer Network Solutions. That's happened at least a few times that I can recall...
Re:At least this time... (Score:4, Funny)
Parent
Epic Fail (Score:5, Funny)
Summary's analysis doesn't make much sense. (Score:2)
Re: (Score:3, Insightful)
If there were a Slashdot feature to transfer money out of your bank account...
Re:Summary's analysis doesn't make much sense. (Score:4, Interesting)
Parent
Re:Summary's analysis doesn't make much sense. (Score:5, Informative)
The /. HTML was hijacked, and odd jumpy misaligned CSS was put up instead ;-)
Parent
Re:Summary's analysis doesn't make much sense. (Score:5, Funny)
If there were a Slashdot feature to transfer money out of your bank account...
It's called 'subscription'
Parent
Re: (Score:2)
This could happen for any trusted website, even Slashdot.
Slashdot is a trusted website?
Re: (Score:3, Funny)
Slashdot is my trusted supplier of Goatse and GNAA trolling!
Checks are dangerous too? Better avoid money xfer (Score:4, Funny)
Obviously, the only safe solution is to not pay... what, that has problems too?!?
As a customer.... (Score:5, Interesting)
Posting anonymously so I don't get sued.
Re: (Score:2)
Odds are that someone there accessed netsol from an
machine infected with a keylogger.
It was therefore likely caused by their own ineptitude
in using a windows machine for administration.
Re: (Score:2)
I work at UMass Amherst and I'm trying to get this implemented
What would you get sued for? Stating a fact? Surely the US has not gone that crazy (although, I agree, from the news reports and stuff people in the US sue at the drop of a penny).
Re: (Score:2)
Re: (Score:3, Insightful)
I'm sorry, maybe Checkfree handled it poorly, but they're not the ones ultimately to blame here I think. Look at every high-profile domain hijacking that'
Benefits of Paper Checks (Score:5, Interesting)
Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.
I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills. Once a month or so I'll bring the stack into the office and take care of it during downtime, and folks look at me like I'm transmitting morse code over a telegraph. I do bank online, but I don't do online bill pay.
One reason I still cling to checks is that they allow me to be the final arbiter and gatekeeper of my money, and I have better fiscal responsibility when I'm directly involved in disbursement. Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck. If you elect not to use online bill pay, you have to actually look at your credit card statements each month, instead of just setting up a $200 monthly ACH and ignoring the current total.
I'm afraid that if I set everything up to be paid automatically, I'd very quickly wake up to discover that my checking account is overdrawn because I wasn't paying enough attention. Writing checks and licking envelopes is my way of keeping tabs on what's going out the door each month. The potential security benefits don't hurt, as anyone screwing around with mailed bills faces the wrath of the United States Postal Inspection Service. Unlike most online fraud, fucking with the mails will actually get you in trouble, and USPIS doesn't blow you off if you haven't suffered hundreds of thousands of dollars in losses.
I do miss the one benefit that physical checks had up until a couple of years ago, the float. Check21 pretty much ruined that, but maybe it was for the better. Come to think of it, I haven't overdrafted since Check21.
Long live the check, just stay away from my routing numbers.
Re:Benefits of Paper Checks (Score:4, Insightful)
You know, you can pay online without making it automatic.
Parent
Re: (Score:3, Interesting)
That was my thought too... it's a 'throw the baby out with the bathwater' thing.
Firstly, as an Australian I am CONSTANTLY amazed at the US's continued reliance on cheques (yes, that's how the rest of the world spells it). When I lived there for a while in 2001 I was amazed that I couldn't pay the majority of my bills online at all, even if I wanted to. The time consuming, paper wasting, overly complex and error prone thing of handling all those cheques is just insane.
I pay all my bills electronically via th
Aging brain dead old Re:Benefits of Paper Checks (Score:4, Interesting)
The current bill payers in America are getting old.
The credit card companies have a stranglehold on paying by any form of credit card.
Paypal is evil.
There is no nationally accepted payment system where someone or both do not get gouged some fee. Checks are one of the few ways both parties can avoid some of the fees though I've heard that banks are starting to jack up the cost of processing them.
Our banks do not cater to customers, they are hind bound and greedy. They won't do anything unless they can screw their customers or the government for money.
When the banks finally get less incompetent they might be able to pry online payments and credit cards away from the major credit card companies. It won't happen soon because of the long term incestuous symbiotic relationship they have.
Parent
Re:Aging brain dead old Re:Benefits of Paper Check (Score:4, Informative)
Bank of America allows you to pay online via systems that accept it, and mail checks to those who don't. Strangely enough, most of the people I pay bills to here in Massachusetts accept digital billpay through whatever system they use. But even paper checks are automatic and free.
BofA is a bunch of greedy bastards, yet they found a way to make it worthwile and simple. It's slowly filtering over to America.
It's like Cellphones: Companies don't feel like they can change one territory in the US at a time... they have to go all or nothing. So we get systems 10 years after the rest of the world has piecemeal brought themselves into it. Otherwise nationwide rollouts are untennable.
Parent
Re: (Score:2)
Did anyone notice that the major telco's changed their BPay numbers AND client reference numbers recently? Or are they just trying to fuck me over. The whole BPay system works, but if I wasn't an anal retentive bastard I wouldn't have noticed and just relied on the numbers stored in my banks details for the payments.
Re:Benefits of Paper Checks (Score:4, Interesting)
Just what I was thinking...
My wife and I (she's the math major and very detail oriented) pay bills online, manually. I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender) or putting numbers into a field on a form.
I also can't imagine anyone not reconciling their bank and credit card statements against their records each month. We keep a detailed budget that shows every transaction (credit, checking or cash) and we reconcile the bank and credit card statements against it each month. As frequently as banks screw up, it just makes sense.
Of course, our money is in a credit union, not a big national bank, so I like to think we get better service when we do have an issue. It's certainly much better than other big banks where we've had accounts *cough-citibank-*cough and had terrible service.
Parent
Re: (Score:2)
You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online. With postfix and spamassassin, email occasionally gets misflagged, misfoldered, or otherwise misrouted. Forgetting that a certain bill is due, or not receiving the email notice for some reason, is IMO even worse than having an automatic payment set up. The physical paper bill is just as much a part of my fiscal
Tax ramifications (Score:5, Insightful)
Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck.
This is exactly why people should have to pay income tax instead of having it automatically deducted.
If everyone actually had to write that fat check out, they might begin to care about elections and the state of the world.
Parent
Re: (Score:2)
Re: (Score:2)
Yeah, fuck Check21.
I still gotta wait 5 days for an out of state check to clear, but the damn check I wrote a business 3 states away clears overnight? Fuck, not cool.
Some more details... (Score:5, Informative)
Anyhow, what I know is that the malware is new and still being analyzed -- they're not fully sure what it's for yet (capturing accounts, spamming, botnet, or probably all of the above). For now they are recommending that people udate their virus scanners and Acrobat Reader. They must suspect Acrobat as an infection vector somehow.
Single point of failure (Score:2)
It seems to me that part of the problem is that too many websites that service too many customers are all using a *single* payment service. Hijack that one payment service, and you can potentially hit 10's of millions of customers.
I don't see why giant national banks, and even mid-size regional banks, can create their *own* online payment services. Heck, they might even be able to generate new streams of revenue for themselves, instead of giving all that revenue to Checkfree. If nothing else, it helps to li
Don't be stupid... (Score:3, Informative)
True, my financial institution (US Bank) may or may not be to blame, HOWEVER, you'd think it wouldn't take a bank a full day to let users know or take away the bill pay link or something along those lines. When I saw the invalid certificate, I still needed to cancel an automatic payment so I decided to contact my bank. Their response was basically, "we take security very seriously, please make sure you're using a compatible browser, move along now, nothing here to see." It wasn't until at least a day later that they notified users when logging in that bill pay was down. I wonder how many users clicked through during that one day period, which could have easily been prevented by a faster response?
Don't be stupid...Most users are. (Score:3, Interesting)
Not a banking issue (Score:2, Interesting)
I've been involved w/ online/PC banking for 15 years or so and can tell you it's been a huge time + postage savings for me. I have no idea what the cost of a stamp is because the only reason I'd ever need them is for bills. Give
Re: (Score:2, Insightful)
oh the irony... (Score:2, Funny)
i 3 usa (Score:5, Informative)
When I was 16, I discovered that with a ruler, an exacto knife, and some elmer's glue you could make up your own checks. They also had "MAC Check" machines that would scan a check - even from a non-customer - and cash them.
When I was 19, I worked in a junk mail plant that at times printed the 25% interest rate personal checks that credit card companies send out to new cardholders. All night we would watch "CONGRATULATIONS ON YOUR NEW $100,000 CREDIT LIMIT!" with 6 checks attached go whizzing by at 5MPH. When that roll of checks breaks, printed-but-junk checks dump on the floor, 7 feet per second, and if I wanted, I could pocket the sonsabitches and spend like hell - before the recipient even activated their new card. We sent those out, too.
Can our banking system really be that insecure? I open an account based on a supposedly unique ID number, hand them a photo ID that doesn't even reference my SSN. Then, they give me another number - my account number - and tell me to keep it private. Three weeks later, I get my checks that ten minimum wage slaves have already gotten to see. Every check I hand out has my private account number printed at the bottom.
Most banks hold you responsible for any automated clearing house fraud, and yet, to authorize a transfer out, all that is needed are the numbers at the bottom of every personal check you write and the "assurance" from the receiving institution that you have "authorized the transfer".
When ya think about it, it's no wonder they charge you $2 to withdraw from an ATM, $3 to use a teller, and $35 for an overdraft - it's easier to roll the dice to get an account number than it is to roll the dice and win the lottery!
Checkfree? (Score:3, Informative)
My gas company offered the option of using Checkfree.
Had I opted in, it cost an additional 8$ to pay with my credit card, rather than sending in a personal check.
Instead I just use US Banks online Billpay option. Free, and cuts out the middle man.
Re: (Score:3, Informative)
If I'm not mistaken, US Bank uses Checkfree as the middle man!
Payment processing and aggregation isn't simple. (Who do you send the check to? How do you aggregate ACH transactions to save money versus mailing hundreds of paper checks? How do you get electronic versions of the bills from the creditor if requested by your customer?)
Many banks and bill pay providers use Checkfree because they take care of the details. You can
Use a better registrar (Score:4, Informative)
Domain registrars come in several tiers.
MarkMonitor is in the business of protecting "brands", so they have lawyers and technicians on staff to swing into action if somebody pulls something. If you have to ask how much they cost, you can't afford them.
Re: (Score:3, Informative)
I think GANDI [gandi.net] have a good model. Their ethic is that they pretty much sell at cost. The service is great. I am just a customer, I'm not affiliated to them in any way.
Network Solutions have a long history of slightly bizarre business practices. Just because they're more expensive, the ultimate product (an entry in a DB that points to your DNS servers) is ridiculously cheap when you have big volume and decent automation. MarkMonitor add value by protecting you, maybe they're good. NetSol add marketing glitz v
Wire transfer (Score:4, Interesting)
More secure pages... (Score:3, Informative)
Interestingly, a few months ago, my financial services company (Merrill Lynch) changed the way their online login works to make this attack very hard. They required me to select an image from a large catalog, and a phrase I made up to go with it. Now, when I log in, I am presented the image and the phrase. Since these images come from a huge catalog, and the phrase is entirely up to the user, the probability that a hijacked page would have the same information is very small. In effect, the site is presenting _me_ with a pasword, before I present it with a password. (Cue, on 3, In Soviet Russia, sites log onto you)
I think this makes these pages fairly secure against the various DNS and other redirect attacks people have come up with. Someone would have to get very deep access to the main server, to figure out the image everyone chose, to successfully hijack a site.
Re:More secure pages... (Score:4, Informative)
Someone figured that out, and some sites now register your IP address or a cookie and if it is different they ask you for your mother's maiden name or whatnot. Guess what? My IP address and cookies change all the time. So now I have my mother's maiden name and favorite movie flowing around everywhere, and malicious sites can simply pass these questions and answers on, then get to the serious business of forwarding the pictures, then get involved in the boring financial transactions.
Parent
Re:DNS Hijacking (Score:5, Interesting)
Funny thing is it's a step back for Network Solutions security. You USED to be able to set it up to require a RSA key for domain changes, back when everything was done via odd forms over email.
Parent
Re: (Score:3, Informative)
This is a feature I also miss. They had a PGP keyserver, and you uploaded your PGP public key you wanted associated with the account. Then, you filled out the funky form that you E-mailed in, signed it with the key, and sent it in.
I know this probably can't be done now, but instead, why not offer keyfobs similar to SecurID? PayPal, eBay, a number of banks, heck, even Blizzard offer this feature, so a compromised password isn't the end of the world.
People use hardware devices to make sure their SSL keys a
Re: (Score:3, Insightful)
You *do* realize that all of those banks allow an attacker to access your account without the keyfob, right? They just need to call the bank, impersonate you (often by simply using the password they keylogged in the first place) and claim they lost it (or just use the automated phone service at most banks, which accepts your password without the added key).
In this specific case, the vulnerability was just that the attacker had to upload his key in your name before you got around to it - but that was still
Re:DNS Hijacking (Score:5, Insightful)
This seems to be what happens when any business tries to implement any sort of account security. It has to be made so it can be easily bypassed, or you end up with customers mad at the company because they locked themselves or relatives/family out and the company wont allow them to simply go through on their word they are authorized. It's like they don't know how to see how it looks from the company's point of view.
Build a better lock, and they'll build a better idiot.
Parent
Re: (Score:3, Insightful)
"Nothing anywhere is completely safe. Everything you own is up for grabs at any point in time by anyone who wants it bad enough. Best course of action I can think of is to buy a gun."
What if what they want really badly is your gun? By your own admission, "Everything you own is up for grabs at any point in time by anyone who wants it bad enough." That would include the gun, seems like.
Re: (Score:2)
How's a gun going to help against some Ukrainian hijacking your DNS?
Re: (Score:2)
you young whippersnappers... back in my day we didn't have a uniform currency. we had to invent our own money using clam shells and animal scat. the rear end of an incontinent mammoth was our ATM machine.
oh, and we were happy to have it--up hill, both ways, in the snow, barefoot, with a full orchestra strapped to our backs, and Roman phalanxes chasing us the entire way while the orchestra played Wagner to goad them on.
Re: (Score:3, Interesting)
Mod the parent up. Seriously. So what if he is an Anonymous Coward. frick'in stupid moderators. :P
What is so wrong paying cash? For example, I have a AT&T dsl account that I'm "suppose" to have
a CC attached to it for payment. Wtf? Why should I have to go through these loopholes to pay my bill?
Do I have options to pay the account locally? Yes, I finally found that out. Automated payments are
evil, end of story. When has it became so evil to pay by cash? If I can't have a option to pay by
cash, without loo