Online Billpay Provider Loses Control of Domains

An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

Re:Summary's analysis doesn't make much sense.

[Onymous Coward]

If there were a Slashdot feature to transfer money out of your bank account...

Re:Benefits of Paper Checks

[mrchaotica]

You know, you can pay online without making it automatic.

Tax ramifications

[daemonenwind]

Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck.

This is exactly why people should have to pay income tax instead of having it automatically deducted.

If everyone actually had to write that fat check out, they might begin to care about elections and the state of the world.

Re:Not a banking issue

[iteyoidar]

I feel like domain security should be a much larger concern for banks than it probably is for newspapers.

Re:DNS Hijacking

[JSBiff]

"Nothing anywhere is completely safe. Everything you own is up for grabs at any point in time by anyone who wants it bad enough. Best course of action I can think of is to buy a gun."

What if what they want really badly is your gun? By your own admission, "Everything you own is up for grabs at any point in time by anyone who wants it bad enough." That would include the gun, seems like.

Re:DNS Hijacking

[lgw]

You *do* realize that all of those banks allow an attacker to access your account without the keyfob, right? They just need to call the bank, impersonate you (often by simply using the password they keylogged in the first place) and claim they lost it (or just use the automated phone service at most banks, which accepts your password without the added key).

In this specific case, the vulnerability was just that the attacker had to upload his key in your name before you got around to it - but that was still better than nothing!

Re:DNS Hijacking

[SeaFox]

You *do* realize that all of those banks allow an attacker to access your account without the keyfob, right? They just need to call the bank, impersonate you (often by simply using the password they keylogged in the first place) and claim they lost it (or just use the automated phone service at most banks, which accepts your password without the added key).

This seems to be what happens when any business tries to implement any sort of account security. It has to be made so it can be easily bypassed, or you end up with customers mad at the company because they locked themselves or relatives/family out and the company wont allow them to simply go through on their word they are authorized. It's like they don't know how to see how it looks from the company's point of view.

Build a better lock, and they'll build a better idiot.

Re:As a customer....

[Eil]

My company uses Checkfree and Checkfree handled this very poorly. Apparently this happened on Monday and they never notified us. We where notified when one of our own customers notified us and and pointed out the suspicious activity. We had to call Checkfree to get the details. It was caused by their own ineptitude in managing their passwords and accounts.

I'm sorry, maybe Checkfree handled it poorly, but they're not the ones ultimately to blame here I think. Look at every high-profile domain hijacking that's happened in the last year or two and you'll notice a common element: Network Solutions. Now in this instance, someone actually got a hold of Checkfree's username and password, but in many previous cases NetSol was directly responsible for handing over their customers' account information to malicious attackers with practically zero questions asked.

If I were a big business that depended on the security of important online assets, I'd be running away from NetSol at this point to some registrar that required more than a single username and password in order to cause millions upon millions of dollars worth of damage and irreparable reputational harm.

I wonder what it's going to take for NetSol to wise up and take notice of the fact that their inept security policies are damaging not only their own business but the business of their customers. Not to mention the scores innocent users who get tricked into submitting their private and/or financial information to fraudsters as a result.

Re:Use a better registrar

[Anonymous Coward]

Sorry, your list contains Network Solutions. Therefore, you lose all credibility. Perhaps someone else could offer a list without those bozos?

Thanks.