Forgot your password?
typodupeerror
Security The Internet

Online Billpay Provider Loses Control of Domains 232

Posted by timothy
from the sell-your-body-to-pay-the-bills dept.
An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.
This discussion has been archived. No new comments can be posted.

Online Billpay Provider Loses Control of Domains

Comments Filter:
  • ...someone (apparently) didn't manage to socially engineer Network Solutions. That's happened at least a few times that I can recall...

  • Epic Fail (Score:5, Funny)

    by NotQuiteReal (608241) on Friday December 05, 2008 @12:59AM (#25999141) Journal
    CheckFree, what can I say? At least now my Nigerian account can be linked in and I will finally get my cut of the money that I fronted 1% for, to get it out of the country...
  • The OP says "Things like thismake me nervous about switching to otherwise-tempting online bill payment." Nothing here had to do with the site being for online bill paying. This could happen for any trusted website, even Slashdot.
    • Re: (Score:3, Insightful)

      by Onymous Coward (97719)

      If there were a Slashdot feature to transfer money out of your bank account...

      • by beckerist (985855) on Friday December 05, 2008 @01:18AM (#25999229) Homepage
        It's not hard to set up a page that looks exactly like the front page of anything. cfhttp does it for you (if you are for CF.) At the very least, a site could be hijacked, a cfhttp to the IP of the server could easily be set up, and the forms could be hijacked to steal your password. Slashdot isn't probably the most likely target, but I'm sure there are plenty of people here who's /. password is their email (or [insert any service here] password.)
      • by Tablizer (95088) on Friday December 05, 2008 @01:37AM (#25999351) Homepage Journal

        If there were a Slashdot feature to transfer money out of your bank account...

        The /. HTML was hijacked, and odd jumpy misaligned CSS was put up instead ;-)
               

      • by zoefff (61970) on Friday December 05, 2008 @04:22AM (#26000155)

        If there were a Slashdot feature to transfer money out of your bank account...

        It's called 'subscription'

      • If someone hijacked slashdot's domain, they could use it to transfer money out of your account by using cross-site request forgery (CSRF).

      • I think GP made the mistake of reading TFA:

        "CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware."

        As GP says, this can happen at any hijacked site, financial-oriented or not.

        But yes, one can imagine redirecting to a copycat site and stealing someone's financial info. Frighteningly, I use Checkfree for one utility bill, because for that utility, it is the only way to pay the bill other than by check a

      • by mea37 (1201159)

        Why would that matter?

        The attackers routed checkfree.com to a blank page. This wasn't a phishing attack. They didn't replicate checkfree's site and try to get you to send money or give them your checkfree password. They showed you a blank page, and you would say "what the heck? Where's checkfree?"

        But while you were saying "Where's checkfree", your computer was being infected with malware, which would intercept your usernames/passwords. Maybe to checkfree, or maybe to some unrelated site.

        Why is that mod

    • This could happen for any trusted website, even Slashdot.

      Slashdot is a trusted website?

      • Re: (Score:3, Funny)

        by lgw (121541)

        Slashdot is my trusted supplier of Goatse and GNAA trolling!

  • by noidentity (188756) on Friday December 05, 2008 @01:05AM (#25999163)

    Things like thismake me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

    Obviously, the only safe solution is to not pay... what, that has problems too?!?

  • As a customer.... (Score:5, Interesting)

    by Anonymous Coward on Friday December 05, 2008 @01:05AM (#25999167)
    My company uses Checkfree and Checkfree handled this very poorly. Apparently this happened on Monday and they never notified us. We where notified when one of our own customers notified us and and pointed out the suspicious activity. We had to call Checkfree to get the details. It was caused by their own ineptitude in managing their passwords and accounts.

    Posting anonymously so I don't get sued.

    • Odds are that someone there accessed netsol from an
      machine infected with a keylogger.

      It was therefore likely caused by their own ineptitude
      in using a windows machine for administration.

    • I work at UMass Amherst and I'm trying to get this implemented

      What would you get sued for? Stating a fact? Surely the US has not gone that crazy (although, I agree, from the news reports and stuff people in the US sue at the drop of a penny).

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      As another "customer" (CheckFree is the backend for our billpay vendor), I can confirm that they handled this incredibly poorly.

      Their notifications to us were vague and delayed. They were full of technical inaccuracies. One email referred to the "DNS routing tables". Another said that customers without "Adobe installed" wouldn't be affected. (Adobe ____?)

      We were given misleading information about the nature of the malware, and calls seeking more information were never returned. Apparently there was an Adobe

    • Not that I blame you for posting anonymously, but truth [wikipedia.org] is the best defense against defamation.

    • Re: (Score:3, Insightful)

      by Eil (82413)

      My company uses Checkfree and Checkfree handled this very poorly. Apparently this happened on Monday and they never notified us. We where notified when one of our own customers notified us and and pointed out the suspicious activity. We had to call Checkfree to get the details. It was caused by their own ineptitude in managing their passwords and accounts.

      I'm sorry, maybe Checkfree handled it poorly, but they're not the ones ultimately to blame here I think. Look at every high-profile domain hijacking that'

  • by ShaunC (203807) on Friday December 05, 2008 @01:15AM (#25999215)

    Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

    I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills. Once a month or so I'll bring the stack into the office and take care of it during downtime, and folks look at me like I'm transmitting morse code over a telegraph. I do bank online, but I don't do online bill pay.

    One reason I still cling to checks is that they allow me to be the final arbiter and gatekeeper of my money, and I have better fiscal responsibility when I'm directly involved in disbursement. Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck. If you elect not to use online bill pay, you have to actually look at your credit card statements each month, instead of just setting up a $200 monthly ACH and ignoring the current total.

    I'm afraid that if I set everything up to be paid automatically, I'd very quickly wake up to discover that my checking account is overdrawn because I wasn't paying enough attention. Writing checks and licking envelopes is my way of keeping tabs on what's going out the door each month. The potential security benefits don't hurt, as anyone screwing around with mailed bills faces the wrath of the United States Postal Inspection Service. Unlike most online fraud, fucking with the mails will actually get you in trouble, and USPIS doesn't blow you off if you haven't suffered hundreds of thousands of dollars in losses.

    I do miss the one benefit that physical checks had up until a couple of years ago, the float. Check21 pretty much ruined that, but maybe it was for the better. Come to think of it, I haven't overdrafted since Check21.

    Long live the check, just stay away from my routing numbers.

    • by mrchaotica (681592) * on Friday December 05, 2008 @01:35AM (#25999341)

      You know, you can pay online without making it automatic.

      • Re: (Score:3, Interesting)

        by spoco2 (322835)

        That was my thought too... it's a 'throw the baby out with the bathwater' thing.

        Firstly, as an Australian I am CONSTANTLY amazed at the US's continued reliance on cheques (yes, that's how the rest of the world spells it). When I lived there for a while in 2001 I was amazed that I couldn't pay the majority of my bills online at all, even if I wanted to. The time consuming, paper wasting, overly complex and error prone thing of handling all those cheques is just insane.

        I pay all my bills electronically via th

        • The current bill payers in America are getting old.

          The credit card companies have a stranglehold on paying by any form of credit card.

          Paypal is evil.

          There is no nationally accepted payment system where someone or both do not get gouged some fee. Checks are one of the few ways both parties can avoid some of the fees though I've heard that banks are starting to jack up the cost of processing them.

          Our banks do not cater to customers, they are hind bound and greedy. They won't do anything unless they can screw their customers or the government for money.

          When the banks finally get less incompetent they might be able to pry online payments and credit cards away from the major credit card companies. It won't happen soon because of the long term incestuous symbiotic relationship they have.

          • by cgenman (325138) on Friday December 05, 2008 @03:16AM (#25999859) Homepage

            Bank of America allows you to pay online via systems that accept it, and mail checks to those who don't. Strangely enough, most of the people I pay bills to here in Massachusetts accept digital billpay through whatever system they use. But even paper checks are automatic and free.

            BofA is a bunch of greedy bastards, yet they found a way to make it worthwile and simple. It's slowly filtering over to America.

            It's like Cellphones: Companies don't feel like they can change one territory in the US at a time... they have to go all or nothing. So we get systems 10 years after the rest of the world has piecemeal brought themselves into it. Otherwise nationwide rollouts are untennable.

            • US Bank will not allow you to pay a credit card from any account other than the checking account "linked" to that account, which means we have to write ourselves a check from our bank account to ourselves at US Bank, drive over, deposit it, wait three days (because they're also notoriously stingy on releasing funds on check deposits, despite the fact that of some 100+ checks deposited in our account over five years, not one has been returned), and then schedule the transfer.

              Also having moved recently from

              • I pay my US Bank CC bill with automatic withdrawal from my WAMU/CHASE bank account. Not sure what state your in, maybe it's a local thing... or maybe it's only if you already have a US Bank checking account, I do not.

                • Actually, you might be on to something there - I have heard my wife and her mother theorizing on that possibility before, too.
          • by Kijori (897770)

            The credit card companies have a stranglehold on paying by any form of credit card.

            Well, yeah. Kinda like how the car companies have a "stranglehold" on car production.

            It just goes to show how uncompetitive America is - you can only buy things from people that sell them.

          • by jonbryce (703250)

            In Britain you can make a payment to pretty much any account, except for some savings accounts, by BACS, provided you know the sort code and account number. And pretty much any bank with an online banking service will let you do this online.

            You can make payments internationally using SWIFT if you have the IBAN number. Generally you can't do this online because most of the phising attacks come from other countries, and most people don't make international payments as a matter of course.

        • Complete non sequitor to the argument, anyone with spare mod points feel free to overrate me.

          Did anyone notice that the major telco's changed their BPay numbers AND client reference numbers recently? Or are they just trying to fuck me over. The whole BPay system works, but if I wasn't an anal retentive bastard I wouldn't have noticed and just relied on the numbers stored in my banks details for the payments.
      • by blueZ3 (744446) on Friday December 05, 2008 @01:52AM (#25999435) Homepage

        Just what I was thinking...

        My wife and I (she's the math major and very detail oriented) pay bills online, manually. I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender) or putting numbers into a field on a form.

        I also can't imagine anyone not reconciling their bank and credit card statements against their records each month. We keep a detailed budget that shows every transaction (credit, checking or cash) and we reconcile the bank and credit card statements against it each month. As frequently as banks screw up, it just makes sense.

        Of course, our money is in a credit union, not a big national bank, so I like to think we get better service when we do have an issue. It's certainly much better than other big banks where we've had accounts *cough-citibank-*cough and had terrible service.

        • I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender)

          What are you talking about? Of course it's legal tender. If you don't think it's legal then feel free to send me a check for $22000 so I can buy a new graphics card. Thanks.

          • by ais523 (1172701)
            Legal tender [wikipedia.org] does not mean what you think it is. Legal tender is money that has to be accepted to settle a debt; if you're in debt and you pay in legal tender, that settles it even if the person you were in debt to wanted payment via some other method. There are plenty of things which are valuable despite not being legal tender; checks are an obvious example. (If you're in debt, the person you're in debt to can insist you pay in cash or other legal tender rather than check, if they want to; they can't insis
            • Really, when I applied for my firearms permit I was told by the officer that my payment must be made in the form of money order or cashiers check. No cash would be accepted.

              I wonder if I could of sued them and made them take cash.

              • Really, when I applied for my firearms permit I was told by the officer that my payment must be made in the form of money order or cashiers check. No cash would be accepted.

                Some forms of legal tender can be refused in some jurisdictions if there was not a pre-existing debt obligation prior to the time of the transaction. That's why for example gas stations can legally refuse large denomination bills. If you had to pay at the time of the transaction then they probably were within their rights to restrict forms of payment. Annoying but probably legal.

        • by cparker15 (779546)

          I also can't imagine anyone not reconciling their bank and credit card statements against their records each month. We keep a detailed budget that shows every transaction (credit, checking or cash) and we reconcile the bank and credit card statements against it each month. As frequently as banks screw up, it just makes sense.

          There are quite a few stores and restaurants in Boston that give you a hard time concerning your receipt. At the McDonald's on Washington Street, for example, the employees crumple up and throw away your receipt instead of offering it to you. When you ask for your receipt, they give you dirty looks and print up another one. When asked why they don't just offer the receipts to their customers like any good business does, they avoid the question and ask the next person for their order. (I know, I know, I expe

      • by ShaunC (203807)

        You know, you can pay online without making it automatic.

        You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online. With postfix and spamassassin, email occasionally gets misflagged, misfoldered, or otherwise misrouted. Forgetting that a certain bill is due, or not receiving the email notice for some reason, is IMO even worse than having an automatic payment set up. The physical paper bill is just as much a part of my fiscal

        • You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online.

          Why would "they" do that if you do not use "them" for payments. How do they know or care where payments come from if you do not set up up with them?

          Get a bank that allows you as many free online payments as you would like, and just pay from your account - just like a real check, only online. They either send a real check or pay electronically, depending on what they

          • Actually, about a month ago I would have thought this, too. I use mycheckfree (got a little shock at first when the article said checkfree) to pay several utilities. They don't take credit cards, and I wanted to rack up cashback by putting the utility on the card (which I always pay on time).

            So I went to the utility's website and clicked to sign up to their own payment system. They give me a screen saying something like "We see you're already signed up with another bill paying service to pay our bill. C

        • by Blkdeath (530393)

          You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online. With postfix and spamassassin, email occasionally gets misflagged, misfoldered, or otherwise misrouted. Forgetting that a certain bill is due, or not receiving the email notice for some reason, is IMO even worse than having an automatic payment set up. The physical paper bill is just as much a part of my fiscal responsibility process as is the physical paper check.

          Question; you know a bill is going to arrive every month, typically on the same day each month. You further know that you must pay said bill every month, typically the same amount at the same time. Why is it excusable to neglect to pay said bill not only once, but perchance to make a habit of not doing so?

          In more than a decade of managing my finances I've managed to miss exactly two monthly payments. One was a miscommunication with the person with whom I shared the loan who believed I was supposed to be m

    • Tax ramifications (Score:5, Insightful)

      by daemonenwind (178848) on Friday December 05, 2008 @01:57AM (#25999465)

      Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck.

      This is exactly why people should have to pay income tax instead of having it automatically deducted.

      If everyone actually had to write that fat check out, they might begin to care about elections and the state of the world.

      • Heh.
        If everyone knew about the additional cut that the Feds are getting from your employer's payroll funds...

        • by fractalus (322043)

          Anyone who's self-employed finds out about that cut, usually sometime before April 15, when they fill out their taxes and discover how much they're screwed over.

    • by Vegeta99 (219501)

      Yeah, fuck Check21.

      I still gotta wait 5 days for an out of state check to clear, but the damn check I wrote a business 3 states away clears overnight? Fuck, not cool.

    • Re: (Score:2, Informative)

      by jmccue (834797)

      I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills

      FWIW, in the US you get federal protection when using the Post Office / first class mail. Not use what (if any) legal protection you get using the WEB for paying bills Jack

    • by jonbryce (703250)

      I pay my bills manually for the same reason that you do, but I do pay some of them online by BACS rather than post a cheque because there is less chance of the payment going missing or being delayed.

      I live in England, so some of the terms used are a bit different to what you have in your posting.

    • by eison (56778)

      I had a guy walk into my bank and turn over a check with my account number on it (and nothing at all like my signature) and I lost five hundred bucks and couldn't sort out a way to convince them that it wasn't my signature so give me my darned money back. I ended up losing the money. I probably could have fought more, but you have no idea how miserable and frustrating this was - as far as the bank was concerned, they had a signed check so they turned over cash so it was done.
      As near as I can tell, there i

    • I pay mine through my banks online bill paying service; no automatic debits (except for the mortgage), I can sit down and figure out what needs to be spent where at what time.

      I'm with you regarding letting people pull money out of my bank account without my knowledge, but you can still do away with the stamps.

    • by Blkdeath (530393)

      I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills. Once a month or so I'll bring the stack into the office and take care of it during downtime, and folks look at me like I'm transmitting morse code over a telegraph. I do bank online, but I don't do online bill pay.

      Ugh! A stack of bills alone is enough to make me cringe in horror. I used to do that until I realized I'd collected an enormous 4" thick sheaf of stapled statements that required a physical filing system and manual parsing. Now I have everything organized chronologically going back several years in a sub-folder off my home directory which is backed up weekly.

      Now every two weeks, on pay day, I sit at my computer, download all available PDF statements and update my budget spreadsheet with my cheque amount a

    • by IronChef (164482)

      You could get the best of both worlds by using online bill pay services but not setting up _automatic_ payments. That's what I do. The system tells me when a bill comes in, and then I log in and pay it by typing in a number and choosing a date to send it. (I have only one bill that comes to my house any more.)

      Some of the payments are sent electronically. Some are sent by check. It depends on the bill. Comcast takes electronic funds transfers. My gardener doesn't.

      That way I am in touch with every cent that l

  • Some more details... (Score:5, Informative)

    by Darth Muffin (781947) on Friday December 05, 2008 @01:22AM (#25999273) Homepage
    My wife works for a CU, and has been giving me details on this all day. I guess the cats out of the bag now and I can say something :) Your financial institution is not to blame, but in my wife's case they're offering to help clean up infected user's computers.

    Anyhow, what I know is that the malware is new and still being analyzed -- they're not fully sure what it's for yet (capturing accounts, spamming, botnet, or probably all of the above). For now they are recommending that people udate their virus scanners and Acrobat Reader. They must suspect Acrobat as an infection vector somehow.

    • It seems to me that part of the problem is that too many websites that service too many customers are all using a *single* payment service. Hijack that one payment service, and you can potentially hit 10's of millions of customers.

      I don't see why giant national banks, and even mid-size regional banks, can create their *own* online payment services. Heck, they might even be able to generate new streams of revenue for themselves, instead of giving all that revenue to Checkfree. If nothing else, it helps to li

      • Re: (Score:2, Informative)

        by F'Nok (226987) *

        Here in Australia the BPay system is ubiquitous.

        Every online banking system I've used has a 'pay bills' function, that lets you plug in the BPay details (biller, account code) and pay the bill that way.

        As it's a standard approach, you can pay your bills from any bank.
        As it's using your actual online banking, it's not a single target.

        BPay is wonderful, the US really needs an equivalent.

  • Don't be stupid... (Score:3, Informative)

    by NoKaOi (1415755) on Friday December 05, 2008 @01:47AM (#25999399)
    For US Bank anyway, when I tried to go to my bill pay when this was going on my browser gave a nice message that the SSL cert was self signed and issued to localhost.localdomain. Any modern browser makes is pretty clear that something bad is happening in this case, although I'm sure there's still plenty of ignorant users willing to click through.

    True, my financial institution (US Bank) may or may not be to blame, HOWEVER, you'd think it wouldn't take a bank a full day to let users know or take away the bill pay link or something along those lines. When I saw the invalid certificate, I still needed to cancel an automatic payment so I decided to contact my bank. Their response was basically, "we take security very seriously, please make sure you're using a compatible browser, move along now, nothing here to see." It wasn't until at least a day later that they notified users when logging in that bill pay was down. I wonder how many users clicked through during that one day period, which could have easily been prevented by a faster response?
    • At least they pay security lip service. My mother was having trouble enabling online Suntrust banking from her OS X machine months back (we tried three browser types, all failed differently.) The Suntrust rep on the phone actualy made the suggestion that my mother go to a public library with a Windows machine since it would work there*. It's at this point I went from anoyed to extremely cross and chewed the person out. I wonder how many other customers with out Windows PCs and tech-savy children were fo
  • Not a banking issue (Score:2, Interesting)

    by drew30319 (828970)
    This isn't an online banking issue, this is an issue of domain-stealing. The fact that it's banking-related is immaterial. If the domains stolen were instead several newspaper domains we wouldn't call into question the credibility of the news (at least not more than we do now).

    I've been involved w/ online/PC banking for 15 years or so and can tell you it's been a huge time + postage savings for me. I have no idea what the cost of a stamp is because the only reason I'd ever need them is for bills. Give
    • Re: (Score:2, Insightful)

      by iteyoidar (972700)
      I feel like domain security should be a much larger concern for banks than it probably is for newspapers.
  • ... clearing something was a little TOO "check free". maybe they should change their name to "Checkalittlemore"
  • i 3 usa (Score:5, Informative)

    by Vegeta99 (219501) <rjlynn@[ ]il.com ['gma' in gap]> on Friday December 05, 2008 @03:05AM (#25999801)

    When I was 16, I discovered that with a ruler, an exacto knife, and some elmer's glue you could make up your own checks. They also had "MAC Check" machines that would scan a check - even from a non-customer - and cash them.

    When I was 19, I worked in a junk mail plant that at times printed the 25% interest rate personal checks that credit card companies send out to new cardholders. All night we would watch "CONGRATULATIONS ON YOUR NEW $100,000 CREDIT LIMIT!" with 6 checks attached go whizzing by at 5MPH. When that roll of checks breaks, printed-but-junk checks dump on the floor, 7 feet per second, and if I wanted, I could pocket the sonsabitches and spend like hell - before the recipient even activated their new card. We sent those out, too.

    Can our banking system really be that insecure? I open an account based on a supposedly unique ID number, hand them a photo ID that doesn't even reference my SSN. Then, they give me another number - my account number - and tell me to keep it private. Three weeks later, I get my checks that ten minimum wage slaves have already gotten to see. Every check I hand out has my private account number printed at the bottom.

    Most banks hold you responsible for any automated clearing house fraud, and yet, to authorize a transfer out, all that is needed are the numbers at the bottom of every personal check you write and the "assurance" from the receiving institution that you have "authorized the transfer".

    When ya think about it, it's no wonder they charge you $2 to withdraw from an ATM, $3 to use a teller, and $35 for an overdraft - it's easier to roll the dice to get an account number than it is to roll the dice and win the lottery!

    • Re: (Score:2, Informative)

      by Dahan (130247)

      Most banks hold you responsible for any automated clearing house fraud

      Hmm, I was under the impression that NACHA [nacha.org] says that consumers have 60 days to challenge an unauthorized ACH debit. Bank of America certainly didn't hassle me at all when I reported four counterfeit checks totalling about $1400 drawn from my account (two were processed the old-fashioned way, two were converted to ACH debits). They credited me the two paper checks immediately. For the ACH conversions, I had to send in an affidavit saying the debits were unauthorized, and they credited me about a week later.

  • Checkfree? (Score:3, Informative)

    by Beowulf_Boy (239340) on Friday December 05, 2008 @03:22AM (#25999887)

    My gas company offered the option of using Checkfree.
    Had I opted in, it cost an additional 8$ to pay with my credit card, rather than sending in a personal check.

    Instead I just use US Banks online Billpay option. Free, and cuts out the middle man.

    • Re: (Score:3, Informative)

      by oasisbob (460665)

      Instead I just use US Banks online Billpay option. Free, and cuts out the middle man.

      If I'm not mistaken, US Bank uses Checkfree as the middle man!

      Payment processing and aggregation isn't simple. (Who do you send the check to? How do you aggregate ACH transactions to save money versus mailing hundreds of paper checks? How do you get electronic versions of the bills from the creditor if requested by your customer?)

      Many banks and bill pay providers use Checkfree because they take care of the details. You can

    • by tompaulco (629533)
      My local electric company does that, too. It's called a "convenience fee" for automatic monthly billing. In other words, for the convenience of them knowing that the amount will be drawn out automatically on a set date with no effort on their part, they charge you a fee. Deathstogoodforem.
      Our local DMV has an extra charge if you use credit cards instead of cash or check. Someone should read their CC processing agreement aloud to them so that they will realize that they are in violation.
  • by Animats (122034) on Friday December 05, 2008 @03:34AM (#25999951) Homepage

    Domain registrars come in several tiers.

    • Enom and its many other identities - use only for bulk junk domains
    • GoDaddy - low-end service; use for unimportant blogs.
    • Network Solutions - use for general business domains (ibm.com)
    • MarkMionitor - use for high value domains (gm.com, ubs.com)

    MarkMonitor is in the business of protecting "brands", so they have lawyers and technicians on staff to swing into action if somebody pulls something. If you have to ask how much they cost, you can't afford them.

    • Re: (Score:3, Informative)

      by fruey (563914)

      I think GANDI [gandi.net] have a good model. Their ethic is that they pretty much sell at cost. The service is great. I am just a customer, I'm not affiliated to them in any way.

      Network Solutions have a long history of slightly bizarre business practices. Just because they're more expensive, the ultimate product (an entry in a DB that points to your DNS servers) is ridiculously cheap when you have big volume and decent automation. MarkMonitor add value by protecting you, maybe they're good. NetSol add marketing glitz v

  • Wire transfer (Score:4, Interesting)

    by tmk (712144) on Friday December 05, 2008 @06:50AM (#26000927)
    Why don't Americans use wire transfer more often? In Europe it is a fast and relatively safe method.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Have you looked at all the people rationalizing their use of paper checks in the comments? That's one reason (or rather a symptom of the same reason).

      Truly, the US is way behind a lot of the rest of the world in payments. We're getting there (I work in the payment industry), and banks and other FIs are adopting more payment strategies over time, but we as a country are perhaps too(?) conservative on these things.

      Too, we don't (yet?) have only 3-5 gigundus "country banks" in the country like a lot do, nor

    • by jvkjvk (102057)

      The fees for wire transfers out of your accounts generally range from $20 to $30 per transaction.

      Perhaps that's the reason?

    • Why don't Americans use wire transfer more often? In Europe it is a fast and relatively safe method.

      Lots of reasons.

      1. It's what people know how to use (don't dismiss the importance of that)
      2. The infrastructure is in place for checks and not as much for direct debit - this is however steadily changing
      3. Millions of people in the US do not have bank accounts and checks are still useful if you don't have a counter party financial institution
      4. Checks mostly work just fine despite their problems and there is little compelling need for a switch for most people.
      5. Direct debit IS available and widely used, but it's going t
      • The US is bigger than any single European country and like getting the entire EU on a single system, getting the US to change a working (if imperfect) financial system doesn't happen overnight.

        Actually Europe does have a single system for bank transfers (IBAN [wikipedia.org]). It's even been adopted by other countries outside Europe (Turkey, Saudi Arabia, Israel, Mauritius etc.)

        "The IBAN was originally developed to facilitate payments within the European Union but the format is flexible enough to be applied globally. Custo

  • On my country, in pratice checks - electronic or real ones - is not accepted anymore. Too many frauds
  • More secure pages... (Score:3, Informative)

    by Mendenhall (32321) on Friday December 05, 2008 @08:23AM (#26001389)

    Interestingly, a few months ago, my financial services company (Merrill Lynch) changed the way their online login works to make this attack very hard. They required me to select an image from a large catalog, and a phrase I made up to go with it. Now, when I log in, I am presented the image and the phrase. Since these images come from a huge catalog, and the phrase is entirely up to the user, the probability that a hijacked page would have the same information is very small. In effect, the site is presenting _me_ with a pasword, before I present it with a password. (Cue, on 3, In Soviet Russia, sites log onto you)

    I think this makes these pages fairly secure against the various DNS and other redirect attacks people have come up with. Someone would have to get very deep access to the main server, to figure out the image everyone chose, to successfully hijack a site.

    • by PetriBORG (518266)

      That sounds like the OpenId system honestly, kind of funny - I'm sure of course that it isn't using that at all, but the idea seems similar.

      Considering how many times this always needs to be implemented on so many sites, I wonder how there isn't an OpenSSL, OpenSSh, equivalent library for web-login stuff of a drop in that is that is insanely secure... I guess the whole mess of PHP, JSP, and other bloody scripting frame works is really the problem? And the interaction with the insane user databases that c

    • by LunaticTippy (872397) on Friday December 05, 2008 @12:33PM (#26003879)
      This scheme does nothing. Let's pretend you are, through whatever means, on a malicious copy of your Merrill Lynch site. Merril1-Lynch.com just logs in to merill-lynch.com and hands everything back and forth. They give your real site your username. The real site gives a picture. They give you the picture. Etc. Nothing is gained. It is security theater.

      Someone figured that out, and some sites now register your IP address or a cookie and if it is different they ask you for your mother's maiden name or whatnot. Guess what? My IP address and cookies change all the time. So now I have my mother's maiden name and favorite movie flowing around everywhere, and malicious sites can simply pass these questions and answers on, then get to the serious business of forwarding the pictures, then get involved in the boring financial transactions.
  • There certainly are major differences between the US and Europe in terms of banking. I have never even heard of a "bill paying" service before, when I want to pay my bills I log on to my bank.

    In fact I don't actually receive invoices in the mail any longer, they're all automatically available in my bank regardless of what bank I use or who sent the invoice. And I don't mean PDFs in the email either, I'm one click away from paying/scheduling the bill.

    It's probably another case of Americans getting screwed by

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...