Wednesday, January 7, 2009

CheckFree Warns 5 Million Customers After Hack

I received a couple emails in the last few weeks from CheckFree customers that had read my postings about the Fiserv DNS hack. One such email, whose name I'll leave out to respect his privacy, expressed concern that there was more to this than CheckFree was letting on. He wrote...

..."It is my belief that there was more to this hack that checkfree is 'fessing up too (I am writing you because you alluded to how much worse the attack could have been in your blog post). When I spoke with the checkfree folks, they assured me the only thing that would have happened was I would have been redirected to a blank screen. If the process was different, I would have noticed. Do you have any suggestions as to how I might find others who may have had the experience I had?"

To which I responded:

"First, sorry to hear about your experience with CheckFree. Second, thanks for following the PIN Debit Blog. Unfortunately, I am not aware of any methods to identify other victims of the recent CheckFree hack.

I do agree, (with you) that there is probably more than meets the eye,in terms of the fallout of the hack. Some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password. I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

If I hear of anything that might be of help to you, I certainly forward it. In the meantime, your best bet is to work directly with CheckFree. My understanding is that some malware may have been uploaded to your PC, so stay alert and keep an eye on your personal accounts..

Now it seems that he was right about them not totally "fessing up" because today, CheckFree warned 5 million customers to be on alert.

Here's the story from Robert McMillan from ComputerWorld.

CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine.

The Dec. 2 attack was widely publicized shortly after it occurred, but in a notice filed with the New Hampshire Attorney General, CheckFree disclosed that it was warning many more customers than previously thought.

That's because CheckFree is not only notifying users of its own Web site of the breach, it is also working with banks to contact people who tried to pay bills from banks that use the CheckFree bill payment service.

"The 5 million people who were notified about the CheckFree redirection were a combination of two groups," said Melanie Tolley, vice president of communications at CheckFree's parent company, Fiserv Inc., in a statement. "1.) those who we were able to identify who had attempted to pay bills from our client's bill pay sites and minus those who actually completed sessions on our site, and 2.) anyone enrolled in"

Tolley wouldn't say what banks were affected by the hack... (continue reading at ComputerWorld)

Reblog this post [with Zemanta]

Got Hacked? Bank on It

In December, I posted twice about Fiserv's CheckFree Hack whereby their  domain name was "webjacked."  (see: CheckFree Not Hackfree and/or CheckFree Not Hackfree 2) 

So, for the third time (but only the first time this year) I'm covering an article written about domain name webjacking...this time from USBanker.

I'm sorry to report  that it doesn't look like this will be the last time this year, for lack of an official word,  I'll be talking about webjacking .  Some observers say they've seen signs that  these webjack attacks will become almost as common as a Gulf of Aden pirate attack.

When I wrote in the first post, "Imagine how exponentially more "effective" the "webjacking" would have been if unsuspecting users were "redirected" to what looked to be CheckFree's site vs. a blank page, I was hinting at the fact that it was most likely, only a test.   

After all, why would someone go through the hassle of bringing  CheckFree users to a blank page when they could have brought them to an exact replica of CheckFree's log-in site?   That's probably the easiest part to create in the whole scheme.   I'm purely speculating here, but maybe they were simply running a test  which gave them insight as to how they could take full advantage of  the "httbs" in the "https."  (prior to "researchers" having "let the cat outta the bag" in Berlin last week. 

I mean, who's to say that these "White Hats" (as they are also known) are always beating the "Black Hats" to the starting gate?   What if the opposite is true? Maybe these Black Hat guy's are light years, well maybe not light years, but dark years ahead of us?

One thing I am sure of...I'm sure there's a lot more "Max Vision's" out there than we are led to believe. Keep in mind, that the Max Vision's of the world are working at cracking code "full-time."  They're  hackers, not slackers.  On the flip side of the equation, most "White Hats" are hobbyists  (they used Playstation 3's for chrissakes :)    go to MIT (see: Sorry Charlie, You've Been Hacked) while others have full-time jobs, (for instance, those very same MIT students who were then hired by the MBTA as a reward for hacking into their system)...see related stories, below for more.

Black Hats not only work "full-time"  on hacking...and subsequently wreaking havoc on financial institutions/account holders but there's a bigger picture, beyond just the hack itself.  Where do you think a good portion of the money goes?  Suffice it to say, that unlike the Chicago White Sox mantra, good guys don't wear black.

That said, let's see what we're up against here...

There's unsafe web browsers  there's: webjacking, phishing, whaling, wardriving, malware, keylogging, screen capturing, skimming, pharming, spyware, botnets, worms, viruses, DoS attacks, packet-sniffers...(you starting to get the picture?)  So what is an online shopper to do?

I once again state, the best way to purchase via the internet is with your own personal card swiping device.  It could even be used to log on to your online bank.  Just swipe and enter your PIN.  

Hey...maybe the banks, whom are already at huge risk...could mitigate some of that very same risk, and at the same time, keep their customers from getting burnt.  I have a toast.  Here's to a campaign similar to the one they ran back in the 50's and 60's, only this time...they give away our personal swiping devices.   Otherwise, if this continues,  which it will, they're toast...

Sorry, kinda got off on a tangent's more on "when hackers take control of a bank domain  name" with more instances to follow...I'm sure of it...(said the same thing about skimming last year) 

From American Banker publication, usbanker:

Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.

The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.

The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.

"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."

Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.

Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.

A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."

Reblog this post [with Zemanta]

Disqus for ePayment News