
Online Billpay Provider Loses Control of Domains

timothy posted more than 5 years ago | from the sell-your-body-to-pay-the-bills dept.

Security 232

An anonymous reader writes "Several sites are running a story about a domain hijacking at Checkfree, the largest provider of online bill payment services to numerous banks and credit unions. According to Network Solutions, someone logged in to the domain administration page using Checkfree's account, and redirected its domains to a site in the Ukraine configured to serve up malware to unsuspecting users." Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.


232 comments


At least this time... (1)

Sorthum (123064) | more than 5 years ago | (#25999117)

...someone (apparently) didn't manage to socially engineer Network Solutions. That's happened at least a few times that I can recall...

Re:At least this time... (4, Funny)

Anonymous Coward | more than 5 years ago | (#25999197)

In Soviet Ukraine, engineers socialize you! (Oh god did I really just type that?)

Re:At least this time... (0, Offtopic)

Missing_dc (1074809) | more than 5 years ago | (#26000803)

This is probably the funniest in Russia style jokes I have seen here. Too bad you ACd it.

Epic Fail (4, Funny)

NotQuiteReal (608241) | more than 5 years ago | (#25999141)

CheckFree, what can I say? At least now my Nigerian account can be linked in and I will finally get my cut of the money that I fronted 1% for, to get it out of the country...

Re:Epic Fail (0)

Anonymous Coward | more than 5 years ago | (#25999231)

CheckFree, what can I say? At least now my Nigerian account can be linked in and I will finally get my cut of the money that I fronted 1% for, to get it out of the country...

The transfer is ready we just need an additional 1% as a service charge and we'll complete the transfer.

Summary's analysis doesn't make much sense. (2)

JoshuaZ (1134087) | more than 5 years ago | (#25999151)

The OP says "Things like this make me nervous about switching to otherwise-tempting online bill payment." Nothing here had to do with the site being for online bill paying. This could happen for any trusted website, even Slashdot.

Re:Summary's analysis doesn't make much sense. (3, Insightful)

Onymous Coward (97719) | more than 5 years ago | (#25999209)

If there were a Slashdot feature to transfer money out of your bank account...

Re:Summary's analysis doesn't make much sense. (3, Interesting)

beckerist (985855) | more than 5 years ago | (#25999229)

It's not hard to set up a page that looks exactly like the front page of anything. cfhttp does it for you (if you are for CF.) At the very least, a site could be hijacked, a cfhttp to the IP of the server could easily be set up, and the forms could be hijacked to steal your password. Slashdot isn't probably the most likely target, but I'm sure there are plenty of people here whose /. password is their email (or [insert any service here] password.)

Re:Summary's analysis doesn't make much sense. (5, Informative)

Tablizer (95088) | more than 5 years ago | (#25999351)

If there were a Slashdot feature to transfer money out of your bank account...

The /. HTML was hijacked, and odd jumpy misaligned CSS was put up instead ;-)
       

Re:Summary's analysis doesn't make much sense. (5, Funny)

zoefff (61970) | more than 5 years ago | (#26000155)

If there were a Slashdot feature to transfer money out of your bank account...

It's called 'subscription'

Re:Summary's analysis doesn't make much sense. (1)

Compuser84 (1032400) | more than 5 years ago | (#26000629)

+1

Re:Summary's analysis doesn't make much sense. (1)

M. Baranczak (726671) | more than 5 years ago | (#25999651)

This could happen for any trusted website, even Slashdot.

Slashdot is a trusted website?

Re:Summary's analysis doesn't make much sense. (2, Funny)

lgw (121541) | more than 5 years ago | (#25999987)

Slashdot is my trusted supplier of Goatse and GNAA trolling!

Checks are dangerous too? Better avoid money xfer (4, Funny)

noidentity (188756) | more than 5 years ago | (#25999163)

Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

Obviously, the only safe solution is to not pay... what, that has problems too?!?

DNS Hijacking (1)

tarunbk (1051880) | more than 5 years ago | (#25999165)

Who needs DNS hijacking if domain registrar accounts can be hacked... maybe RSA keys and biometrics to access registrars?

Re:DNS Hijacking (4, Interesting)

Tyger (126248) | more than 5 years ago | (#25999203)

Funny thing is it's a step back for Network Solutions security. You USED to be able to set it up to require an RSA key for domain changes, back when everything was done via odd forms over email.

Re:DNS Hijacking (2, Informative)

mlts (1038732) | more than 5 years ago | (#25999667)

This is a feature I also miss. They had a PGP keyserver, and you uploaded your PGP public key you wanted associated with the account. Then, you filled out the funky form that you E-mailed in, signed it with the key, and sent it in.

I know this probably can't be done now, but instead, why not offer keyfobs similar to SecurID? PayPal, eBay, a number of banks, heck, even Blizzard offer this feature, so a compromised password isn't the end of the world.

People use hardware devices to make sure their SSL keys aren't compromised; why not have that functionality guarding an element that arguably is just as important in the security chain?

Re:DNS Hijacking (2, Insightful)

lgw (121541) | more than 5 years ago | (#26000011)

You *do* realize that all of those banks allow an attacker to access your account without the keyfob, right? They just need to call the bank, impersonate you (often by simply using the password they keylogged in the first place) and claim they lost it (or just use the automated phone service at most banks, which accepts your password without the added key).

In this specific case, the vulnerability was just that the attacker had to upload his key in your name before you got around to it - but that was still better than nothing!

Re:DNS Hijacking (4, Insightful)

SeaFox (739806) | more than 5 years ago | (#26001127)

You *do* realize that all of those banks allow an attacker to access your account without the keyfob, right? They just need to call the bank, impersonate you (often by simply using the password they keylogged in the first place) and claim they lost it (or just use the automated phone service at most banks, which accepts your password without the added key).

This seems to be what happens when any business tries to implement any sort of account security. It has to be made so it can be easily bypassed, or you end up with customers mad at the company because they locked themselves or relatives/family out and the company won't allow them to simply go through on their word they are authorized. It's like they don't know how to see how it looks from the company's point of view.

Build a better lock, and they'll build a better idiot.

Re:DNS Hijacking (1)

logjon (1411219) | more than 5 years ago | (#25999219)

Nothing anywhere is completely safe. Everything you own is up for grabs at any point in time by anyone who wants it bad enough. Best course of action I can think of is to buy a gun. /me immediately navigates to gunbroker

Re:DNS Hijacking (2, Insightful)

JSBiff (87824) | more than 5 years ago | (#25999633)

"Nothing anywhere is completely safe. Everything you own is up for grabs at any point in time by anyone who wants it bad enough. Best course of action I can think of is to buy a gun."

What if what they want really badly is your gun? By your own admission, "Everything you own is up for grabs at any point in time by anyone who wants it bad enough." That would include the gun, seems like.

Re:DNS Hijacking (1)

M. Baranczak (726671) | more than 5 years ago | (#25999683)

How's a gun going to help against some Ukrainian hijacking your DNS?

Re:DNS Hijacking (1)

logjon (1411219) | more than 5 years ago | (#25999991)

"What if what they want really badly is your gun? By your own admission, "Everything you own is up for grabs at any point in time by anyone who wants it bad enough." That would include the gun, seems like."

It's a hell of a lot riskier to try to take my gun than it is to snatch my credit card over the internet. Try it if you don't believe me.

"How's a gun going to help against some Ukrainian hijacking your DNS?"

I don't recall saying it would.

Re:DNS Hijacking (1)

Onymous Coward (97719) | more than 5 years ago | (#25999233)

We don't yet have details on how the perps got the account credentials.

Welcome to Network Solutions, please log in.
username: hostmaster@checkfree.com
password: nochecks1

As a customer.... (5, Interesting)

Anonymous Coward | more than 5 years ago | (#25999167)

My company uses Checkfree and Checkfree handled this very poorly. Apparently this happened on Monday and they never notified us. We were notified when one of our own customers notified us and pointed out the suspicious activity. We had to call Checkfree to get the details. It was caused by their own ineptitude in managing their passwords and accounts.

Posting anonymously so I don't get sued.

Re:As a customer.... (1)

SpaceLifeForm (228190) | more than 5 years ago | (#25999751)

Odds are that someone there accessed netsol from a machine infected with a keylogger.

It was therefore likely caused by their own ineptitude in using a windows machine for administration.

Re:As a customer.... (1)

larry bagina (561269) | more than 5 years ago | (#25999923)

Or linux and firefox [slashdot.org].

Re:As a customer.... (1)

Psychotria (953670) | more than 5 years ago | (#25999823)

I work at UMass Amherst and I'm trying to get this implemented

What would you get sued for? Stating a fact? Surely the US has not gone that crazy (although, I agree, from the news reports and stuff people in the US sue at the drop of a penny).

Re:As a customer.... (1)

Psychotria (953670) | more than 5 years ago | (#25999833)

LOL. It seems my ctrl-c did not work and the quote was from another article. Ooops. Sue me.

Re:As a customer.... (0)

Anonymous Coward | more than 5 years ago | (#25999879)

Make them pay. I sincerely hope your company will switch to another company.

Re:As a customer.... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26000107)

As another "customer" (CheckFree is the backend for our billpay vendor), I can confirm that they handled this incredibly poorly.

Their notifications to us were vague and delayed. They were full of technical inaccuracies. One email referred to the "DNS routing tables". Another said that customers without "Adobe installed" wouldn't be affected. (Adobe ____?)

We were given misleading information about the nature of the malware, and calls seeking more information were never returned. Apparently there was an Adobe PDF vulnerability that was exploited, but they never clearly explained the process clearly.

And best of all, they never mentioned HOW this happened in the first place... Now it's obvious that they have something to hide.

Makes me want to take an incident response class from SANS.

Benefits of Paper Checks (5, Interesting)

ShaunC (203807) | more than 5 years ago | (#25999215)

Things like this make me nervous about switching to otherwise-tempting online bill payment, but checks are dangerous, too.

I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills. Once a month or so I'll bring the stack into the office and take care of it during downtime, and folks look at me like I'm transmitting morse code over a telegraph. I do bank online, but I don't do online bill pay.

One reason I still cling to checks is that they allow me to be the final arbiter and gatekeeper of my money, and I have better fiscal responsibility when I'm directly involved in disbursement. Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck. If you elect not to use online bill pay, you have to actually look at your credit card statements each month, instead of just setting up a $200 monthly ACH and ignoring the current total.

I'm afraid that if I set everything up to be paid automatically, I'd very quickly wake up to discover that my checking account is overdrawn because I wasn't paying enough attention. Writing checks and licking envelopes is my way of keeping tabs on what's going out the door each month. The potential security benefits don't hurt, as anyone screwing around with mailed bills faces the wrath of the United States Postal Inspection Service. Unlike most online fraud, fucking with the mails will actually get you in trouble, and USPIS doesn't blow you off if you haven't suffered hundreds of thousands of dollars in losses.

I do miss the one benefit that physical checks had up until a couple of years ago, the float. Check21 pretty much ruined that, but maybe it was for the better. Come to think of it, I haven't overdrafted since Check21.

Long live the check, just stay away from my routing numbers.

Re:Benefits of Paper Checks (3, Insightful)

mrchaotica (681592) | more than 5 years ago | (#25999341)

You know, you can pay online without making it automatic.

Re:Benefits of Paper Checks (2, Interesting)

spoco2 (322835) | more than 5 years ago | (#25999401)

That was my thought too... it's a 'throw the baby out with the bathwater' thing.

Firstly, as an Australian I am CONSTANTLY amazed at the US's continued reliance on cheques (yes, that's how the rest of the world spells it). When I lived there for a while in 2001 I was amazed that I couldn't pay the majority of my bills online at all, even if I wanted to. The time consuming, paper wasting, overly complex and error prone thing of handling all those cheques is just insane.

I pay all my bills electronically via the BPay system [bpay.com.au] in Australia, there's virtually nothing you can't pay this way.

I DO have automatic payments for some things, but only those that are a constant amount each month (internet for example)... everything else is manually handled, but jumping onto internet banking and putting in the figures is a WHOLE lot faster and less resource intensive than making out X cheques, putting them in envelopes and mailing them all.

Pure madness.

Aging brain dead old Re:Benefits of Paper Checks (3, Interesting)

mrmeval (662166) | more than 5 years ago | (#25999705)

The current bill payers in America are getting old.

The credit card companies have a stranglehold on paying by any form of credit card.

Paypal is evil.

There is no nationally accepted payment system where someone or both do not get gouged some fee. Checks are one of the few ways both parties can avoid some of the fees though I've heard that banks are starting to jack up the cost of processing them.

Our banks do not cater to customers, they are hidebound and greedy. They won't do anything unless they can screw their customers or the government for money.

When the banks finally get less incompetent they might be able to pry online payments and credit cards away from the major credit card companies. It won't happen soon because of the long term incestuous symbiotic relationship they have.

Re:Aging brain dead old Re:Benefits of Paper Check (3, Informative)

cgenman (325138) | more than 5 years ago | (#25999859)

Bank of America allows you to pay online via systems that accept it, and mail checks to those who don't. Strangely enough, most of the people I pay bills to here in Massachusetts accept digital billpay through whatever system they use. But even paper checks are automatic and free.

BofA is a bunch of greedy bastards, yet they found a way to make it worthwhile and simple. It's slowly filtering over to America.

It's like Cellphones: Companies don't feel like they can change one territory in the US at a time... they have to go all or nothing. So we get systems 10 years after the rest of the world has piecemeal brought themselves into it. Otherwise nationwide rollouts are untenable.

Re:Aging brain dead old Re:Benefits of Paper Check (1)

Achromatic1978 (916097) | more than 5 years ago | (#26000103)

US Bank will not allow you to pay a credit card from any account other than the checking account "linked" to that account, which means we have to write ourselves a check from our bank account to ourselves at US Bank, drive over, deposit it, wait three days (because they're also notoriously stingy on releasing funds on check deposits, despite the fact that of some 100+ checks deposited in our account over five years, not one has been returned), and then schedule the transfer.

Also having moved recently from Australia, I am amazed at the ass-backwardness of some things like that. I'm fairly sure too, that it's far more likely to be collusion, passive or otherwise, the number of things you can't pay with a credit card.

I'm also of the belief that there's a reason it takes so many steps to schedule a payment on most online accounts. You know, "Make Payment", "Select Amount", "Confirm" (hell, one of mine had a "Verify" after "Confirm"?!?) that I'm sure is largely designed to make you think you've confirmed your payment, and well, shit, what do you know, you didn't confirm it "enough", late fee and default APR for you, pal!

Or Toyota / Lexus Financial site... change from a recurring payment to one-times. If you can do that without being double charged at least once, I congratulate you. (For nowhere in the book is it written that the recurring option generates a scheduled payment several days out, and when you cancel recurring payments, if the scheduled payment is made, it'll not be canceled - note that I'm not talking about a payment in the "in process" sense, I'm talking about "calendar entry generated to make ACH transaction in 7 days time" scheduling). When changing jobs and pay schedules, we got burnt by this one twice before we realized what had happened (and don't even start me on how TFS actually tried to convince me it was in my best interest to just take the hit of the double lease payment and 'be ahead next month').

(rant over)

Re:Aging brain dead old Re:Benefits of Paper Check (1)

MoeDrippins (769977) | more than 5 years ago | (#26001211)

And guess who BofA's ebill pay provider is.

Re:Aging brain dead old Re:Benefits of Paper Check (1)

Kijori (897770) | more than 5 years ago | (#26001385)

The credit card companies have a stranglehold on paying by any form of credit card.

Well, yeah. Kinda like how the car companies have a "stranglehold" on car production.

It just goes to show how uncompetitive America is - you can only buy things from people that sell them.

Re:Benefits of Paper Checks (1)

Architect_sasyr (938685) | more than 5 years ago | (#25999835)

Complete non sequitur to the argument, anyone with spare mod points feel free to overrate me.

Did anyone notice that the major telcos changed their BPay numbers AND client reference numbers recently? Or are they just trying to fuck me over? The whole BPay system works, but if I wasn't an anal retentive bastard I wouldn't have noticed and just relied on the numbers stored in my bank's details for the payments.

Re:Benefits of Paper Checks (1, Informative)

Anonymous Coward | more than 5 years ago | (#26000447)

As a European I too am amazed that an allegedly technological and advanced society that the USA is purported to be still is stuck in the 1870s when it comes to banking. Here in the UK the direct debit system works without grief. You set up the direct debit between your bank and whoever and the money flows automatically. Whoever you are paying can't change the amount without telling you first and giving you a chance to stop the debit and if there is a mistake THE BANK has to make good your account and chase who they paid in error. Because the bank loses when things go wrong they're bloody quick at getting things sorted.

I haven't paid regular bills (electricity, phone, mortgage etc.) by cheque (correct spelling) since 1994 and in that time I've had 2 direct debits go wrong. Each time the bank had got the incorrect payments back to my account before the close of trading the day the error was made. I have complete confidence in the system and it just works.

The more I read about the USA the more it appears that apart from a bit of glitz around New York and LA, the whole place is like some backward 3rd world country populated by peasants in SUVs demanding that their way is right and everyone else is out of step. Not only have your banks royally fucked up the entire world's economic systems but it seems that their service to their customers hasn't advanced much beyond the days when Jesse James and his comrades rode into town on horseback and held them up.

How the fuck the USA rose to its position of world preeminence is truly fucking mind-boggling.

A. Bullwinkle, Esq.

Re:Benefits of Paper Checks (3, Interesting)

blueZ3 (744446) | more than 5 years ago | (#25999435)

Just what I was thinking...

My wife and I (she's the math major and very detail oriented) pay bills online, manually. I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender) or putting numbers into a field on a form.

I also can't imagine anyone not reconciling their bank and credit card statements against their records each month. We keep a detailed budget that shows every transaction (credit, checking or cash) and we reconcile the bank and credit card statements against it each month. As frequently as banks screw up, it just makes sense.

Of course, our money is in a credit union, not a big national bank, so I like to think we get better service when we do have an issue. It's certainly much better than other big banks where we've had accounts *cough-citibank-*cough and had terrible service.

Re:Benefits of Paper Checks (1)

Psychotria (953670) | more than 5 years ago | (#25999881)

I don't like "automatic" because it's easy to set up, but difficult to stop. I'm not sure I see any big difference between writing "1000" on a slip of paper (which is not legal tender)

What are you talking about? Of course it's legal tender. If you don't think it's legal then feel free to send me a check for $22000 so I can buy a new graphics card. Thanks.

Re:Benefits of Paper Checks (1)

ais523 (1172701) | more than 5 years ago | (#26000461)

Legal tender [wikipedia.org] does not mean what you think it is. Legal tender is money that has to be accepted to settle a debt; if you're in debt and you pay in legal tender, that settles it even if the person you were in debt to wanted payment via some other method. There are plenty of things which are valuable despite not being legal tender; checks are an obvious example. (If you're in debt, the person you're in debt to can insist you pay in cash or other legal tender rather than check, if they want to; they can't insist you pay by check rather than by cash.)

Re:Benefits of Paper Checks (1)

MoeDrippins (769977) | more than 5 years ago | (#26001217)

How exactly is it "difficult to stop"? From a UI perspective, or from an "I'm addicted" perspective?

If the latter, then the problem isn't with the service.

Re:Benefits of Paper Checks (1)

ShaunC (203807) | more than 5 years ago | (#25999441)

You know, you can pay online without making it automatic.

You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online. With postfix and spamassassin, email occasionally gets misflagged, misfoldered, or otherwise misrouted. Forgetting that a certain bill is due, or not receiving the email notice for some reason, is IMO even worse than having an automatic payment set up. The physical paper bill is just as much a part of my fiscal responsibility process as is the physical paper check.

An odd aside. My utility company, Memphis Light Gas & Water [mlgw.com], allows customers to register online to view their current statement. I did this once after I received an erroneous Cut-Off notice [shaunc.com]. Now, every month, their online billing system sends me two emails:

a) "Your MLGW Bill is Ready" ... then, two weeks later, after they've already cashed my check...

b) "Your MLGW Bill is Overdue!"

Their system assumes that if you're signed up to receive your statement online, then you must also be paying online. The online system doesn't talk to the offline system. So if you're set up to receive e-statements, but you pay by check via mail, the online system never registers a payment and will email a late notice every freaking month.

It's clunky, and doesn't do much to inspire my confidence in online bill-pay.

You're paying from the wrong source (1)

SuperKendall (25149) | more than 5 years ago | (#25999903)

You raise an excellent point. However, they (typically) stop sending paper bills in favor of email notices once you start paying them online.

Why would "they" do that if you do not use "them" for payments? How do they know or care where payments come from if you do not set up with them?

Get a bank that allows you as many free online payments as you would like, and just pay from your account - just like a real check, only online. They either send a real check or pay electronically, depending on what the payer accepts - but I have NEVER had a payer alter my bills from paper to electronic no matter how my bank payment goes out.

Again, ditch the paper checks and envelopes but continue paying the same way - manually, from your own account, each month. The bonus is less risk of mail interception and duplication of your check...

Re:Benefits of Paper Checks (1)

Mateorabi (108522) | more than 5 years ago | (#25999917)

They are a utility. They could give a rat's ass what your confidence in their online bill-pay is. What are you going to do, switch water companies? But yes, there is nothing like a stapled and filed stack of paper statements from all utilities/CC/mortgage when Apr 15th rolls around. So I'm in the stoneage too and like it.

Tax ramifications (4, Insightful)

daemonenwind (178848) | more than 5 years ago | (#25999465)

Each time I physically write out a check, there's a bit of mental bookkeeping that takes place. You can't sit down and write "One thousand one hundred ninety-eight and 32/100" without pausing for a moment to think, holy shit, that's X% of my paycheck.

This is exactly why people should have to pay income tax instead of having it automatically deducted.

If everyone actually had to write that fat check out, they might begin to care about elections and the state of the world.

Re:Tax ramifications (1, Funny)

Anonymous Coward | more than 5 years ago | (#25999515)

Might help if everyone had to pay their health insurance and other employment benefits too. Oh, and also, for sex.

Re:Tax ramifications (1)

janrinok (846318) | more than 5 years ago | (#25999561)

What's this 'sex' thing that you are talking about?

Re:Tax ramifications (0)

Anonymous Coward | more than 5 years ago | (#25999673)

Well, it all goes back to Adam and Eve and the Garden of Eden, which is in the fertile crescent somewhere, and also a song from the 70s. What it all boils down to, is that we are all descendants of inbred hippies.

Re:Tax ramifications (1)

ion.simon.c (1183967) | more than 5 years ago | (#26000129)

Heh.
If everyone knew about the additional cut that the Feds are getting from your employer's payroll funds...

Re:Benefits of Paper Checks (1)

Vegeta99 (219501) | more than 5 years ago | (#25999831)

Yeah, fuck Check21.

I still gotta wait 5 days for an out of state check to clear, but the damn check I wrote a business 3 states away clears overnight? Fuck, not cool.

Re:Benefits of Paper Checks (2, Informative)

jmccue (834797) | more than 5 years ago | (#26000881)

I'm one of those holdouts who still use paper checks, envelopes, and stamps to pay my bills

FWIW, in the US you get federal protection when using the Post Office / first class mail. Not sure what (if any) legal protection you get using the WEB for paying bills.

Jack

Some more details... (4, Informative)

Darth Muffin (781947) | more than 5 years ago | (#25999273)

My wife works for a CU, and has been giving me details on this all day. I guess the cat's out of the bag now and I can say something :) Your financial institution is not to blame, but in my wife's case they're offering to help clean up infected users' computers.

Anyhow, what I know is that the malware is new and still being analyzed -- they're not fully sure what it's for yet (capturing accounts, spamming, botnet, or probably all of the above). For now they are recommending that people update their virus scanners and Acrobat Reader. They must suspect Acrobat as an infection vector somehow.

Single point of failure (1)

JSBiff (87824) | more than 5 years ago | (#25999575)

It seems to me that part of the problem is that too many websites that service too many customers are all using a *single* payment service. Hijack that one payment service, and you can potentially hit 10's of millions of customers.

I don't see why giant national banks, and even mid-size regional banks, can create their *own* online payment services. Heck, they might even be able to generate new streams of revenue for themselves, instead of giving all that revenue to Checkfree. If nothing else, it helps to limit the scope of damage from one provider getting compromised.

For small banks and CUs, I could see that they might not have the resources to create their own online payment service, but if the larger banks were creating more online payment services, maybe there'd at least be a little more diversity in the systems being used by the small banks.

Re:Single point of failure (2, Informative)

F'Nok (226987) | more than 5 years ago | (#25999909)

Here in Australia the BPay system is ubiquitous.

Every online banking system I've used has a 'pay bills' function, that lets you plug in the BPay details (biller, account code) and pay the bill that way.

As it's a standard approach, you can pay your bills from any bank.
As it's using your actual online banking, it's not a single target.

BPay is wonderful, the US really needs an equivalent.

Clickjacking (1)

tarunbk (1051880) | more than 5 years ago | (#25999281)

Wondering about how the attackers got the credentials... Clickjacking, rootkits or something? Technically you cannot get a password using clickjacking, but maybe something like email the password whatever...

Re:Clickjacking (0)

Anonymous Coward | more than 5 years ago | (#25999377)

Probably an insider or outsourced technical person with more access than they should have had. Post it notes and text files full of logins and passwords are still depressingly common.

The memories (1)

Tablizer (95088) | more than 5 years ago | (#25999339)

I used Checkfree's service back in the early 90's via DOS & dialup for personal online bill paying. People gave me an odd look whenever I mentioned it. "You do what?"

Re:The memories (1)

sunset (182117) | more than 5 years ago | (#26000225)

Same here. But I dropped them fast when they refused to let me send alimony payments through their service. I thought it very unprofessional of them... just imagine a bank having arbitrary restrictions like that.

Don't be stupid... (3, Informative)

NoKaOi (1415755) | more than 5 years ago | (#25999399)

For US Bank anyway, when I tried to go to my bill pay when this was going on my browser gave a nice message that the SSL cert was self signed and issued to localhost.localdomain. Any modern browser makes it pretty clear that something bad is happening in this case, although I'm sure there's still plenty of ignorant users willing to click through.

True, my financial institution (US Bank) may or may not be to blame, HOWEVER, you'd think it wouldn't take a bank a full day to let users know or take away the bill pay link or something along those lines. When I saw the invalid certificate, I still needed to cancel an automatic payment so I decided to contact my bank. Their response was basically, "we take security very seriously, please make sure you're using a compatible browser, move along now, nothing here to see." It wasn't until at least a day later that they notified users when logging in that bill pay was down. I wonder how many users clicked through during that one day period, which could have easily been prevented by a faster response?
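The two conditions behind the browser warning described in the comment above, as an added example that is not part of the original post: a certificate whose issuer equals its subject, and a certificate whose names do not cover the host being visited. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the host name `billpay.bank.example` and both sample certificates are constructed for illustration.

```python
# Added example. Sample data is constructed; the dict layout follows
# ssl.SSLSocket.getpeercert() from the Python standard library.

HOST = "billpay.bank.example"  # hypothetical bill-pay host name

# Constructed: what the redirected site presented, per the comment above.
HIJACKED = {
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
}

# Constructed: a CA-issued certificate that names the host.
GOOD = {
    "subject": ((("commonName", "billpay.bank.example"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "billpay.bank.example"),),
}


def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole first label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        # "*.bank.example" covers exactly one extra label, never two.
        return h.count(".") == p.count(".") and h.split(".", 1)[1] == p[2:]
    return False


def assess_cert(cert, host):
    """Return the reasons a client should refuse this certificate for host."""
    findings = []
    subject = cert.get("subject")
    if subject and cert.get("issuer") == subject:
        findings.append("self-issued: issuer equals subject, no CA vouches for it")
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        findings.append(f"name mismatch: certificate is for {names}, not {host}")
    return findings


if __name__ == "__main__":
    for label, cert in (("hijacked", HIJACKED), ("good", GOOD)):
        print(label, assess_cert(cert, HOST) or "ok")
```

Redirecting the domain changes where the name resolves, but not who holds a CA-issued certificate for it, which is why both findings fire for the redirected site.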

Don't be stupid...Most users are. (2, Interesting)

Mateorabi (108522) | more than 5 years ago | (#25999967)

At least they pay security lip service. My mother was having trouble enabling online Suntrust banking from her OS X machine months back (we tried three browser types, all failed differently.) The Suntrust rep on the phone actually made the suggestion that my mother go to a public library with a Windows machine since it would work there*. It's at this point I went from annoyed to extremely cross and chewed the person out. I wonder how many other customers without Windows PCs and tech-savvy children were following this advice.

*For some reason the software lets you manage your account fine from a Mac, but won't let you do the first time setup.

Re:Don't be stupid... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26001055)

From what I understand of events, if you were getting that message then YOUR bank did not know. CheckFree did not notify anyone, even banks, until well after the domain was recovered and the Ukrainian IP was down.

RE: Checks are dangerous too! (0)

Anonymous Coward | more than 5 years ago | (#25999405)

Back in my day... we used.. C A S H... and we were happy to have it... up hill, both ways, in the snow, with an accordion strapped to our backs, with the clasp broken, so the wolves and bears knew each step we made by the sound of the HRHAHhhaa h Hrrhahhaaa the accordion would make...

Re: Checks are dangerous too! (0)

Anonymous Coward | more than 5 years ago | (#25999585)

What is this C A S H of which you speak? In my day, we used pigs and chickens, both ways, in the snow, with an accordion, in every sense of the word "use". And they liked it.

Re: Checks are dangerous too! (1)

lysergic.acid (845423) | more than 5 years ago | (#25999771)

you young whippersnappers... back in my day we didn't have a uniform currency. we had to invent our own money using clam shells and animal scat. the rear end of an incontinent mammoth was our ATM machine.

oh, and we were happy to have it--up hill, both ways, in the snow, barefoot, with a full orchestra strapped to our backs, and Roman phalanxes chasing us the entire way while the orchestra played Wagner to goad them on.

Re: Checks are dangerous too! (1)

Iamthecheese (1264298) | more than 5 years ago | (#26000039)

You had shells and animal scat? You lads don't know how easy you had it. Giovanni Gabrieli paid me in dried moss and sea-weed, which is how you paid for things in the old times. Up the sacrificial pyramid both ways singing In Ecclesiis lest the Scutellosaurus get you, the little knee-biters.

Re: Checks are dangerous too! (2, Interesting)

Vskye (9079) | more than 5 years ago | (#26000195)

Mod the parent up. Seriously. So what if he is an Anonymous Coward. frick'in stupid moderators. :P

What is so wrong paying cash? For example, I have an AT&T dsl account that I'm "supposed" to have a CC attached to it for payment. Wtf? Why should I have to go through these loopholes to pay my bill?

Do I have options to pay the account locally? Yes, I finally found that out. Automated payments are evil, end of story. When has it become so evil to pay by cash? If I can't have an option to pay by cash, without loopholes then said companies need to be sued, period. Oh, and I'm billed a month ahead of my usage. Nice.....

Not a banking issue (2, Interesting)

drew30319 (828970) | more than 5 years ago | (#25999449)

This isn't an online banking issue, this is an issue of domain-stealing. The fact that it's banking-related is immaterial. If the domains stolen were instead several newspaper domains we wouldn't call into question the credibility of the news (at least not more than we do now).

I've been involved w/ online/PC banking for 15 years or so and can tell you it's been a huge time + postage savings for me. I have no idea what the cost of a stamp is because the only reason I'd ever need them is for bills. Give it a shot w/ just one bill for a month or two.

That said, CheckFree is fairly notorious for their poor service and it's not surprising to me if they turn out to be at blame here. Especially disturbing is the apparently slapshod response.

Re:Not a banking issue (2, Insightful)

iteyoidar (972700) | more than 5 years ago | (#25999593)

I feel like domain security should be a much larger concern for banks than it probably is for newspapers.

Re:Not a banking issue (0)

Anonymous Coward | more than 5 years ago | (#26000809)

slapshod response

The word is "slipshod" [google.com], not "slapshod".

HTH. HAND.

oh the irony... (2, Funny)

timmarhy (659436) | more than 5 years ago | (#25999463)

... clearing something was a little TOO "check free". maybe they should change their name to "Checkalittlemore"

Erg.. (0)

Anonymous Coward | more than 5 years ago | (#25999511)

AND he prob'ly sued the jar company...

i 3 usa (5, Informative)

Vegeta99 (219501) | more than 5 years ago | (#25999801)

When I was 16, I discovered that with a ruler, an exacto knife, and some elmer's glue you could make up your own checks. They also had "MAC Check" machines that would scan a check - even from a non-customer - and cash them.

When I was 19, I worked in a junk mail plant that at times printed the 25% interest rate personal checks that credit card companies send out to new cardholders. All night we would watch "CONGRATULATIONS ON YOUR NEW $100,000 CREDIT LIMIT!" with 6 checks attached go whizzing by at 5MPH. When that roll of checks breaks, printed-but-junk checks dump on the floor, 7 feet per second, and if I wanted, I could pocket the sonsabitches and spend like hell - before the recipient even activated their new card. We sent those out, too.

Can our banking system really be that insecure? I open an account based on a supposedly unique ID number, hand them a photo ID that doesn't even reference my SSN. Then, they give me another number - my account number - and tell me to keep it private. Three weeks later, I get my checks that ten minimum wage slaves have already gotten to see. Every check I hand out has my private account number printed at the bottom.

Most banks hold you responsible for any automated clearing house fraud, and yet, to authorize a transfer out, all that is needed are the numbers at the bottom of every personal check you write and the "assurance" from the receiving institution that you have "authorized the transfer".

When ya think about it, it's no wonder they charge you $2 to withdraw from an ATM, $3 to use a teller, and $35 for an overdraft - it's easier to roll the dice to get an account number than it is to roll the dice and win the lottery!

Re:i 3 usa (2, Informative)

Dahan (130247) | more than 5 years ago | (#25999915)

Most banks hold you responsible for any automated clearing house fraud

Hmm, I was under the impression that NACHA [nacha.org] says that consumers have 60 days to challenge an unauthorized ACH debit. Bank of America certainly didn't hassle me at all when I reported four counterfeit checks totalling about $1400 drawn from my account (two were processed the old-fashioned way, two were converted to ACH debits). They credited me the two paper checks immediately. For the ACH conversions, I had to send in an affidavit saying the debits were unauthorized, and they credited me about a week later.

Checkfree? (2, Informative)

Beowulf_Boy (239340) | more than 5 years ago | (#25999887)

My gas company offered the option of using Checkfree.
Had I opted in, it cost an additional 8$ to pay with my credit card, rather than sending in a personal check.

Instead I just use US Bank's online Billpay option. Free, and cuts out the middle man.

Re:Checkfree? (2, Informative)

oasisbob (460665) | more than 5 years ago | (#26000135)

Instead I just use US Bank's online Billpay option. Free, and cuts out the middle man.

If I'm not mistaken, US Bank uses Checkfree as the middle man!

Payment processing and aggregation isn't simple. (Who do you send the check to? How do you aggregate ACH transactions to save money versus mailing hundreds of paper checks? How do you get electronic versions of the bills from the creditor if requested by your customer?)

Many banks and bill pay providers use Checkfree because they take care of the details. You can code up a website that lets your account holder say "give $80 to Comcast", and it just does.

Re:Checkfree? (1)

MoeDrippins (769977) | more than 5 years ago | (#26001227)

I think that's your gas company's charge, not checkfree's.

Use a better registrar (3, Informative)

Animats (122034) | more than 5 years ago | (#25999951)

Domain registrars come in several tiers.

  • Enom and its many other identities - use only for bulk junk domains
  • GoDaddy - low-end service; use for unimportant blogs.
  • Network Solutions - use for general business domains (ibm.com)
  • MarkMonitor - use for high value domains (gm.com, ubs.com)

MarkMonitor is in the business of protecting "brands", so they have lawyers and technicians on staff to swing into action if somebody pulls something. If you have to ask how much they cost, you can't afford them.

Re:Use a better registrar (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26000831)

Really? Why do you rate Enom below GoDaddy? I'm too light a user to have any real experience personally. I've heard gripes about NetSol and GoDaddy on places like Slashdot, but not much about Enom. What is their problem?

Re:Use a better registrar (2, Informative)

fruey (563914) | more than 5 years ago | (#26001053)

I think GANDI [gandi.net] have a good model. Their ethic is that they pretty much sell at cost. The service is great. I am just a customer, I'm not affiliated to them in any way.

Network Solutions have a long history of slightly bizarre business practices. Just because they're more expensive, the ultimate product (an entry in a DB that points to your DNS servers) is ridiculously cheap when you have big volume and decent automation. MarkMonitor add value by protecting you, maybe they're good. NetSol add marketing glitz value, but nothing good IMHO.

Wire transfer (3, Interesting)

tmk (712144) | more than 5 years ago | (#26000927)

Why don't Americans use wire transfer more often? In Europe it is a fast and relatively safe method.

Re:Wire transfer (2, Informative)

Anonymous Coward | more than 5 years ago | (#26001253)

Have you looked at all the people rationalizing their use of paper checks in the comments? That's one reason (or rather a symptom of the same reason).

Truly, the US is way behind a lot of the rest of the world in payments. We're getting there (I work in the payment industry), and banks and other FIs are adopting more payment strategies over time, but we as a country are perhaps too(?) conservative on these things.

Too, we don't (yet?) have only 3-5 gigundus "country banks" in the country like a lot do, nor huge quasi-gov't entities governing and aggregating payments like Brazil's CIP or Australia's B-Pay.

This makes adoption harder since it's harder to get critical mass with a slew of smaller entities that need to "buy-in". Chicken and egg, that.

So, the US will have person to person wire payments, but it will be awhile, and come in discrete, fragmented steps.

Checks here are not accepted anymore (2, Interesting)

TheDarkMaster (1292526) | more than 5 years ago | (#26001263)

In my country, in practice checks - electronic or real ones - are not accepted anymore. Too many frauds.

More secure pages... (2, Informative)

Mendenhall (32321) | more than 5 years ago | (#26001389)

Interestingly, a few months ago, my financial services company (Merrill Lynch) changed the way their online login works to make this attack very hard. They required me to select an image from a large catalog, and a phrase I made up to go with it. Now, when I log in, I am presented the image and the phrase. Since these images come from a huge catalog, and the phrase is entirely up to the user, the probability that a hijacked page would have the same information is very small. In effect, the site is presenting _me_ with a password, before I present it with a password. (Cue, on 3, In Soviet Russia, sites log onto you)

I think this makes these pages fairly secure against the various DNS and other redirect attacks people have come up with. Someone would have to get very deep access to the main server, to figure out the image everyone chose, to successfully hijack a site.
