Saturday, December 06, 2008

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying -- my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

1 comment:

Kristin said...

I sure hope it isn't a trend...I just finally got an email/notice about the issue today from Checkfree, frustrating it took so long as they say it happened on Dec 2nd in their email. I'm online all the time so if they'd informed sooner I definitely would have known.