In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.
I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.
In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.
In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.
Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.
Article comments
1 - User
CheckFree is paid by thousands of banks, credit unions, and portals to operate their "Bill Payment" operations. That's where they make their money, not from consumers.
2 - bliffle
Most of the hacking exploits have been primitive, like this one: "The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site..."
Most exploits have been performed by tinkering neophytes, too.
But now, with all manner of high-level and experienced software professionals being laid-off and fired there is a great danger of really sophisticated exploits that are difficult to detect and nearly impossible to stop.
Compound that with the difficulty of getting police agencies interested in exploits that a person may find and you can predict utter chaos in the financial community.
Society may collapse like the Tower of Babel.