CheckFree hack sets off alarm bells

The Washington Post's Security Fix blog has dug a little deeper into the attack on CheckFree's bill payment Website last week.

CheckFree has admitted that hackers had, for several hours, redirected visitors to its customer login page to a Web site in Ukraine that tried to install password-stealing software.

But the company has said little else about the attack and has yet to divulge any further details.

Security Fix cites an anonymous source involved in the investigation who suggests that up to 5000 users were directed to the bogus site during the attack.

More worryingly, both for CheckFree and the bank's that rely on its platforms, is the ease with which the assailants perpetrated the assault.

It appears that the Eastern European crime gang behind the scam obtained the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar.

We can speculate about how this happened - as a result of an inside job, a sophisticated phishing expedition, or a password-stealing Trojan on an infected employee computer.

Network Solution's, Checkfree's domain registrar, will not enter into discussions about the additional security measures in place to protect against such Web site hijackings.

Which raises the distinct possibility that all you need to take ownership of a legitimate, trusted and high-profile Web domain is a single set of user credentials.

As Gartner's Avivah Litan tells Security Fix: "If all that's protecting a bank's Web site is a user name and password, that's kind of like having a massive vulnerability in the core of the Internet. This could have been a lot worse, and if they can do it to CheckFree, they can do it to other banks."