December 7th, 2008

Security fail!

I've been using for years to pay my utility bills. So tonight, I get an email that purports to be from them informing me that if I had attempted to access online bill payment between 12:30 a.m. and 10:10 a.m. Eastern time on Tuesday, December 2, 2008 using Windows, their site may have redirected me to a site that might have infected me with malware which may have escaped detection by virus scanners. I use Opera and Chrome, not IE, so I'm probably safe, but I have no idea if I accessed the site during that time (I quickly log in and schedule payments when I get notification that bills have arrived, so I don't really remember when I used it), and they say they're working with McAfee to provide more information and assessment.

So, assuming this is legit, it's good of them to let customers know about the potential problem, though it would have been nice if they'd included a bit more detail on the malware in question. But they obviously have very little clue about how to handle this sort of thing.

The email they sent was mailed from, and the return address is Links in the mail go to That may be a legit bulk mailing company, but who knows?

They have a mechanism in place to deliver messages via the web site after you log in, so I check that; no copy of the message there, and no info on the site about the breach.

I go look up their customer service 888 number and call that; it's already closed for the night, and the message there says nothing about the problem.

There's an 877 number in the email I got, but the only Google hit for that is a copy of this very email, and the guy who answers it admits it was newly registered to deal with this problem. So, um, how do I know I'm talking to Checkfree?

The email did contain my name and the out-of-date address I have on file with them, but of course, if their site was actually hacked, that doesn't tell me anything - and that much is public record anyways.

So, it's great they sent out a timely message about their breach. But I got it on Saturday night, and it appears there's no authenticatable method of contacting them for further information until Monday.

Checkfree Corp obviously has no clue about security and social engineering. Unfortunately I'm not sure there are any better options, since most billpay sites end up using Checkfree on the back-end. Anyone have any suggestions for other sites that do bill presentment and payment for Duke Energy and AT&T that don't use Checkfree?

ETA: Here's an article about the breach. So it would seem a Checkfree employee fell prey to a phishing attack and leaked their password with Network Solutions for domain registration. And now they're sending out emails to customers that are indistinguishable from a phishing attack. That's some astounding incompetence.

Daily tweets

Yesterday's tweets:

  • 13:39 I hate it when sites exceed planned maintenance windows, but don't bother to update the outage page with new info. Bad bloglines, no cookie.
  • 18:05 After many months of searching finally found at Pope's True Value. Water filter now replaced, and water pressure restored.
  • 23:00 Enjoyed Jaap ter Linden's performance of the Bach Cello Suites 2,3&6 at the Nelson Music Room. Some of the most perfect music ever written.