CheckFree’s Hack Attack Has a Long Tail

For a five-hour period in December, customers accessing CheckFree’s electronic bill payment site instead found themselves unknowingly redirected to the worst neighborhood on the Internet—a bogus malware site manned by Ukrainian hackers. That’s the easy part to figure out. According to a notice recently filed by CheckFree parent Fiserv with the New Hampshire attorney general’s office, about 160,000 customers were exposed to the breach. Yet the firm and a number of its banking clients are alerting a whopping five million consumers to possible exposure.

The reason for that 4.84 million-customer gap between estimated and potential exposure is the inability to determine the actual identities of customers redirected to the Ukraine by hackers, requiring the additional notification of clients of banks that outsource their bill payments to CheckFree. CheckFree would not return a request for comment, but the firm’s notification describes the conditions of possible user exposure and instructs customers that may have been affected to reach out to a contact center. The firm is also deploying software from McAfee to identify and remove malware and is offering two years of free credit monitoring.

In a prepared statement to the media, Fiserv said it warned people who attempted to pay bills during the Dec. 2 hijacking minus customers who actually completed sessions on CheckFree’s site. It also warned customers enrolled in mycheckfree.com. “There’s a lot of interdependencies between banks and CheckFree. So it’s not straightforward to figure out who got affected. It requires a lot of forensics,” says Avivah Litan, a vp and Distinguished Analyst, Gartner. Fiserv didn’t release the names of banks that were exposed, but said the majority of the 5 million warned customers were CheckFree’s own users. The payment company has about 42 million total customers and processes payment for about half of the banks in the U.S.

Despite the size of the warning, Fiserv thinks the number of people actually infected will wind up being relatively small, since a victim would have to be a PC user without antivirus software using an older version of Adobe Acrobat. Still, the takeaway for the payments industry is that crooks are getting very wise to where the real booty is to be found—the payments and funds transfer operations which provide access to the point at which money enters and exits financial institutions. “There’s an emphasis on attacking processors now instead of retailers,” Litan says.

The CheckFree hacking put the cap on a brutal year for security, with Guardium estimating a 50 percent increase in data breaches across all industries in 2008—affecting nearly 36 million Americans—with another 50 percent increase predicted for 2009. Phil Neray, vp of security strategy for Guardium, Waltham, Mass., says the rising tide of breaches gives management little choice but to increase spending. “Part of the problem is upper management not allocating the proper budget to implement the monitoring and prevention controls required to deal with the increased sophistication of the attacks.”
