Web Domain-Name Registrars Need Tighter Security: Analyst

The temporary redirection of some CheckFree Corp. customers from legitimate CheckFree Web sites to a fraudulent site on Dec. 2 (CardLine, 12/10) suggests domain-name registrars are a weak security link in online commerce and financial services, says a Javelin Strategy & Research Inc. analyst.

How fraudsters were able to change CheckFree's Web site domain records maintained by Network Solutions is unclear. The Herndon, Va.-based domain registrar serves CheckFree and thousands of other businesses, nonprofits and individuals with Web site addresses. Network Solutions has not responded to CardLine requests for information and comment.

A representative of CheckFree, an online bill-payment services company owned by Brookfield, Wis.-based processor Fiserv Inc., says that due to an ongoing investigation she cannot comment beyond a statement the company released earlier this week. Published reports say someone provided Network Solutions with the correct credentials necessary to access and change CheckFree's Web site records.

However the attack occurred, banks, credit unions, online bill-payment services, e-commerce merchants and the payments-technology vendors who serve them are required to follow strict security practices mandated by banking laws, the Payment Card Industry Data Security Standard and other regulations, notes Tom Wills, senior analyst for security, fraud and compliance at Pleasanton, Calif.-based Javelin. But domain-name registrars, which are companies that collect and maintain the Web site name and address registrations of any entity with an online presence, do not face the same level of security scrutiny as do entities handling consumer financial and personal data, he says.

"They're a critical part of the value chain, but they haven't been included in security design," Wills tells CardLine. The banking and payments industries should pressure domain registrars to develop and maintain "banking-grade security," he adds.
