CheckFree / lack of security notification
Apparently, visitors to the CheckFree site on December 2, 2008 were redirected to a Ukranian site where a trojan was downloaded attempting to steal login IDs, passwords and other private information.
For some reason CheckFree didn't see fit to put a notice in the messages section of their website about this for 10 days. Worse yet, they never sent me an email to alert me that there was an urgent notice there and that I should login immediately to read it. (I have ALL of my incoming messages, including SPAM, archived locally and online.)
Even if I logged in, all I would see initially is the number of messages awaiting me and I would have to click on the Messages link to see the subject line "Important Information Regarding your Bill Payment Service", which doesn't quite convey the urgency of the content.
Perhaps using words such as URGENT, SECURITY or BREACH might have been a little more likely to catch my eye, even if they had been buried in the midst of the subject line, e.g. Important Information Regarding a Security Breach of your Bill Payment Service.
As it stands now, I learned of this on 2/5/2009 and when I called, I was given incorrect information regarding my vulnerability, even after telling the rep that I'm not sure my AV sigs were current at the time. He hadn't even asked what AV software I was using, but assured me that I couldn't have been compromised. He also couldn't tell me exactly which malware might have invaded my PC, although he was so sure I couldn't have it.
When I explained to him that there are many products tested at av-comparatives.com which find less than 50% of certain types of malware, he asked me "If you know so much, then why aren't you better protected", to which I responded, "Are you trying to be a wise ###?" and he said, "No, but you're being one."
I am an IT Security Consultant and I am almost certain at least one of my 7 or 8 layers of protection and other proper security practices, such as logging in from an account without Administrative rights, would have prevented a breach of my system, but he didn't know that.
I have never encountered such an unprofessional handling of a security breach, both on the part of CheckFree, by their lack of email notification and weakly worded subject on the online notice, and on the part of the rude, ignorant (lacking the appropriate knowledge) and unhelpful telephone rep I encountered.