There, I said it.
In the ongoing story of the Online Employer security incident, the story seems to be dying down in the news, and I'm sure that PAI just wants it to go away. Who wouldn't?
So far I've not seen any evidence that any actually sensitive information has been compromised, and I don't have any information whatsoever that suggests that they're running a sloppy or insecure shop. I wouldn't worry if they had my personal information.
But it's sure become abundantly clear that PAI doesn't care about its customers.
The badware that was part of the attack emails is a password-stealing Trojan horse, and if it gets on a customer machine, it steals passwords used to log in to websites. Not just Paychoice logins, but presumably everything: PayPal, eBay, your bank, etc.
These stolen passwords are phoned home to a server in Sweden, and it's still operating as I write this. For the last two weeks I've been working to kill this botnet, and so far have gotten DNS for iicon-metal.org killed twice (if the badware can't find the mothership, it can't phone home the stolen booty).
DNS has moved to a new set of nameservers, and so far I haven't been able to hunt that down, nor have I been successful in getting the mothership taken down. I'm about to get some help from colleagues on that front: perhaps we'll get somewhere.
At every step, I've been told that mine are the only reports they're getting.
Why isn't PAI doing this???
Answer: because they believe that saying "Please use up-to-date antivirus" is taking care of the problem, and if the customers get hacked anyway, it's not PAI's responsibility — at least legally.
Obviously, securing their own infrastructure is vitally important, and I don't doubt that they're doing a good job at it, but I believe they owe it to their customers (and customers of their customers) to address the entire Paychoice ecosystem, not just CYA for themselves.
Remember: if individual employers get hacked, they don't take it out on Paychoice, they take it out on Paychoice licensees, the service bureaus who process their payrolls.
Paychoice has said repeatedly that the investigation is ongoing, they have engaged the authorities, blah blah blah. If they're working this angle to take down this botnet, I haven't seen it. To date, I've not received any contact whatsoever from Payroll Associates.
I'd sure rather believe that they have gotten bad advice from their consultants: perhaps because they have no experience themselves with this kind of security incident response, they relied on their experts. If this is the case, PAI, please ask your experts why they're not doing the right thing by your customers.
I've heard from many Paychoice licensees complaining about the poor information coming from the company, and though I understand the anxiety of not knowing what's going on, that poor customer-service response doesn't make anybody less safe.
But by not aggressively attacking this botnet, their customers are actually less safe. That is what matters, and as far as I can tell, they're doing a terrible job.
Edit - Note that this attack is still ongoing, the mothership is still up, and there is nothing to prevent Paychoice or its experts from re-engaging in this effort to protect customers. They are welcome to all the information I have on this should they care to pick up the baton.
Payroll Associates Inc, any response to this?
(silence except for sounds of crickets chirping)
Posted by: Marcina | October 07, 2009 at 07:15 AM
I've sent you an email, but one thing I'm concerned about is that the emails were sent with the username and part of the password that end-users use to log into the Paychoice portal. This seems to indicate that the attackers were able to pull at least some data from Paychoice. It also means that passwords are stored, at least partially, as plaintext or by some two-way algorithm instead of a one-way hash as it should be.
So, from my perspective, Paychoice cannot be considered secure.
Posted by: Chris Erwin | October 14, 2009 at 07:59 AM
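As an added illustration of the point in the comment above (this is not code from the post, from Paychoice, or from any commenter), the block below contrasts a constructed reversible credential record, from which a mail template can lift a password prefix, with a salted one-way record that can only be verified, plus a small audit check for whether any stored field exposes such a prefix. The username, password, and field names are made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credential (not a real account).
USERNAME = "payroll_clerk"
PASSWORD = "Tr0ub4dor&3"
ITERATIONS = 200_000  # PBKDF2 work factor; raise on faster hardware


def store_reversible(password: str) -> dict:
    # Plaintext (or equivalently, decryptable) storage: whoever reads the
    # record, the server or an attacker who dumps it, gets the secret back.
    return {"user": USERNAME, "password": password}


def partial_password_from_reversible(record: dict, n: int) -> str:
    # The kind of "hint" that can only come from reversible storage.
    return record["password"][:n]


def store_hashed(password: str) -> dict:
    # One-way storage: salted PBKDF2-HMAC-SHA256. Nothing in this record can
    # be turned back into the password or any prefix of it.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": USERNAME, "salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(record: dict, candidate: str) -> bool:
    # Verification recomputes the derivation; constant-time compare avoids
    # leaking how many bytes matched.
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_exposes_prefix(record: dict, password: str, n: int) -> bool:
    # Audit helper: does any stored field contain the first n characters of
    # the password? True for the reversible record, False for the hashed one.
    prefix = password[:n]
    return any(isinstance(v, str) and prefix in v for v in record.values())


if __name__ == "__main__":
    print(record_exposes_prefix(store_reversible(PASSWORD), PASSWORD, 3))
    print(record_exposes_prefix(store_hashed(PASSWORD), PASSWORD, 3))
```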