The Coming Storm


24
Jan 20

Does Your Domain Have a Registry Lock?

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC for (for .cn) domains, and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks. Continue reading →


6
Jan 20

The Hidden Cost of Ransomware: Wholesale Password Theft

Organizations in the throes of cleaning up after a ransomware outbreak typically will change passwords for all user accounts that have access to any email systems, servers and desktop workstations within their network. But all too often, ransomware victims fail to grasp that the crooks behind these attacks can and frequently do siphon every single password stored on each infected endpoint. The result of this oversight may offer attackers a way back into the affected organization, access to financial and healthcare accounts, or — worse yet — key tools for attacking the victim’s various business partners and clients.

In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was hit by the Ryuk ransomware strain. VCPI manages the IT systems for some 110 clients that serve approximately 2,400 nursing homes in 45 U.S. states. VCPI declined to pay the multi-million dollar ransom demanded by their extortionists, and the attack cut off many of those elder care facilities from their patient records, email and telephone service for days or weeks while VCPI rebuilt its network.

Just hours after that story was published, VCPI chief executive and owner Karen Christianson reached out to say she hoped I would write a follow-up piece about how they recovered from the incident. My reply was that I’d consider doing so if there was something in their experience that I thought others could learn from their handling of the incident.

I had no inkling at the time of how much I would learn in the days ahead.

EERIE EMAILS

On December 3, I contacted Christianson to schedule a follow-up interview for the next day. On the morning of Dec. 4 (less than two hours before my scheduled call with VCPI and more than two weeks after the start of their ransomware attack) I heard via email from someone claiming to be part of the criminal group that launched the Ryuk ransomware inside VCPI.

That email was unsettling because its timing suggested that whoever sent it somehow knew I was going to speak with VCPI later that day. This person said they wanted me to reiterate a message they’d just sent to the owner of VCPI stating that their offer of a greatly reduced price for a digital key needed to unlock servers and workstations seized by the malware would expire soon if the company continued to ignore them.

“Maybe you chat to them lets see if that works,” the email suggested.

The anonymous individual behind that communication declined to provide proof that they were part of the group that held VPCI’s network for ransom, and after an increasingly combative and personally threatening exchange of messages soon stopped responding to requests for more information.

“We were bitten with releasing evidence before hence we have stopped this even in our ransoms,” the anonymous person wrote. “If you want proof we have hacked T-Systems as well. You may confirm this with them. We havent [sic] seen any Media articles on this and as such you should be the first to report it, we are sure they are just keeping it under wraps.” Security news site Bleeping Computer reported on the T-Systems Ryuk ransomware attack on Dec. 3.

In our Dec. 4 interview, VCPI’s acting chief information security officer — Mark Schafer, CISO at Wisconsin-based SVA Consulting — confirmed that the company received a nearly identical message that same morning, and that the wording seemed “very similar” to the original extortion demand the company received.

However, Schafer assured me that VCPI had indeed rebuilt its email network following the intrusion and strictly used a third-party service to discuss remediation efforts and other sensitive topics. Continue reading →


16
Dec 19

Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up

As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.

The message displayed at the top of the Maze Ransomware public shaming site.

Less than 48 hours ago, the cybercriminals behind the Maze Ransomware strain erected a Web site on the public Internet, and it currently lists the company names and corresponding Web sites for eight victims of their malware that have declined to pay a ransom demand.

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”

KrebsOnSecurity was able to verify that at least one of the companies listed on the site indeed recently suffered from a Maze ransomware infestation that has not yet been reported in the news media.

The information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze. Continue reading →


26
Nov 19

It’s Way Too Easy to Get a .gov Domain Name

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain.

Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.”

The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving).

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

Technically, what my source did was wire fraud (obtaining something of value via the Internet/telephone/fax through false pretenses); had he done it through the U.S. mail, he could be facing mail fraud charges if caught.

But a cybercriminal — particularly a state-sponsored actor operating outside the United States — likely would not hesitate to do so if he thought registering a .gov was worth it to make his malicious website, emails or fake news social media campaign more believable.

“I never said it was legal, just that it was easy,” the source said. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Earlier today, KrebsOnSecurity contacted officials in the real town of Exeter, RI to find out if anyone from the U.S. General Services Administration — the federal agency responsible for managing the .gov domain registration process — had sought to validate the request prior to granting a .gov in their name.

A person who called back from the town clerk’s office but who asked not to be named said someone from the GSA did phone their office on Nov. 24 — which was four days after I reached out to the federal agency about the domain in question and approximately 10 days after the GSA had already granted the phony request.

WHO WANTS TO BE A GOVERNMENT?

Responding today via email, a GSA spokesperson said the agency doesn’t comment on open investigations.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency wrote, without elaborating on what those additional controls might be.

KrebsOnSecurity did get a substantive response from the Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security which is leading efforts to protect the federal .gov domain of civilian government networks [NB: The head of CISA, Christopher C. Krebs, is of no relation to this author].

The CISA said this matter is so critical to maintaining the security and integrity of the .gov space that DHS is now making a play to assume control over the issuance of all .gov domains.

“The .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country,” reads a statement CISA sent to KrebsOnSecurity. “Its use by these institutions should instill trust. In order to increase the security of all US-based government organizations, CISA is seeking the authority to manage the .gov TLD and assume governance from the General Services Administration.”

The statement continues:

“This transfer would allow CISA to modernize the .gov registrar, enhance the security of individual .gov domains, ensure that only authorized users obtain a .gov domain, proactively validate existing .gov holders, and better secure everyone that relies on .gov. We are appreciative of Congress’ efforts to put forth the DOTGOV bill [link added] that would grant CISA this important authority moving forward. GSA has been an important partner in these efforts and our two agencies will continue to work hand-in-hand to identify and implement near-term security enhancements to the .gov.” Continue reading →


26
Nov 19

Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. KrebsOnSecurity has learned this latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the midwest and eastern United States.

An advertisement on the cybercrime store Joker’s Stash for a new batch of ~4 million credit/debit cards stolen from four different restaurant chains across the midwest and eastern United States.

Two financial industry sources who track payment card fraud and asked to remain anonymous for this story said the four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

KrebsOnSecurity heard the same conclusion from Gemini Advisory, a New York-based fraud intelligence company.

“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,”  Gemini wrote in an analysis of the New World Order batch shared with this author. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. There is an additional Moe’s location in Hawaii that is not depicted. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019, and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019, and disclosed this in late October.

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards stolen from restaurants, fuel pumps and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once, which can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019 and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.” Continue reading →


23
Nov 19

110 Nursing Homes Cut Off from Health Records in Ransomware Attack

A ransomware outbreak has besieged a Wisconsin based IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States. The ongoing attack is preventing these care centers from accessing crucial patient medical records, and the IT company’s owner says she fears this incident could soon lead not only to the closure of her business, but also to the untimely demise of some patients.

Milwaukee, Wisc. based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.

At around 1:30 a.m. CT on Nov. 17, unknown attackers launched a ransomware strain known as Ryuk inside VCPI’s networks, encrypting all data the company hosts for its clients and demanding a whopping $14 million ransom in exchange for a digital key needed to unlock access to the files. Ryuk has made a name for itself targeting businesses that supply services to other companies — particularly cloud-data firms — with the ransom demands set according to the victim’s perceived ability to pay.

In an interview with KrebsOnSecurity today, VCPI chief executive and owner Karen Christianson said the attack had affected virtually all of their core offerings, including Internet service and email, access to patient records, client billing and phone systems, and even VCPI’s own payroll operations that serve nearly 150 company employees.

The care facilities that VCPI serves access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking (VPN) platform, and Christianson said restoring customer access to this functionality is the company’s top priority right now.

“We have employees asking when we’re going to make payroll,” Christianson said. “But right now all we’re dealing with is getting electronic medical records back up and life-threatening situations handled first.”

Christianson said her firm cannot afford to pay the ransom amount being demanded — roughly $14 million worth of Bitcoin — and said some clients will soon be in danger of having to shut their doors if VCPI can’t recover from the attack.

“We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time,” she said. “In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.” Continue reading →


7
Nov 19

Study: Ransomware, Data Breaches at Hospitals tied to Uptick in Fatal Heart Attacks

Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts, a new study posits. Health industry experts say the findings should prompt a larger review of how security — or the lack thereof — may be impacting patient outcomes.

Researchers at Vanderbilt University‘s Owen Graduate School of Management took the Department of Health and Human Services (HHS) list of healthcare data breaches and used it to drill down on data about patient mortality rates at more than 3,000 Medicare-certified hospitals, about 10 percent of which had experienced a data breach.

As PBS noted in its coverage of the Vanderbilt study, after data breaches as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.

The researchers found that for care centers that experienced a breach, it took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram.

“Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” the authors found. “Remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes.”

Leo Scanlon, former deputy chief information security officer at the HHS, said the findings in this report practically beg for a similar study to be done in the United Kingdom, whose healthcare system was particularly disrupted by the Wannacry virus, a global contagion in May 2017 that spread through a Microsoft Windows vulnerability prevalent in older healthcare systems.

“The exploitation of cybersecurity vulnerabilities is killing people,” Scanlon told KrebsOnSecurity. “There is a lot of possible research that might be unleashed by this study. I believe that nothing less than a congressional investigation will give the subject the attention it deserves.”

A post-mortem on the impact of WannaCry found the outbreak cost U.K. hospitals almost $100 million pounds and caused significant disruption to patient care, such as the cancellation of some 19,000 appointments — including operations — and the disruption of IT systems for at least a third of all U.K. National Health Service (NHS) hospitals and eight percent of general practitioners. In several cases, hospitals in the U.K. were forced to divert emergency room visitors to other hospitals.

But what isn’t yet known is how Wannacry affected mortality rates among heart attack and stroke patients whose ambulances were diverted to other hospitals because of IT system outages related to the malware. Or how many hospitals and practices experienced delays in getting test results back needed to make critical healthcare decisions.

Scanlon said although he’s asked around quite a bit over the years to see if any researchers have taken up the challenge of finding out, and that so far he hasn’t found anyone doing that analysis.

“A colleague who is familiar with large scale healthcare data sets told me that unless you are associated with a research institution, it would be almost impossible to pry that kind of data out of the institutions that have it,” Scanlon said. “The problem is this data is hard to come by — nobody likes to admit that death can be attributable to a non-natural cause like this — and is otherwise considered sensitive at a very high and proprietary level by the institutions that have the facts.”

A study published in the April 2017 edition of The New England Journal of Medicine would seem to suggest applying the approach used by the Vanderbilt researchers to measuring patient outcomes at U.K. hospitals in the wake of Wannacry might be worth carrying out.

In the NEJM study, morbidity and mortality data was used to show that there is a measurable impact when ambulances and emergency response teams are removed from normal service and redirected to standby during public events like marathons and other potential targets of terrorism.

The study found that “medicare beneficiaries who were admitted to marathon-affected hospitals with acute myocardial infarction or cardiac arrest on marathon dates had longer ambulance transport times before noon (4.4 minutes longer) and higher 30-day mortality than beneficiaries who were hospitalized on nonmarathon dates.” Continue reading →


3
Nov 19

NCR Barred Mint, QuickBooks from Banking Platform During Account Takeover Storm

Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse.

Part of a communication NCR sent Oct. 25 to banks on its Digital Insight online banking platform.

On Oct. 29, KrebsOnSecurity heard from a chief security officer at a U.S.-based credit union and Digital Insight customer who said his institution just had several dozen customer accounts hacked over the previous week.

My banking source said the attackers appeared to automate the unauthorized logins, which took place over a week in several distinct 12-hour periods in which a new account was accessed every five to ten minutes.

Most concerning, the source said, was that in many cases the aggregator service did not pass through prompts sent by the credit union’s site for multi-factor authentication, meaning the attackers could access customer accounts with nothing more than a username and password.

“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source, who added that he suspected a breach at Mint and/QuickBooks because NCR had just blocked the two companies from accessing bank Web sites on its platform.

In a statement provided to KrebsOnSecurity, NCR said that on Friday, Oct. 25, the company notified Digital Insight customers “that the aggregation capabilities of certain third-party product were being temporarily suspended.”

“The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data,” reads their statement, which was sent to customers on Oct. 29. After confirming that the incident was contained, NCR restored connectivity that is used for account aggregation. “As we noted, the criminals are getting aggressive and creative in accessing tools to access online information, NCR continues to evaluate and proactively defend against these activities.””

What were these sophisticated methods? NCR wouldn’t say, but it seems clear the hacked accounts are tied to customers re-using their online banking passwords at other sites that got hacked.

As I noted earlier this year in The Risk of Weak Online Banking Passwords, if you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. Continue reading →


24
Oct 19

Cachet Financial Reeling from MyPayrollHR Fraud

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks).

Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business.

“We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued:

“Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.”

All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements.

All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans

Deadline for wires is 1 P.M. PST.

This will be the process until further notice. If you need a backup processor, please contact us.

If you require wire instructions, please respond to this email and they will be sent to you.

We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.”

In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted.

Cachet’s financial institution, Wilmington, Del. based The Bancorp Bank (NASDAQ: TBBK), did not respond to requests for comment.

Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week.

Steve Friedl, an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees.  But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes.

“There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.”

Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank.

“Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.” Continue reading →