The Green Sheet Online Edition

December 27, 2010  •  Issue 10:12:02

MasterCard, Visa, PayPal thwart DDoS attacks

Recent cyber attacks on the major payment network websites reportedly caused a disruption Dec. 8, 2010, of MasterCard Worldwide's SecureCode service for secure online transactions.

The attacks by a band of hackers calling itself "Anonymous" were reportedly in retaliation for Visa Inc., MasterCard and PayPal Inc. dropping WikiLeaks from their client rosters after the controversial website refused to stop publishing hundreds of thousands of pages of confidential cables between U.S. embassies and Washington.

The distributed denial-of-service (DDoS) attacks by the "hacktivists" involved the use of software Anonymous offered to supply free to supporters.

Downloading the software connects the user to a network of hacker machines known as a botnet, which is used to flood websites with requests until the sites are unable to cope with the traffic.

The primary result of the attacks was to make the websites of PayPal, MasterCard and Visa temporarily unavailable due to the magnitude of the web traffic generated.

SecureCode service out briefly

Also unavailable was MasterCard's SecureCode service, apparently because verification relies on loading pages from the company's web server, which was one of the targets of the DDoS attacks. MasterCard SecureCode allows cardholders to create a private code for use in shopping online as added protection against fraud.

Mike Monsivais, a Security Analyst for SecurityMetrics Inc., a company that provides Payment Card Industry (PCI) Data Security Standard (DSS) compliance consulting and tools, pointed out that disruption of the SecureCode system didn't mean users couldn't make purchases online.

Monsivais said, "It means the system defaulted, or 'failed over' to asking them for the normal credentials needed to use your credit card online: credit card number, security code and expiration date."

MasterCard posted a statement on its website stating, "Our core processing capabilities have not been compromised, and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."

DDoS attacks a fact of life

Security analysts suggest that the DDoS attacks differ in intent, method and impact from those launched by "financially" motivated hackers.

When a financially motivated hacker launches an attack, "he's attacking weaknesses in the protocols and applications on the vulnerable server to try and access it," said Chad Horton, Penetration Testing Manager at SecurityMetrics. "In a DDoS case, they're flooding the pipelines that feed into websites with legitimate traffic so that other legitimate traffic can't get through."

Security experts admit DDoS attacks cannot be prevented; they advise the best way to protect against intrusions from financially motivated hackers is to be vigilant and adhere to security best practices.

"Part of security is an appreciation that these sorts of things can and will happen," said Tim Cranny, President and Chief Executive Officer of Panoptic Security Inc., a technology security company specializing in PCI compliance.

"You do everything you can to prevent it, but then you also do everything you can to mitigate the effects and consequences of it."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
