The Green Sheet Online Edition
December 27, 2010 • Issue 10:12:02
MasterCard, Visa, PayPal thwart DDoS attacks
Recent cyber attacks on the major payment network websites reportedly caused a disruption Dec. 8, 2010, of MasterCard Worldwide's SecureCode service for secure online transactions.
The attacks by a band of hackers calling itself "Anonymous" were reportedly in retaliation for Visa Inc., MasterCard and PayPal Inc. dropping WikiLeaks from their client rosters after the controversial website refused to stop publishing hundreds of thousands of pages of confidential cables between U.S. embassies and Washington.
The distributed denial-of-service (DDoS) attacks by the "hacktivists" involved the use of software Anonymous offered to supply free to supporters.
Downloading the software connects the user to a network of hacker machines known as a botnet, which is used to flood websites with requests until the sites are unable to cope with the traffic.
The primary result of the attacks was to make the websites of PayPal, MasterCard and Visa temporarily unavailable due to the magnitude of the web traffic generated.
SecureCode service out briefly
Also unavailable was MasterCard's SecureCode service, apparently because verification relies on loading pages from the company's web server, which was one of the targets of the DDoS attacks. MasterCard SecureCode allows cardholders to create a private code for use in shopping online as added protection against fraud.
Mike Monsivais, a Security Analyst for SecurityMetrics Inc., a company that provides Payment Card Industry (PCI) Data Security Standard (DSS) compliance consulting and tools, pointed out that disruption of the SecureCode system didn't mean users couldn't make purchases online.
Monsivais said, "It means the system defaulted, or 'failed over' to asking them for the normal credentials needed to use your credit card online: credit card number, security code and expiration date."
MasterCard posted a statement on its website stating, "Our core processing capabilities have not been compromised, and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."
DDoS attacks a fact of life
Security analysts suggest that DDoS attacks differ in intent, method and impact from attacks launched by financially motivated hackers.
When a financially motivated hacker launches an attack, "he's attacking weaknesses in the protocols and applications on the vulnerable server to try and access it," said Chad Horton, Penetration Testing Manager at SecurityMetrics. "In a DDoS case, they're flooding the pipelines that feed into websites with legitimate traffic so that other legitimate traffic can't get through."
Security experts admit DDoS attacks cannot be prevented; they advise the best way to protect against intrusions from financially motivated hackers is to be vigilant and adhere to security best practices.
"Part of security is an appreciation that these sorts of things can and will happen," said Tim Cranny, President and Chief Executive Officer of Panoptic Security Inc., a technology security company specializing in PCI compliance.
"You do everything you can to prevent it, but then you also do everything you can to mitigate the effects and consequences of it."