
MasterCard under DDOS, can't process SecureCode online payments - gasull
http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/
======
danilocampos
Disclaimer: I just finished Accelerando a few days ago (late to the party).
I'm hopped up on futurist vision.

First, let's stipulate that 4chan's Anonymous raids are mostly juvenile and
often ineffective at doing anything meaningful to their targets.

At the same time: The ability of a community to completely self-organize,
without central direction, and instantly execute a publicly-visible plan like
this is without precedent in human history.

It stands to reason that as time goes on, larger groups of people will become
involved in communities that exhibit 4chan-like cohesion. A larger pool means
a higher likelihood of these groups including people with the knowledge and
ability to do ever-increasing damage.

The long-term implications are interesting. Into the future, are we talking
about the instant formation and dissolution of "terrorist" or "dissident"
groups, bound together by transient common interest and gone again within days
or hours? If you're a government or corporation, this is terrifying. You can
keep tabs on other governments, and even traditional terrorist cells, which
each move at the speed of the usual group dynamics, proportional to their
size.

But what the hell do you do about groups you can't predict that are gone
before you even figure out what's wrong? Groups that aren't bound together by
national identity or other easily quantified affiliations – just ideas, ideals
and transient events?

There's something meaningful here that points to how we all get along in the
future, in the same vein as the "post-secrecy world" presaged by Wikileaks-
style activism enabled by network technologies.

Or maybe I just need a nap.

~~~
tvon
> _The ability of a community to completely self-organize, without central
> direction, and instantly execute a publicly-visible plan like this (...)_

I don't see any reason to believe it went down that way.

It's probable it was a group who already had much of the ability in-place to
execute an attack like this, and who decided to target mastercard.com because
it was found to be vulnerable, or because paypal and amazon were out of their
reach.

~~~
alanh
Not a real group so much as whoever wants in, is in, on a per-effort basis; a
movement is spearheaded by an individual or two and each so-called member
spontaneously decides whether to participate or not. “Anonymous” is hardly a
group or organization, any more than the IRC channel for your favorite
framework. A weak analogy is whenever Redditors decide to contribute to a
certain cause or user. No one decided for the group, and there was no real
vote, but nevertheless without the community most individuals would not have
contributed.

Economist / Babbage:
[http://www.economist.com/blogs/babbage/2010/12/more_wikileak...](http://www.economist.com/blogs/babbage/2010/12/more_wikileaks)
(I think he gets the definition of OP wrong, but everything else seems to jive
with my non-firsthand understanding.)

~~~
steveklabnik
It's relatively accurate.

------
tobtoh
Cyber warfare has always been a staple of sci-fi fiction, but generally
between nation states. I can't help but wonder if the reality is that this
'warfare' won't be so much between nation states, but between governments and
the public and we're witnessing the start of this with a secretive and
paranoid government(s) on one side and a distrusting and increasingly activist
'public' on the other. Corporations are stuck in the middle looking at their
bottom line, but pressured from both sides.

~~~
DanielBMarkham
I read an interesting editorial a few months back -- can't remember where --
that basically made the counter-intuitive point that we are not headed towards
totalitarianism. Far from it. We are headed towards mob rule.

The writer used the various strikes and protests in Europe as an example. His
point was that as the nation-states became less relevant, people would begin
to more closely associate in virtual groups than geographic ones.

I _also_ read the recent leaks about China, which leads me to believe that the
Chinese think they can keep a lid on the internet.

This could be the beginning of a long, drawn-out period of chaos and
overreaction by all sides. Sure would suck to have to choose between that and
totalitarianism (even if, in the end, totalitarianism wouldn't work). Perhaps
this is some author's overactive imagination though. I sure hope so.

~~~
smackay
Public demonstrations in Europe these days are generally well-behaved.
Probably the main motivation for taking to the streets is to ensure that the
government at least acknowledges an issue rather than simply ignoring it, as
was the case in the past.

The anarchist groups active today are a little less troubling than groups like
the Red Army Faction, Red Brigades and the Irish Republican Army that were a
feature of the 1970s and 1980s.

The real danger of mob rule might come from unscrupulous politicians making
capital from social tensions. The recent series of expulsions of Romany from
France and Italy were certainly a very troubling reminder of Europe's recent
history.

~~~
jacquesm
1989 is only a bit over 20 years ago:

<http://en.wikipedia.org/wiki/Nicolae_Ceau%C5%9Fescu>

And I do not doubt that if some European politician got it into their heads
to try something really stupid that such 'reminder' demonstrations would turn
violent pretty quickly.

In France it wasn't 5 years ago that hundreds of cars were burned every night
and in the Netherlands squatters do battle with the riot police with some
regularity.

Mob violence is never far away.

~~~
landhar
I think that the events in France don't belong to this list. France is dealing
with a lot of youth criminality from ghettoized communities. The burning of
cars was not backed up with any political claims. It only reflects how
authorities are losing control over certain neighborhoods.

~~~
jacquesm
The burning of cars was - as far as I understand it - a direct consequence of
multiple decades of festering trouble that was not adequately recognized or
responded to by politicians. The shortest complete description of the
background on this was something like 'these youths are protesting not against
any specific policy but against being born into a situation that they find it
almost impossible to escape from in the country that they are nominally a
citizen of'.

If you can do better than that be my guest, but I definitely see them as
motivated by politics, even if not directly attacking a specific policy or
having a concrete goal. It's more an act of frustration with life set off by
the friction between police and these youths, specifically one incident was
the spark that set off the powder.

------
adriand
It's sort of interesting - maybe even ironic, although I don't know if that
adjective is quite applicable - that when a news story comes out that says
that a major website is down due to DDOS, the first thing I do - and probably
what many others do - is try to go to that website to see if it's still down.
That, of course, must make the situation so much worse.

~~~
jmg
compared to the traffic the servers are seeing from the bots, the single
requests of curious people is pretty negligible.

------
marknutter
I think this is setting a very dangerous precedent. Yes, it was lame what
Mastercard did to Wikileaks, but it wasn't technically illegal. What Anon is
doing to Mastercard, however, is completely illegal and damaging, not only to
MC but to its customers too (who are innocent bystanders in this case).

~~~
carbocation
I'm going to try to articulate a position that I think that I understand but
is not mine, so please bear with me.

Let's put aside what is "legal" and focus on what is "socially desirable"
business behavior from the perspective of Anon. MasterCard, as a private
entity, has wide leeway in how it chooses to deal with other private entities
such as Wikileaks. Is this socially desirable? While I have no special insight
into what Anon is thinking, I would surmise that they are not pleased that
private entities are restricting free-flow of information and acting as a
state's agents even when not compelled to do so by the force of law.

We've heard from many business (Amazon, PayPal, etc) that blocking WikiLeaks
(and consequently inhibiting free distribution of classified US documents and
secret corporate information) is, at its core, a profitable business decision.
I would guess that Anon is trying to send a message that such an "anti-
freedom" decision (scare quotes intentional) can instead become very
expensive.

~~~
corin_
It's not a dissimilar concept to strike action, in that it may well have a
negative effect on customers, but is believed to be necessary nonetheless.

I fully support unions and strikers, however I'm not sure how I feel about
this kind of action. The similarity ends with differences such as strikers
have names, faces, spokespeople, they decide together if they are for or
against striking, it isn't one or more people with nothing to do with the
company who makes the decision.

~~~
noblethrasher
Strike actions have symmetry and boundedness. Withholding labor obviously
affects both the company and the workers and the action can only go so far
since both sides need each other to survive.

This kind of action is _asymmetric_ and _unbounded_ : Anon can hurt MasterCard
without cost to himself (presumably) and he can theoretically carry it out for
as long as he wants. This can only lead to some kind of escalation if
MasterCard (and similar entities) want to survive.

~~~
corin_
Agreed. My comparison was purely in reply to the concept of "you shouldn't
hurt a company to improve things, because it hurts their customers too."

~~~
ghostDancer
Well then you can compare it with commercial sanctions on Cuba, Iraq or North
Korea, which the international community doesn't suffer from too much (they're
not big players) but the people of those countries do, not only their governments.

~~~
berntb
OTOH, you can't let dictators use their own population as hostages, when they
buy weapons instead of feeding the populations (Saddam, which you mentioned,
had lots of money from smuggling).

Also, is it better to let those populations suffer in "jail" for generations?
(If I was Eastern European, I'd be pretty pissed to have been left to rot
until 1989.)

If nothing else, the dictators spread their problems (support of terrorists,
atom weapon programs etc).

Look at WW II for what will happen when democracies are pressed. At the start
of the war, British military argued against bombing private property (German
factories). Compare that to a few years later.

(I guess the place where this is closest to happen next, is Israel and the
humongous Hezbollah (/Hamas?) arsenals of rockets optimized for attacks
against civilians.)

Point is, those juntas are arguably a blight on humanity that needs to be
solved, the longer it takes the worse it might be.

Ah well, this is both after the discussion and irrelevant to Wikileaks.

Edit: Made a bit clearer.

------
eli
I'm really not a fan of Internet mob justice. I don't see how this attack
helps Wikileaks in any way. It's only going to make it harder to find anyone
willing to do business with them.

~~~
cryptoz
It doesn't help WikiLeaks and it's not supposed to. What you're seeing is a
group of people who looked at MasterCard's decisions, and reacted to prove
them wrong.

MC thought that preventing money from going to some people who move
information around was a smart business decision. Anonymous replied with,
<<No, trying to prevent the free flow of information is a _bad_ business
decision.>>

They do this, presumably, with the idea that next time MC will think twice
before doing their part in silencing the flow of information.

This is all irrelevant to WikiLeaks. They have nothing to do with this at all,
except that their particular case provides Anon with a clear example to set
for MC.

~~~
eli
You really think cyber terrorism is going to make Mastercard more likely to
want to work with similar groups in the future?

~~~
cryptoz
Woah, don't put words in my mouth like that! I _never_ said I thought that.
That said, I'm not sure I understand your question. Wikileaks and Anon aren't
related. MC can't choose to deal or not deal with Anon. Their choice is about
Wikileaks, who have nothing to do with any of this.

If they continue to choose to ban payments through their system to Wikileaks,
I assume they'll continue losing money from DDoSs. _shrug_ I don't have any
idea what'll happen, but I think you have to accept that Anon has a point,
even if you don't agree with them.

MC slows the flow of information. Anon slows the flow of cash to MC. If MC
doesn't respond, it seems like they'll keep losing money.

~~~
asr
While I understand the logic of your point, I think the assumption you make is
that MasterCard will add in the costs of a possible DDoS attack when
considering whether they made the right business decision.

And I think the answer is no, although it's arguable. There is surely a point
at which MC will try to do the "right" thing instead of the profitable thing,
and it's easy to see how that point is between cutting off Wikileaks (which
arguably is harming US national interests) and changing business strategy to
appease hackers.

~~~
kenjackson
I think you missed his point again. He's not speculating as to what MC will
optimize. He's just stating point of fact, as we understand it today. If you
do A then B will happen.

Given that it's unclear to me that what Wikileaks even did is illegal
(<http://www.nytimes.com/2010/12/02/world/02legal.html?_r=1>) I have little
sympathy for MC. It just feels like they're a bully in this situation. It does
suck for their customers though. Maybe more customers will drop MC due to
their inefficiency? Who knows.

~~~
eli
How is it being a bully to deny service to a customer who may or may not be
committing a crime? There is no inalienable right to have a credit card
merchant account.

~~~
steveklabnik
That's why we call it 'being a bully' and not 'committing a crime.'

------
Andrew_Quentin
If Private companies, all in concert, deny a party the ability to publish for
whatever reason, is that different from government censorship?

I think not. It is of course if it is only one private company, because the
individual has a choice, but if all private companies deny it, then the
individual has no choice, thus it is no different than the government itself
having denied it.

This that we are seeing, I believe, is the connection between corporations and
government in action, the business-government complex if you like. Private
companies should not have the right to discriminate based on other's beliefs
or opinions.

------
chrisbolt
Only SecureCode is affected (the MC equivalent of Verified by Visa), not all
MasterCard online payments.

~~~
gasull
Thanks. I updated the title.

------
faragon
Better attack: reduce the credit card usage, and try to pay more with cash. As
both MasterCard and Visa (the ones against Wikileaks) take the gross of its
revenue from retail and pay by credit, that could really hurt them... but
without doing anything illegal. It's just business: you fuck Wikileaks, I
reduce your profit, dear [put your favourite megacorp name here].

Boycott list:

* Amazon (Amazon stops hosting WikiLeaks website [Reuters, 20101202])
* Tableau Software (Another Falls: Tableau Software Drops Wikileaks Data Visualizations [20101202])
* Everydns.net (WikiLeaks fights to stay online after US company withdraws domain name [guardian.co.uk, 20101203])
* Paypal (WikiLeaks loses PayPal revenue service [cnn.com, 20101205])
* PostFinance (Swiss bank freezes WikiLeaks founder's legal defense fund [rawstory.com, 20101206])
* MasterCard (MasterCard pulls plug on WikiLeaks payments [cnet.com, 20101206])
* Visa (WikiLeaks loses PayPal revenue service [ibnlive.in.com, 20101207])
* Twitter??? (was it or wasn't it censorship?)

~~~
jorgem
Boycotts are good way to go. But for giant companies like Amazon and Paypal,
it is unclear that they would be able to determine _why_ their sales are going
down.

Unless the Boycott is huge.

~~~
euccastro
Both Amazon and Paypal ask you why you closed your account with them.

Now, if you just reduce your usage of their services, then you're right, it'll
be hard to attribute.

~~~
jorgem
Is it a checkbox, or do I write in: WikiLeaks?

~~~
euccastro
No Wikileaks checkbox, you have to write it.

------
m_eiman
A better way to show Mastercard that you don't like what they're doing would
be to cancel your Mastercard and/or stop accepting MC payments.

~~~
MikeCapone
This only works if enough people do it AND tell MC (and possibly the media)
why they're doing it, though.

~~~
protomyth
Yes, and that is how it is supposed to work. Boycotts and demonstrations not
working does not justify attacks.

~~~
jasonlotito
The problem is this isn't how it happens. First, consider that no attack is
really happening. It's merely digital, it harms no one physically. So this is
merely economic harm (indeed, calling it an attack only elicits sympathy for
the victim). Gandhi used an attack on the economy with his salt march. He
broke laws.

Boycotts and demonstration raise awareness, but unless it reaches a critical
mass, they don't work. Boycotts and demonstrations that disrupt (like marches
through the street or strikes) are other forms of economic attacks that cause
real monetary loss.

Voting with your wallet only works so far. Usually you're in the minority. Not
because you're wrong. Even elections understand this: the results are based on
those who voted, not those who could vote.

Review history, and time and time again you'll see economic attacks as parts
of non-violent means.

~~~
xenophanes
It does harm people physically when, say, their sandwich purchase doesn't work
and they become overly hungry -- physical stomach pains. And maybe a diabetic
somewhere will end up in the hospital.

And what about the guy who was buying safety equipment and now he has to do
the first day without it?

~~~
jasonlotito
I can apply the same "what if" logic to Rosa Parks, who caused police to be
sent to arrest her rather than patrolling their location and stopping a
murder. Or someone on the bus that got delayed being late for a job interview,
not getting it. Or that same diabetic not being able to get to his medicine he
left at home.

Edit: I should also remind you that even if you want to accept your arguments,
they aren't impacting actual transactions. Merely SecureCode transactions done
online. So I highly doubt a diabetic in need of medicine now is going to order
online.

Edit 2: And seriously, a guy gets a bit more hungry because he has to wait a
tad longer because he can't order Fat Man's Pizza online because SC is down,
and that's violent? Heck, then I guess Gandhi wasn't so peaceful after all,
what with his salt march causing less money for people, and therefore, less
money to buy food with, and therefore, less food to eat.

~~~
xenophanes
It's hard to think of a plausible way that Rosa Parks hurt anyone but it's
very easy to think of plausible ways that having your credit card denied could
hurt you.

But I didn't know it was online only. In that case it's hard to think of
plausible ways it would do physical harm.

I didn't say "violent" so don't complain about me calling stuff "violent". All
I said is that economic harm can cause physical harm, it's not harmless
(contrary to the person who said it is harmless. Not low on harm but literally
harmless).

You should not be upset with people who make corrections without expressing
any opinion. Factual, literal-minded minor corrections are no threat to your
side unless your side is mistaken.

~~~
jasonlotito
> It's hard to think of a plausible way that Rosa Parks hurt anyone but it's
> very easy to think of plausible ways that having your credit card denied
> could hurt you.

No. I can't think of a way having my CC being denied online is going to
physically hurt me. Maybe you can give an example.

Seriously though, your logic is flawed.

> I didn't say "violent" so don't complain about me calling stuff "violent".

Sorry, but what would you call an attack that causes physical harm? Peaceful?

You don't have to say the word violent, but you can still describe it.

> All I said is that economic harm can cause physical harm

And a butterfly's wing could flap because of it and cause a hurricane causing
the deaths of millions. Yes, everything is connected. I can create all sorts
of crazy scenarios. Let's stick to reality.

Anon is doing a DDoS. Twisting that round and saying "Anon is attacking people
causing physical harm" is dumb.

> Factual, literal-minded minor corrections are no threat to your side unless
> your side is mistaken.

I'm fine with factual, logical minded corrections. Your comment was void of
that. You should remember context.

Until you can show anon attacking people causing physical harm, you're actually
not saying anything.

~~~
xenophanes
Why so hateful?

------
andrewingram
I'm fairly naive about the specifics of a DDOS, but it's such an obvious
vector of attack that I'm surprised it's a major vulnerability.

Could anyone explain what it would take to minimise vulnerability to such
attacks? I would have expected the standard load on SecureCode to be pretty
high anyway, so I'm surprised that an attack brought it down. I welcome anyone
to fix my reasoning :)

~~~
nikcub
The program that is being used is a multi-threaded .NET app that opens a lot
of connections and then allows them to timeout.

Easiest form of DoS to carry out and easiest to defend.

Prevention:

a) Upstream forwarding proxy that will block all requests from an IP that
hammers the server

b) Low timeouts (5-10 seconds)

c) Intelligent upstream router that can drop the routes

d) They are hitting mastercard.com, which should be distributed on a CDN

e) Separate the public website from the application, don't even put them in
the same IP address block

At Techcrunch we survived a 4chan DoS attempt. Surprised Mastercard didn't (I
think the scale of this attack is larger, but still).

~~~
wildmXranat
> At Techcrunch we survived a 4chan DoS attempt

I wouldn't mention it; just my friendly advice. _Anon_ is a fickle beast.

------
user24
I'll be interested to see if Mastercard's stock takes a dive as a result of
this. Not that I don't expect it to recover quickly of course. But it does
make me wonder who first suggested 'operation payback', and what exactly their
motives were...

~~~
user24
There's been no impact on their price that I can see so far.

------
ars
So basically if you help wikileaks you'll be DDoSed by the (presumably)
government. If you cut them off you'll be DDoSed by other parties.

The only solution is to have nothing to do with them. Not exactly an optimum
solution - I'd much rather be cut off and constantly find new hosts than have
people afraid to have anything at all to do with me.

These attacks are not helping wikileaks.

------
motters
As an organisation Wikileaks should distance themselves as far from this sort
of activity as possible. If they condone it, or even merely appear to condone
it, then their fate is most certainly sealed.

------
tshtf
I wonder if the perpetrators of this attack realize an attack against
e-commerce may attract the attention of federal authorities more than one
against a quasi-religious group.

~~~
fluidcruft
Yeah, it's almost as if the government and large businesses only care about
each other.

------
marknutter
The really sad part about this is the people who are probably getting most
hurt by this are the web developers who maintain mastercard.com; probably a
few fellow HNers. I'd hate to be in their shoes right now.

