Mastercard problems

It appears the site is under a sustained attack, CNET reports.

http://news.cnet.com/8301-13578_3-20024966-38.html

Andrew

It's only their main website; it has not affected their ability to process payments as of yet.

> It appears the site is under a sustained attack, CNET reports.
>
> http://news.cnet.com/8301-13578_3-20024966-38.html
>
> Andrew
> It's only their main website; it has not affected their ability to
> process payments as of yet.

Yes it has:

http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/

google = "Operation: Payback"

Sadly, our ineffective government probably won't bring these perpetrators to justice. I have no real opinion concerning wikileaks, but DOS attacks cannot be justified.

Jack

Are you prepared for "information terrorism" laws?

DOS attacks are already illegal. I question the ability to track responsible parties down and have appropriate proof to actually prosecute.

Let's be honest. Even in the 20th century, more people had been caught by bragging in public than by backtracking.

Jack

so... the loic tool uses the host's local address, the attacks are all
HTTP based, or tcp/80 with malformed HTTP... someone with server logs
could certainly get a list of the ips involved and hand that over to
the FBI for proper action.

I know that the folks involved on the MC side already have this data,
and that the FBI is interested in it.

-chris

The problem is that they were also slashdotted. The logs would also have a
large number of unrelated.

> Are you prepared for "information terrorism" laws?
>
> DOS attacks are already illegal. I question the ability to track responsible

"so... the loic tool uses the host's local address, the attacks are all
HTTP based, or tcp/80 with malformed HTTP..."

That should be easy to grep by...?

Of course, it's debatable if use of LOIC is enough to convict. You'd have to first prove the person installed it themselves, and then you'd have to prove that they knew it would be used for illegal purposes.

The hive controller, and the actual operator(s) are who they want, and that's a little more work. This has been an issue in the past, even when we knew exactly where botnet controllers were, concerning the legality of taking control to shut it down.

Jack

pro-tip: the tool has a pretty easy to spot signature.

-chris

> Yes it has:
>
> http://blog.securetrading.com/2010/12/mastercard-maestro-3-d-secure/

I've been processing cards all day for my wife's biz without any problems.

-J

At least some processing ops are experiencing problems:

http://heartbeat.skype.com/2010/12/problems_with_mastercard_payme.html

- ferg

There are other payment processors out there for Mastercard and Visa,
I'm sure in Canada I don't bother clearing the charges I put through with
a single master server in the US, they're probably also distributed
for various reasons (fibre cuts speed of transaction, etc). When I hit
the bigger grocery stores, the approval is almost instantaneous. Not
sure what they're using for backhaul to where, but it ain't DSL or a phone
line.

Taking out that kinda distributed architecture would require attacking the
protocol with a self propagating attack (~Stuxnet), not the individual
sites that do the processing.

I'm sure Mastercard has some skills on how to run an internal 'cloud'.

/kc

What is that signature?

Regards,
Ben

The tool makes HTTP/1.0 requests, most browsers make HTTP/1.1 requests.

William

Earlier this morning there were two people interviewed on the BBC radio 4 Today program (this is considered the BBC's flagship morning news/current affairs show on their serious nationwide talk radio station) about this - one was a security consultant and another was a member of/spokesman for the 'operation payback' group. One wonders why the Met Police didn't have someone waiting to have a quiet chat with the latter when he left the studio.

Both of them said that people had been voluntarily downloading and installing botnet clients on their PCs in order to take part in these DDoS attacks. Ignoring, for a moment, the stupidity of such action it is hard to see how you'd be able to argue that this was *not* going to be used for illegal purposes.

The other amusing part of the interview was when the security consultant started off very well explaining a DDoS in layman's terms, but then veered off using the terms HTTP, UDP and IP in one sentence causing the presenter to intervene as it "was getting a tad too technical there".

Paul.

Is there anything else to it, or just the protocol version?

Regards,
Ben

Be careful - plenty of Squids make HTTP/1.0 version.

ProTip: be careful. :)

Adrian
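
As an added example (not part of the thread and not any poster's code), here is a log triage script that applies the HTTP/1.0 heuristic William mentions while keeping Adrian's proxy caveat and the unrelated slashdot traffic out of the flagged set. It assumes an Apache "combined" log with a trailing `%{Via}i` field; the log lines, addresses, `min_requests` threshold and verdict names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout: Apache "combined" format plus a trailing "%{Via}i" field.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) \S+ HTTP/(?P<ver>\d\.\d)" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<via>[^"]*)"$'
)

def _line(ip, ver, via="-", ref="-", ua="-"):
    """Build one constructed log line (sample data, not from a real server)."""
    return (f'{ip} - - [01/Jan/2000:00:00:00 +0000] "GET / HTTP/{ver}" '
            f'200 512 "{ref}" "{ua}" "{via}"')

# Constructed sample input; all addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [_line("192.0.2.10", "1.0")] * 4                       # bare HTTP/1.0, repeated
    + [_line("198.51.100.7", "1.0", via="1.0 cache.example (squid)")] * 3
    + [_line("203.0.113.5", "1.1", ref="http://slashdot.org/", ua="Mozilla/5.0")] * 2
    + [_line("203.0.113.9", "1.0")]                        # one-off HTTP/1.0 client
    + ['192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "\\x00\\x01" 400 0 "-" "-" "-"']
)

def triage(log_text, min_requests=3):
    """Classify client IPs by the HTTP/1.0 heuristic, keeping proxies separate."""
    stats = defaultdict(Counter)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if m is None:                      # request line did not parse as HTTP
            stats[raw.split()[0]]["malformed"] += 1
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        if m["ver"] == "1.0":
            s["http10"] += 1
            if m["via"] not in ("", "-"):  # a Via header means an intermediary sent it
                s["proxied"] += 1
    verdicts = {}
    for ip, s in stats.items():
        if s["proxied"]:
            verdicts[ip] = "proxy"         # HTTP/1.0 explained by a cache such as Squid
        elif s["http10"] + s["malformed"] >= min_requests and s["http10"] == s["total"]:
            verdicts[ip] = "review"        # only HTTP/1.0 or malformed, at volume
        else:
            verdicts[ip] = "unflagged"     # HTTP/1.1 browsers and low-volume clients
    return verdicts
```

A "review" verdict only narrows the list for a human analyst; the protocol version alone does not identify a tool, which is the point of the proxy caveat.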