A sophisticated ransomware assault on IT company Kaseya sent shockwaves through the global payments sector last month. The case has underlined just how vulnerable the ecosystem has become.
The inexorable rise of cybercrime has made it a risky time to be running a business that depends on the internet. When that business is dealing with payments, brokering financial transactions for potentially millions of customers, the stakes are even higher.
One cyber attack in July, targeting a global network of payments terminals using software supplied by US firm Kaseya, amply illustrates the risks facing the sector. It was mounted by a hacking gang using a ransomware strain known as REvil.
In the statement it made after the attack, Kaseya reported that only 60 of its customers were affected – which, while correct, demonstrates the concentration of power in the payments industry. Those 60 customers were supporting about 1,500 other businesses, which were rendered incapable of taking payments.
Real-world ramifications of cyberattacks
More than a third of the affected enterprises were branches of Swedish supermarket chain Coop. The ransomware disabled its tills, forcing the closure of most stores. A small number tried to continue trading using an alternative payments method that they had tested before the attack, but that system would also later fail, unable to withstand the sudden surge in demand. Some perishable foods were given away to prevent spoilage.
Natalie Page, cyber threat intelligence analyst at Talion, a specialist in network security, observes that only 0.1% of Kaseya’s clients were affected.
“This attack could have been a lot worse – the god-level access mode that REvil ransomware operators achieved was extremely worrying,” she says. “Unfortunately, this won’t be the last supply-chain attack we shall witness. Next time we may not get off so lightly. It’s a matter of when, not if, there will be a similar case. Owing to the spreading mechanism that an attack of this nature can provide, such incidents have the potential to be little short of disastrous.”
Kevin Curran, professor of cybersecurity at the University of Ulster, believes that the sector “has a long way to go to keep up with sophisticated techniques used by fraudsters. Although a cashless society is on the horizon, moving that way presents major risks for the payments industry.”
It’s therefore vital that the sector applies artificial intelligence as a threat-hunting tool, says Page, who notes that Visa has been using AI-based systems for well over two decades to safeguard transactions. This technology can analyse more than 500 risk attributes every millisecond.
“AI has been the driving force in helping companies worldwide to improve the customer experience, boost their growth and, most crucially, mitigate threats to payment security,” she says.
But Page adds that further work is still needed to keep the ever-more sophisticated cybercriminals at bay. This includes the development of an approach known as zero-trust architecture, which requires every request made on an organisation’s network to prove its integrity before it can be permitted.
Is consolidation to blame?
Some observers have noted that the recent pandemic-fuelled uptick in M&A activity and increasing centralisation in the payments industry have been making the situation riskier. These trends have caused points of failure to be bunched more closely among a decreasing number of payment providers.
This concentration of power is a potential concern for businesses operating critical infrastructure such as payment services, as Page explains: “With many payment providers now centralising and merging, a smaller group of targets are being created, with a much larger client base than ever before. This means that the security of payments systems has never been so crucial.”
She continues: “There are real disparities in the quality and security offered by various payment systems. With no governing body to set and maintain standards, the industry could be heading for disaster. The development of a real authority to monitor this area would therefore be an extremely positive step to ensure the future security of the payments industry.”
Taking steps to prevent disaster
Curran is concerned that the sector, as currently structured, is ill-equipped to handle another crisis on the scale of the Kaseya attack.
“Even though the growth of mobile payments has been explosive, security controls and enterprise management tools have not matured in the same way,” he notes.
Within days of the attack on its system, Kaseya managed to come up with a software patch to plug the vulnerability that the hackers had exploited.
Curran stresses that businesses need to update their software whenever they are prompted to do so. This is particularly important in the case of payments systems, which process highly sensitive private information, including the security codes on customers’ bank cards that are required to verify online and telephone transactions.
“All software has vulnerabilities, so the quicker an update can be distributed, the more secure it is,” he says. “The longer a system remains outdated with known vulnerabilities, the greater the risk.”
It’s important for companies to back up their systems regularly and maintain cybersecurity awareness among their employees. From a business-continuity perspective, it’s also advisable not to rely on a single payments provider if at all possible.
The Kaseya attack has been useful in that it has warned all players in the sector that they need to take prompt and effective action, or risk becoming the next victims.
“Although the pandemic has made many people feel that time is standing still”, Page says, “the global economy certainly isn’t.”
As a result, neither should the payments industry.