DDoS against MasterCard's sites and the SecureCode Directory Server.

Big problems for online Maestro acceptance...

6:36 pm on Dec 8, 2010 (gmt 0)

New User

5+ Year Member

joined:July 1, 2008
posts: 29
votes: 0

MasterCard pulls plug on WikiLeaks payments [news.cnet.com]
Anonymous Mastercard attack 'hits payments' [bbc.co.uk]

MasterCard finally acknowledging the current ongoing issue for the last few hours:
"Please be advised that MasterCard SecureCode Support has detected a service disruption to the MasterCard Directory Server. The Directory Server service has been failed over to a secondary site however customers may still be experiencing intermittent connectivity issues. More information on the estimated time of recovery will be shared in due course."

I feel very sorry for many merchants who have for some hours been unable to accept Maestro online.

Those merchants with SecureCode may be getting dinged for downgraded transactions too.
7:18 pm on Dec 8, 2010 (gmt 0)

New User

5+ Year Member

joined:July 1, 2008
posts: 29
votes: 0

See also: Mastercard Site Hit By 'Hacktivists' Over Wikileaks [webmasterworld.com...]
8:48 pm on Dec 8, 2010 (gmt 0)

Senior Member

joined:Dec 29, 2003
votes: 0

MasterCard should reimburse merchants but I doubt they will. It was a corp decision to cut off WikiLeaks so they should pay, not the merchants during their busiest week of the year.
4:26 pm on Dec 9, 2010 (gmt 0)

New User

5+ Year Member

joined:July 1, 2008
posts: 29
votes: 0

MasterCard state on their front page (the message was released on the 8th Dec) [mastercard.com]:
"MasterCard has made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."

The reason for this wording seems to be that certain members of 'Anonymous' had an idea for a follow-on attack - spreading false rumours of a data breach happening at the same time as the DDoS attack [latimesblogs.latimes.com...]:

"Operation: Payback [the DDoS attack] is being followed by Operation Bank-Troll -- an online effort to spread a rumor through e-mail, Twitter, Facebook and other social media websites that MasterCard has been hacked and credit-card numbers have been leaked.

On Twitter, some messages claiming that MasterCard numbers had been leaked included links to a PasteBin.com, a file sharing website where hundreds of numbers and dates were posted -- numbers MasterCard says are fake."
12:55 pm on Dec 10, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 23, 2005
posts: 1076
votes: 0

I read an article today that said that it was the corporate site that was targeted, NOT payments, that Anonymous deliberately focused on the corporate sites--of Paypal, Mastercard, and whatnot--not the payment acceptance systems. So it's all a tempest in a teakettle.
2:15 pm on Dec 10, 2010 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 13, 2003
posts: 1029
votes: 0

I got an email from a payment provider to state disruption to payments was happening.

It only affected Mastercard payments where SecureCode was set up on the card. Other Mastercard transactions were going through as normal.
3:16 pm on Dec 10, 2010 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
votes: 1

The chances of success could be boosted by a new version of LOIC written in web programming language Javascript that allows anyone with a browser, including on a mobile phone, to launch attacks.

5:13 pm on Dec 10, 2010 (gmt 0)

New User

5+ Year Member

joined:July 1, 2008
posts: 29
votes: 0

HRoth wrote:
"I read an article today that said that it was the corporate site that was targeted, NOT payments"

As I wrote in another thread [webmasterworld.com] on 8th Dec:
...we can expect a lot of breathless misunderstandings from the worldwide press in the coming hours, not understanding that 3D Secure is an additional authentication layer on top of the card-not-present authorisation system for credit cards.

Problem is, there are a number of debit cards issued that will only work if SecureCode (3D Secure) is working and available.

As part of the DDoS attack the MasterCard SecureCode Directory Server was affected and as a result merchants worldwide were not able to perform SecureCode authentication on MasterCard transactions.

This had two main side effects:

i) Online sales using Maestro (a leading debit card brand in Europe, especially important in the UK) were not possible during the time the SecureCode server was unavailable, thus affecting sales to British customers, in particular, wanting to pay that way.

This is because since July 2007 it has been mandatory to attempt SecureCode (3-D Secure) authentication when processing a Maestro debit card online.

ii) While in general online merchants processing (non-Maestro) MasterCard credit or debit cards in all countries *could* get authorisations as usual through their acquirers, there is the issue of downgraded transactions.

Specifically, will acquiring banks charge merchants a downgraded rate for MasterCard transactions where the merchant was enrolled for SecureCode, but unable to attempt payer authentication, because the SecureCode Authentication Server was unavailable?

Although less commonly understood in Europe, the use of SecureCode generally attracts interchange relief, i.e. a reduced processing rate.

MasterCard has encouraged use of SecureCode authentication in general by making merchants eligible for a reduction in the range of 22-59 basis points (i.e. 0.22-0.59% off your processing cost) on MasterCard transactions processed with the UCAF (Universal Cardholder Authentication Field) field included.

The reduction depends on the MasterCard type and whether the cardholder has enrolled the card in the SecureCode system.

So given all that is going on, it is not unreasonable to expect that SecureCode might be attacked again.

Therefore it might be appropriate for online merchants to ask for a specific policy from their acquiring bank about this.

If you have done so (either as a MasterCard merchant based in the UK, or in the US, or elsewhere) I am sure the general response from each acquiring bank would be read with interest by many online merchants and retailers that read here at WebmasterWorld.
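
The two side effects described in the post above can be measured from a merchant's own transaction log. The following is an added example, not part of the original thread: the log format, the outage window and the function names are assumptions, and the only figures taken from the post are the 22-59 basis point relief range and the rule that Maestro requires a SecureCode attempt.

```python
from datetime import datetime

# From the post: SecureCode relief of 22-59 basis points on MasterCard.
RELIEF_BPS = (22, 59)

# Constructed sample log (not real data): timestamp (GMT), card brand,
# amount in minor units, and the merchant account's SecureCode enrolment.
SAMPLE_LOG = """\
2010-12-08T13:05:00 maestro 4599 enrolled
2010-12-08T15:10:00 maestro 12000 enrolled
2010-12-08T15:42:00 mastercard 25000 enrolled
2010-12-08T16:20:00 mastercard 8000 not_enrolled
2010-12-08T17:01:00 visa 30000 enrolled
2010-12-08T17:30:00 mastercard 60000 enrolled
2010-12-08T21:15:00 mastercard 9900 enrolled
"""

# Hypothetical outage window for the demo; the thread gives no exact times.
WINDOW = (datetime(2010, 12, 8, 15, 0), datetime(2010, 12, 8, 19, 0))


def classify(brand, enrolled, in_outage):
    """Outcome of one card-not-present sale, per side effects (i) and (ii)."""
    if not in_outage or brand not in ("maestro", "mastercard"):
        return "normal"
    if brand == "maestro":
        return "blocked"  # SecureCode attempt is mandatory for Maestro
    # Authorised without UCAF data: relief is at risk only if enrolled.
    return "downgrade_risk" if enrolled else "normal"


def outage_exposure(log_text, start, end):
    """Blocked sales and the range of interchange relief at risk."""
    blocked = at_risk = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, brand, amount, enrol = line.split()
        in_outage = start <= datetime.fromisoformat(ts) <= end
        outcome = classify(brand, enrol == "enrolled", in_outage)
        if outcome == "blocked":
            blocked += int(amount)
        elif outcome == "downgrade_risk":
            at_risk += int(amount)
    low, high = (at_risk * bps / 10_000 for bps in RELIEF_BPS)
    return {"blocked_sales": blocked, "at_risk_volume": at_risk,
            "relief_lost_min": low, "relief_lost_max": high}


if __name__ == "__main__":
    print(outage_exposure(SAMPLE_LOG, *WINDOW))
```

The relief figures are an upper bound on exposure: whether an acquirer actually applies the downgraded rate is the open question the post raises.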