Payments companies haven't seen any significant uptick in cyberattacks since Russia's invasion of Ukraine increased threats, but security analysts say the industry is an attractive target and should be on high alert.
Russian hackers tend to focus on attacking sensitive and economically important networks, like payment networks, given their high public profile. Attacking payments companies also offers plenty of targets, such as card networks, processors and gateways.
Ralph Dangelmaier, the CEO of Waltham, Massachusetts-based business-to-business payments service provider BlueSnap, said his company is abiding by the international sanctions, which has reduced e-commerce with the affected regions, but his company hasn't been impacted by increased cyberattacks.
"We're ready," Dangelmaier said in an interview this week, regarding any possible cyber incursions. "This is a payments company. This stuff happens all the time. We get tagged 100 times a day."
He suspected that other companies might be more vulnerable to such attacks. "We're really well defended for this stuff," said Dangelmaier, whose company caters to merchants and vendors to facilitate their e-commerce. "We haven't seen any uptick in the attacks, personally. I think what they're doing is they're probably attacking weaker types of businesses, municipalities and schools."
Hackers 'punch back' at West
Cliff Gray, a senior associate with industry consulting firm Strawhecker Group, echoed those sentiments, saying payments companies were already a big target for hackers. But now, partly because the West is attacking Russia's regional economy through financial sanctions, hackers in that Russian region "want to punch back at similar targets" in the U.S., he said in an interview.
For payment networks and multinational corporations like Visa and Mastercard, the danger posed by hackers is real. U.K.-based payroll provider Parasol and Indonesia’s central bank were targeted in recent years by hackers. The outage at Parasol in January delayed payments to thousands of contractors. Indonesia was attacked by ransomware in January, though its public services were not affected.
And they're rich targets. According to industry research firm The Nilson Report, Visa, Mastercard, American Express and Discover credit, debit and prepaid cards generated a combined $6.164 trillion in U.S. purchase volume in the first nine months of 2021. Consultancy EY estimates that global cross-border payment flows are expected to reach $1 trillion in 2022.
The Ukrainian war poses unique challenges to processors, according to Dror Liwer, co-founder and chief marketing officer of Coro, a security software company with offices in the U.S. and Israel. "The West is shutting down payments in Russia and Russia is trying to retaliate by hurting European and American payments companies," Liwer said.
Professor Branden R. Williams of the University of Dallas said the assault could be a little less direct. "I doubt that payment processors would be directly targeted outside of normal criminal activity, however, the payments going through those processors could absolutely end up causing financial harm through either chargeback risk or the inability to claw back funds sent," Williams said in an email. "The fraud I would expect to see here would be related to humanitarian-related scams, from fake funds that collect payments in various capacities."
Merchant trouble, too?
On the merchant side, the major trend is removing the sensitive data from merchants’ hands, so they don’t have to touch a primary account number (PAN), and instead only deal with a token, which is worthless if stolen. Tokenization is "super common, and growing," Gray said.
With merchants, "that’s far and away the biggest trend, as far as cybersecurity: Just don’t give them dangerous data in the first place," Gray said.
Payments processors and networks do have to deal with sensitive data, however. They employ obfuscation techniques and have multiple layers of both encryption and firewalls, "and they’re pretty good at this," Gray said.
More companies, however, should employ dual custodian procedures, similar in concept to two-factor authentication. "Two-factor would solve a lot of hacks, but the reality is, a lot of scenarios don’t employ two-factor because it’s inconvenient," Gray said. "Some of them do it, but they don’t do it enough, and a lot of them don’t do it at all," he added.
Recommendation: Be on high alert
Like legitimate business owners, hackers also innovate to maintain an edge over their competitors in the criminal world, said Dean Weber, a senior vice president at AlixPartners who specializes in cybersecurity. Whereas ransomware previously was an effort to extract money from targets, now those requests are weaponized with malware that jams systems, he said.
In light of that and cyber evolution generally, Weber and his AlixPartners colleague Beth Musumeci, global head of cybersecurity and data privacy, said they are telling their payments clients, among others, to be on high alert for cyberattacks, even if they aren't currently experiencing increased threats.
"We are telling our customers to be very aggressive in their cybersecurity practices," Musumeci said in commenting on the recent increase in threats.