The holiday season means many things in the U.S., including the blast of consumer spending that provides our economy a critical financial shot in the arm to close out the fiscal year.
Starting at Midnight on Thanksgiving, and running from Black Friday through Cyber Monday, there are more credit card transactions than any other 5-day period in the year. The economic health of the nation is directly affected by, and reflected in, this annual spending spree. Many small companies exist primarily on this annual engorgement event.
Imagine a Few Days without Credit Cards
Imagine how our economy, let alone our individual lives, would be impacted if, for that 5-day period, no one could use their credit cards? We are the world’s consummate consumers. Our purchase on plastic fuels a good part of the global economy. The impact of our inability to buy would be immediately and globally significant.
There's always cash, you say. Not so fast, unless you want to trigger a run on local banks. The on-hand supply of legal tender would be gone in hours, leaving an angry mob wondering if the Grinch really did steal Christmas.
We'd certainly survive, but it would amount to a national crisis with repercussions far into the future. Cyberfud? Maybe not.
IoT & Mirai botnets, RAT, and North Korea
A potentially significant line of threat intelligence within the last week has put many security professionals on edge. The current threats being discussed concern:
- Possible staging of an IoT botnet to run Distributed Denial of Service (DDoS) attacks against payment processors
- Identification of a Remote Access Trojan (RAT) and associated Command and Control (C2) network operated by suspected North Korean-connected actors; for more information, see the Hidden Cobra US-Cert Alert TA17-318A.
Other less concrete but useful indicators have heightened concerns such as key government leaders abruptly canceling regularly scheduled briefings and the US-CERT and FBI jointly warning of the potential for cyberwar to break out against North Korea.
Retail Payment Processing—the Cyber Warfare Bullseye
If I were sitting in Pyongyang, Tehran, or any of a host of countries antagonistic to the U.S. and planning a cyberwarfare strategy, the goal would be to do the most damage with the lowest possible cost and risk. Any direct attack against our military or our critical infrastructure would most certainly escalate into a full-scale military conflict. A far easier mechanism to reach that end goal would be to attack the U.S. economy and affect the psyche of the citizenry.
It may not take an elite group of well-funded cyber warriors running a highly coordinated set of complex attacks and intrusions into the heart of the payment processing network to cause an outage; it may just take a botnet like Mirai to take out the ability for the relatively small number of highly-targeted payment processors to intake transactions. Or worse, if a targeted attack using a payload such as Industroyer was able to disrupt critical systems to the point of requiring replacement, it would produce a long outage. Empirically we know that those events can be false-flagged as a ransomware attack by organized crime.
How to Prepare for the Worst
There are constant, high-level threats against the payment card ecosystem of merchants, processors, banks, and platforms, but an orchestrated attack by a nation-state against these systems during this absolutely critical 5-day window has the potential to inflict great damage, both financially and psychologically, on our nation.
So, what can you do?
As a merchant, you can use tried and true business continuity practices to ensure that you can stay operational during an outage. If this scenario is not already a part of your business continuity and disaster recovery planning, add it to the plan and, for the current holiday season, conduct a quick analysis of your incident response plan to mitigate an outage such as this. Apply standard preventive controls, but make sure you monitor your network and have a response plan. Backups will turn out to be the greatest thing ever.
As a citizen, it is always a good practice to keep cash on hand for emergency purposes. Having lived through the 1971 San Fernando, the 1987 Whittier Narrows, and the 1994 Northridge earthquakes, I can personally attest to how important an on-hand supply of cash can be for any emergency, not just a disruption of credit card processors.
At the state and local government level, you may want to practice an emergency management response for such a scenario if you haven’t already. Just sayin’.
