Posted on December 9, 2010 - by Venik
Network attacks against PayPal are effective
Last week PayPal closed Wikileaks’ charitable donations account, freezing nearly eighty thousand dollars in funds (including my humble contribution). On December 8 PayPal came under a moderate DDoS attack from supporters of Wikileaks. PayPal’s PR department tried to put a brave face on the situation:
“A PayPal spokesman told the Guardian that while a site called ThePayPalBlog.com had been successfully silenced for a few hours, attempts to crash its online payment facilities had been unsuccessful.”
(“WikiLeaks supporters disrupt Visa and MasterCard sites in ‘Operation Payback’”, by Josh Halliday, Esther Addley, The Guardian, Dec. 8, 2010)
In reality, however, PayPal services were significantly degraded throughout the day, causing the company to release Wikileaks’ funds and to issue this explanation of its actions:
A statement from PayPal’s general counsel, John Muller, sought to “set the record straight”. He said that the company was required to comply with laws around the world and that the WikiLeaks account was reviewed after “the US department of state publicised a letter to WikiLeaks on November 27, stating that WikiLeaks may be in possession of documents that were provided in violation of US law. PayPal was not contacted by any government organisation in the US or abroad. We restricted the account based on our Acceptable Use Policy review. Ultimately, our difficult decision was based on a belief that the WikiLeaks website was encouraging sources to release classified material, which is likely a violation of law by the source.
“While the account will remain restricted, PayPal will release all remaining funds in the account to the foundation that was raising funds for WikiLeaks. We understand that PayPal’s decision has become part of a broader story involving political, legal and free speech debates surrounding WikiLeaks’ activities. None of these concerns factored into our decision. Our only consideration was whether or not the account associated with WikiLeaks violated our Acceptable Use Policy and regulations required of us as a global payment company. Our actions in this matter are consistent with any account found to be in violation of our policies.”
(“WikiLeaks supporters disrupt Visa and MasterCard sites in ‘Operation Payback’”, by Josh Halliday, Esther Addley, The Guardian, Dec. 8, 2010)
PayPal went one step further and admitted that its decision to suspend Wikileaks’ account was due to pressure from the US government.
“PayPal today admitted it suspended payments to WikiLeaks after an intervention from the US State Department.
The site’s vice-president of platform, Osama Bedier, told an internet conference the site had decided to freeze WikiLeaks’s account on 4 December after government representatives said it was engaged in illegal activity.
“State Dept told us these were illegal activities. It was straightforward,” he told the LeWeb conference in Paris, adding: “We … comply with regulations around the world, making sure that we protect our brand.”
PayPal is the first major corporation to admit that its decision to suspend dealings with WikiLeaks was a result of US government pressure.”
(“PayPal admits US pressure over WikiLeaks account freeze”, by Esther Addley, The Guardian, Dec. 8, 2010)
PayPal is backpedaling, and there is good reason for that. While PayPal’s financial services remained reachable throughout the day, their performance was well below normal. Prolonged, intermittent degradation of service can cost as much revenue as a complete but relatively brief outage: a checkout that times out or fails halfway is a payment that did not happen, whether or not the site counted as “up” at that moment. Intermittent degradation is also easier for an attacker to sustain and harder for the operator to troubleshoot than a full outage, because any single probe of the service may succeed while the aggregate error rate and latency stay unacceptable. So PayPal’s PR representative was not lying when he said the attacks failed to crash PayPal’s services; they degraded them significantly instead, and that is just as bad, or worse.
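To make that point concrete, here is an added illustration of my own (not code or data from the original post, and not PayPal measurements): a constructed day of payment traffic with a two-hour hard outage is compared against a day with sixteen hours of intermittent degradation. The traffic volumes, success rates and latencies are invented for the example; a simple liveness probe (the kind of check behind “the site is up”) only notices the first case, while a success-rate and latency check over a trailing window notices both.

```python
"""Added illustration: a two-hour hard outage versus a day of intermittent
degradation. All traffic numbers are constructed for this example; they are
not PayPal measurements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Minute:
    attempts: int          # payment attempts offered during this minute
    success_rate: float    # fraction of attempts that completed
    p95_latency_ms: float  # 95th-percentile response time for the minute


BASELINE_ATTEMPTS = 1000                       # constructed steady load
NORMAL = Minute(BASELINE_ATTEMPTS, 0.999, 400.0)  # constructed healthy minute


def full_outage_day(start=600, length=120):
    """A hard outage: for `length` minutes nothing completes at all."""
    return [Minute(BASELINE_ATTEMPTS, 0.0, float("inf"))
            if start <= m < start + length else NORMAL
            for m in range(1440)]


def degraded_day(start=480, block=5, bad_success=0.75, bad_p95_ms=6000.0):
    """Intermittent degradation: from `start` until midnight, alternate
    `block`-minute spans of slow, partly failing service with `block`-minute
    spans of normal service. The site answers in every minute, so a plain
    liveness check never sees it as 'down'."""
    bad = Minute(BASELINE_ATTEMPTS, bad_success, bad_p95_ms)
    return [bad if m >= start and ((m - start) // block) % 2 == 0 else NORMAL
            for m in range(1440)]


def failed(m: Minute) -> int:
    """Attempts in this minute that did not complete."""
    return m.attempts - round(m.attempts * m.success_rate)


def lost_transactions(day) -> int:
    """Payments that never completed: the revenue-relevant number."""
    return sum(failed(m) for m in day)


def liveness_alerts(day):
    """An up/down probe: alert only for minutes in which nothing completed."""
    return [i for i, m in enumerate(day) if m.success_rate == 0.0]


def slo_alerts(day, window=5, min_success=0.99, max_p95_ms=2000.0):
    """Alert when the trailing `window` of minutes breaches either the
    success-rate or the latency objective (thresholds are assumptions)."""
    alerts = []
    for i in range(window - 1, len(day)):
        win = day[i - window + 1:i + 1]
        attempts = sum(m.attempts for m in win)
        ok = attempts - sum(failed(m) for m in win)
        worst_p95 = max(m.p95_latency_ms for m in win)
        if ok / attempts < min_success or worst_p95 > max_p95_ms:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    for name, day in (("2h hard outage", full_outage_day()),
                      ("16h intermittent degradation", degraded_day())):
        print(f"{name}: lost={lost_transactions(day)}, "
              f"liveness alerts={len(liveness_alerts(day))}, "
              f"SLO alerts={len(slo_alerts(day))}")
```

Both constructed days lose roughly the same number of payments, yet the liveness probe reports the outage day as two hours of downtime and the degraded day as fully up. Only the check that looks at aggregate success rate and latency over a window sees the second case, which is why an operator who monitors availability alone can truthfully say “we never went down” while losing as much as an outage would have cost.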
PayPal is particularly exposed to DDoS attacks because its infrastructure is optimized primarily for speed and security rather than for redundancy or spare capacity. Thus, when on November 4, 2010 a single network hardware component failed at eBay’s new datacenter in South Jordan, Utah, PayPal services suffered a complete outage of nearly two hours. eBay shifted all traffic to its older datacenter in Denver, which could not handle the full load: a failover site only helps if it is sized to carry everything the primary was carrying. This came only months after eBay, in May 2010, had advertised the new datacenter as “the most efficient” and “fault-tolerant”. No hackers were involved in that incident; overconfident eBay did it to itself.
Both Visa and MasterCard also experienced intermittent outages throughout the day, with MasterCard down for longer than Visa. Both companies suffered a more significant setback when Wikileaks released a US embassy cable revealing how the US government lobbied Russia on behalf of Visa and MasterCard. Russia is planning to pass a new law that could deprive Visa and MasterCard of about $4 billion in annual revenue and effectively close the Russian market to the two companies.
“The cable, dated 1 February 2010, states that the Obama administration took up the companies’ cause with senior Russian government officials. Earlier this year Moscow unveiled plans to create a new National Payment Card System (NPCS) that would collect all credit card fees on domestic transactions – depriving Visa and MasterCard of revenue.
A consortium of state-owned Russian banks would administer the system and collect processing fees “estimated at $4bn (£2.53bn) a year”, the cable claims. Additionally, sending payment data abroad would be forbidden under the law going through Russia’s rubberstamp lower house of parliament – another potential blow to the US credit card companies.”
(“WikiLeaks cables: US ‘lobbied Russia on behalf of Visa and MasterCard’“, by Luke Harding, Tom Parfitt, The Guardian, Dec. 8, 2010)
Earlier this week Russian media reported that the planned law has been rewritten to protect the interests of Visa and MasterCard. However, with the revelation of the US government’s involvement in that rewrite, the new law is likely to encounter broad political opposition. In the end I do not think Visa and MasterCard will be driven out of Russia, but they will lose significant market share and the possibility of future expansion.