How Vulnerable Is the U.S. Payments System to a Nation-State Attack?

Editor at Large

There's a fresh undercurrent of worry among security experts that the U.S. payments infrastructure is a prime target for nation-state attackers.

The payments network is an alluring target because while an attack on it could wreak a lot of havoc, it wouldn't necessarily trigger a military response from the U.S. government. It wouldn't be considered as threatening as an attack on our electric or communications grids, for instance. And the network itself is fragmented, with widely varying levels of security at each point.

"If Russian attackers hacked it, our payments network would go down like that," said one payments security expert, snapping his fingers.

Alex Jimenez, a digital banking and payments consultant based in Providence, R.I., agreed that the network is vulnerable to nation-state attacks.

"Who's to say it's not already happening?" he said. "The merchants don't really care because outside the PR risk, the risk is owned by the banks. And the banks don't want to work together. So it's entirely a big mess that could easily be attacked."

Part of the problem, Jimenez said, is that people don't think of the payments system as a critical network.

"We worry about air traffic, we worry about drinking water, we worry about the electric grid," he said. "There's nobody worrying about the payments networks."

The vulnerability of the overall financial system to sophisticated attacks is a longstanding concern, noted Gary McAlum, chief security officer at USAA in San Antonio, Tex.

"It has long been a general concern among others, like power generation facilities and other components of critical infrastructure," he said.

The payments ecosystem is very complex, very federated and it looks a lot like a subset of the Internet, McAlum said. "Who's in charge of security on the Internet? The answer is: no one," he said.

"There's no cybercop out there controlling the financial system, looking for threats. What it really depends on is a neighborhood watch model – 'if you see something, say something.' But in terms of the interconnection points, whether it's card payments systems, global money movement, or ACH, there's nobody specifically tasked or given the authority or responsibility to monitor those transaction points."

Aging, Fragmented Network

One reason the U.S. payments infrastructure is vulnerable is its fragmented nature – often compared to a "spaghetti bowl." There are 15 automated clearing house networks; four major credit card networks; the Federal Reserve, which clears and settles paper and electronic checks; the large processors that process debit and credit card transactions (First Data, TSYS, et al.); the banks themselves, which each have their own payment systems; and retailers that accept payments at their point-of-sale terminals.

"As an industry, we're very siloed," Jimenez noted. "There are the people looking at credit cards, debit cards, ACH, wires. Each network is a silo and there aren't many that are looking across for risk management. We don't do it at a specific bank. We could do it industrywide." The vendors and payment processors are siloed as well, he said. There's no one point of visibility into incoming threats. 

But fragmentation can be an advantage as well.

"You have multiple targets, and if you lose access or have issues with one payments system we have redundancy," said Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research. "It's not as though you could target one system and we couldn't render payments in a comparable way."

The older technology in some cogs of the payments infrastructure is also an advantage, he said. 

"These systems are not publicly accessible and they're very much legacy," Pascual said. "You'd have to have intimate knowledge of the platforms on which these systems are built" to infiltrate them. How many hooded young hackers know COBOL or the AS/400?

Hence, "as far as the whole catastrophic idea of taking down the system, I'm not alarmed," Pascual said. "I do think we have problems. We have breaches. We have the potential for individual organizations that accept payments to be brought to a standstill." But "a nationwide disruption in payments is extremely unlikely."  

Nation-State Exploits

Russia and China are the two countries most capable of attacking the U.S. payments network.

Russia has "a lot of Cold War stealth that they transferred into code," said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, a Washington-based forum of federal agency executives, legislative community members and industry leaders focused on solving critical infrastructure problems.

Its hackers tend to be so precise they can often launch successful cyberattacks with just a few emails, said Scott, who recently co-authored a report entitled "Know Your Enemies 2.0: The Encyclopedia of the Most Prominent Hacktivists, Nation State and Mercenary Hackers."

Comments (1)
Excellent article except for the asinine comment "The merchants don't really care because outside the PR risk, the risk is owned by the banks---"
Obviously, this commenter is entirely unaware that merchants historically have been responsible for a substantial portion of fraud costs, or he is simply pandering to his clients.
Posted by mark.horwedel | Tuesday, February 09 2016 at 3:30PM ET