There's a fresh undercurrent of worry among security experts that the U.S. payments infrastructure is a prime target for nation-state attackers.
The payments network is an alluring target because while an attack on it could wreak a lot of havoc, it wouldn't necessarily trigger a military response from the U.S. government. It wouldn't be considered as threatening as an attack on our electric or communications grids, for instance. And the network itself is fragmented, with widely varying levels of security at each point.
"If Russian attackers hacked it, our payments network would go down like that," said one payments security expert, snapping his fingers.
Alex Jimenez, a digital banking and payments consultant based in Providence, R.I., agreed that the network is vulnerable to nation-state attacks.
"Who's to say it's not already happening?" he said. "The merchants don't really care because outside the PR risk, the risk is owned by the banks. And the banks don't want to work together. So it's entirely a big mess that could easily be attacked."
Part of the problem, Jimenez said, is that people don't think of the payments system as a critical network.
"We worry about air traffic, we worry about drinking water, we worry about the electric grid," he said. "There's nobody worrying about the payments networks."
The vulnerability of the overall financial system to sophisticated attacks is a longstanding concern, noted Gary McAlum, chief security officer at USAA in San Antonio, Tex.
"It has long been a general concern among others, like power generation facilities and other components of critical infrastructure," he said.
The payments ecosystem is very complex, very federated and it looks a lot like a subset of the Internet, McAlum said. "Who's in charge of security on the Internet? The answer is: no one," he said.
"There's no cybercop out there controlling the financial system, looking for threats. What it really depends on is a neighborhood watch model – 'if you see something, say something.' But in terms of the interconnection points, whether it's card payments systems, global money movement, or ACH, there's nobody specifically tasked or given the authority or responsibility to monitor those transaction points."
Aging, Fragmented Network
One reason the U.S. payments infrastructure is vulnerable is its fragmented nature – often compared to a "spaghetti bowl." There are 15 automated clearing house networks; four major credit card networks; the Federal Reserve, which clears and settles paper and electronic checks; the large processors that handle debit and credit card transactions (First Data, TSYS, et al.); the banks themselves, each with its own payment systems; and retailers that accept payments at their point-of-sale terminals.
"As an industry, we're very siloed," Jimenez noted. "There are the people looking at credit cards, debit cards, ACH, wires. Each network is a silo and there aren't many that are looking across for risk management. We don't do it at a specific bank. We could do it industrywide." The vendors and payment processors are siloed as well, he said. There's no one point of visibility into incoming threats.
But fragmentation can be an advantage as well.
"You have multiple targets, and if you lose access or have issues with one payments system we have redundancy," said Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy & Research. "It's not as though you could target one system and we couldn't render payments in a comparable way."
The older technology in some cogs of the payments infrastructure is also an advantage, he said.
"These systems are not publicly accessible and they're very much legacy," Pascual said. "You'd have to have intimate knowledge of the platforms on which these systems are built" to infiltrate them. How many hooded young hackers know COBOL or the AS/400?
Hence, "as far as the whole catastrophic idea of taking down the system, I'm not alarmed," Pascual said. "I do think we have problems. We have breaches. We have the potential for individual organizations that accept payments to be brought to a standstill." But "a nationwide disruption in payments is extremely unlikely."
Russia and China are the two countries most capable of attacking the U.S. payments network.
Russia has "a lot of Cold War stealth that they transferred into code," said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology, a Washington-based forum of federal agency executives, legislative community members and industry leaders focused on solving critical infrastructure problems.
Its hackers tend to be so precise that they can often launch successful cyberattacks with just a few emails, said Scott, who recently co-authored a report entitled "Know Your Enemies 2.0: The Encyclopedia of the Most Prominent Hacktivists, Nation State and Mercenary Hackers."
"They'll do enough social engineering research, where they can do tailored whale phishing [phishing attacks aimed at senior executives or wealthy people] as opposed to spear phishing, emails that are so precise and so right on that they only have to send three and they can infect a network," Scott said.
China's hackers are less sophisticated, but there are more of them, Scott said. "What they're doing is almost like digital smash and grab. They're hacking into a ton of systems at once using zero-days [vulnerabilities that are unknown to the vendor and for which no patch yet exists] from, for example, the Elderwood platform, that exploits vulnerabilities in very common applications like Internet Explorer and everything that Microsoft puts out." (Elderwood is a hacking platform whose attack code takes advantage of software vulnerabilities in commonly used programs.) They tend to start with spear phishing and spam.
"What China lacks in technological capacity and sophistication, they make up by sheer volume of attack attempts," he said.
Still, Scott doesn't see either Russia or China going after U.S. payment systems.
"It's too easy to go after our dams," he said. "If they wanted to do something catastrophic, they can go after dams, car hacking, air traffic control. That's where the scary stuff is."
He does see the financial sector as a whole as a target. "I think we're such an easy target in so many other ways because our entire country and economy is run off all kinds of technology," he said.
Who's Protecting Us?
The Treasury Department and Federal Reserve work on interagency cybersecurity committees and guidelines for banks and major infrastructure providers. But Jimenez says they are taking an overly granular approach.
"Regulators worry about individual banks and what control they have, what recovery methods, but they're really going bank to bank and they're not looking at the overall network," Jimenez said.
Banks and other participants in payment networks still have to defend their own networks and maintain state-of-the-art backup and disaster recovery, so that when the worst happens they can recover quickly.
Government agencies could take a proactive role here to help protect the payment network along with other critical infrastructure. A true national cybercop would not only warn of danger and set rules for cybersecurity, but track down the international bad actors and block them from attacking people and companies in the U.S. It would also help the payment networks get back up and running in the wake of an attack.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.