Commerce in a post-Wikileaks economy


You’ve likely seen the news that Visa, Mastercard, PayPal and others are under distributed denial of service (DDoS) attacks by folk who feel that WikiLeaks headman Julian Assange is being persecuted for distributing sensitive information he’d received from others.

Setting aside that entire espionage, sex-by-surprise, persecution, journalism and right to information thing, what’s left is the hacking attempts — coördinated attacks on key points of the infrastructure of commerce. This, as we are in the midst of the holiday buying season. A juicy target indeed.

What’s happening
The coördinated attacks seem to be having some small effect on commerce. According to one report:

MasterCard, calling the attack “a concentrated effort to flood our corporate website with traffic and slow access,” said all its services had been restored and that account data was not at risk.

But it said the attack, mounted by hackers using simple tools posted on the Web, had extended beyond its website to payment processing technology, leaving some customers unable to make online payments using MasterCard software.

How it’s done
By using freely available tools to target and coördinate these attacks, *anyone* can join in the action. Find the right IRC server, download the tools, and turn them on — poof, you’re a ‘hack-tivist’ and your computer (or computer network) is now part of a botnet:

The weapon of choice is a piece of software named a “Low Orbit Ion Cannon” (LOIC) which was developed to help Internet security experts test the vulnerability of a website to these assaults, the distributed denial of service attacks. The LOIC is readily and easily available for download on the Internet.

The LOIC can be controlled centrally by an administrator in an Internet Relay Chat (IRC) channel, a type of computer chat room; it can seize control of a network of computers and use their combined power in a DDoS attack. The attack is aimed at the target website and when the LOICs are activated they flood the website with a deluge of data requests at the same time.

The DDoS attack prevents the overloaded server from responding to legitimate requests and slows down the website to a crawl — or shuts it down totally. The attacks are coördinated in the IRC channel, and on Thursday, around 3,000 people were active on the Operation: Payback channel at one stage.

One side effect of all this is that the participants are also testing the limits of the commerce infrastructure for hackers and others whose intentions may not be so noble as preventing a perceived injustice.
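
From the defending site's side, the simultaneous flood described above shows up as a sudden jump in request volume spread across many sources. The sketch below is an added example, not part of the original post or of any tool it names; the sample events, window size and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

def make_sample_log():
    """Constructed sample of (epoch_second, client_ip) pairs, not real traffic."""
    events = []
    # Seconds 0-59: normal browsing, 5 clients, one request every 4 s each
    for t in range(0, 60, 4):
        for c in range(5):
            events.append((t, f"198.51.100.{c + 1}"))
    # Seconds 60-79: 40 clients each sending 10 requests per second
    for t in range(60, 80):
        for c in range(40):
            events.extend([(t, f"203.0.113.{c + 1}")] * 10)
    return events

def detect_flood(events, window=10, spike_factor=10, per_source_limit=50):
    """Flag time windows whose request volume dwarfs the median window.

    Returns one dict per flagged window: its start time, total requests,
    number of distinct sources, and the sources above per_source_limit.
    """
    per_window = defaultdict(Counter)
    for ts, ip in events:
        per_window[ts - ts % window][ip] += 1
    totals = {w: sum(c.values()) for w, c in per_window.items()}
    baseline = median(totals.values())  # assumes most windows are normal
    alerts = []
    for w in sorted(per_window):
        if totals[w] > spike_factor * baseline:
            noisy = sorted(ip for ip, n in per_window[w].items()
                           if n > per_source_limit)
            alerts.append({"window_start": w, "requests": totals[w],
                           "sources": len(per_window[w]),
                           "noisy_sources": noisy})
    return alerts

if __name__ == "__main__":
    for a in detect_flood(make_sample_log()):
        print(a["window_start"], a["requests"], a["sources"],
              len(a["noisy_sources"]))
```

The median baseline only works while attack windows are a minority of the data; in production the baseline would come from a known-good period instead.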

The impact
So what does this mean for retailers and customers in the next few weeks and months, and what does this mean for the future of online commerce?

  • Slow or blocked online commerce — if the servers are clogged, your online merchant may not be able to process your credit card or PayPal transaction, and can’t complete the sale
  • Increased attacks — depending on how this spate of incidents turns out, copy-cats will use the same techniques against new targets, or evolve their own methods and tools
  • Increased unease — new online consumers will have another reason to *not* shop online, preferring to continue shopping at brick and mortar shops as they’ll feel more secure
  • Increased security — essential to recover control of the commerce infrastructure and to demonstrate to consumers that online commerce works and is safe
  • Increased cost — better and tighter security isn’t free, so this ‘cost of doing business’ will be factored into the retail process, resulting in higher prices

The Genie is out of the bottle
Yep, the tools and techniques have been around for a while. It’s taken one event like this to catalyze a motivated and unconnected group of people around the world to participate in coördinated action. We will see more of this, maybe aimed at political institutions, national governments, or launched by environmental activists. Welcome to a new reality.