PayPal, Braintree, Shopify and several other key fintech sites were knocked offline today, apparently as a result of a denial-of-service attack early this morning on Dyn, a managed DNS provider.
The attack knocked the sites down — we count at least a dozen key fintech sites affected — for several hours. Some, like Credit Karma, remain offline as of this writing, at 1:36 pm ET.
The attack seems to have been concentrated mostly on the East Coast of the United States, though European users of some of the key sites also reported problems in the original Hacker News thread announcing the attack.
Some tech experts said poor infrastructure design was at least partly to blame for the site failures. One Hacker News commenter wrote:
All this talk about redundancy, real-time apps, scalable architecture and a “simple” DDoS against DNS architecture brings half of the internet down. Honestly did nobody think about having a spare DNS at some other company? or even backup DNS server exactly for a situation like that?
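One concrete check for the single-provider dependency the commenter describes, as an added example that is not code from the article or from any of the companies it names: given a zone's NS record set and the addresses those nameservers resolve to, it reports whether every authoritative server sits with one provider or inside one network prefix. The hostnames, addresses and the short public-suffix list below are constructed assumptions for this example; in practice you would gather the records with dig or dnspython and use the full public suffix list.

```python
"""Flag zones whose authoritative DNS depends on a single provider or network.

Added example, not from the article. Inputs are constructed: an NS record
set as `dig NS <zone>` would return it, and the A/AAAA records of those
nameservers. Real tooling would fetch both and use the full public-suffix
list from publicsuffix.org; the list here is a deliberately tiny stand-in.
"""
from collections import defaultdict
import ipaddress

# Assumption: a minimal public-suffix list so provider extraction handles
# two-label suffixes such as co.uk. Extend or replace for real use.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the provider-identifying part of an NS hostname (e.g. ns1.dnsco.net -> dnsco.net)."""
    labels = hostname.rstrip(".").lower().split(".")
    for n in (2, 1):  # try the longer suffix first so co.uk beats uk
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def assess_ns_diversity(ns_hosts, ns_addresses, min_providers=2, min_prefixes=2):
    """Group nameservers by provider and by network prefix and list findings.

    ns_hosts:     NS hostnames for the zone.
    ns_addresses: mapping hostname -> list of IP strings (A/AAAA records).
    Prefixes are /24 for IPv4 and /48 for IPv6, a coarse proxy for
    'same network'; an ASN lookup would be the stronger check.
    """
    providers = defaultdict(list)
    prefixes = set()
    for host in ns_hosts:
        providers[registrable_domain(host)].append(host)
        for ip in ns_addresses.get(host, []):
            addr = ipaddress.ip_address(ip)
            plen = 24 if addr.version == 4 else 48
            prefixes.add(str(ipaddress.ip_network(f"{ip}/{plen}", strict=False)))

    findings = []
    if len(providers) < min_providers:
        findings.append(
            f"all {len(list(ns_hosts))} nameservers belong to one provider: "
            f"{next(iter(providers))}"
        )
    if len(prefixes) < min_prefixes:
        findings.append("all nameserver addresses sit in a single network prefix")
    return {
        "providers": dict(providers),
        "prefixes": sorted(prefixes),
        "findings": findings,
    }


# Constructed sample data (documentation-range addresses, example hostnames).
SINGLE_PROVIDER_NS = ["ns1.provider-a.example", "ns2.provider-a.example"]
MIXED_PROVIDER_NS = SINGLE_PROVIDER_NS + ["ns1.provider-b.example"]
SAMPLE_ADDRESSES = {
    "ns1.provider-a.example": ["198.51.100.10"],
    "ns2.provider-a.example": ["198.51.100.11"],
    "ns1.provider-b.example": ["203.0.113.5"],
}


def run_example():
    """Return the assessment for a single-provider zone and for a split zone."""
    return (
        assess_ns_diversity(SINGLE_PROVIDER_NS, SAMPLE_ADDRESSES),
        assess_ns_diversity(MIXED_PROVIDER_NS, SAMPLE_ADDRESSES),
    )


if __name__ == "__main__":
    for label, report in zip(("single provider", "two providers"), run_example()):
        print(label, "->", report["findings"] or "no findings")
```

The first report flags both a single provider and a single /24; adding one nameserver at a second provider and in a second prefix clears both findings. Splitting authority across providers only helps if both serve the zone continuously (a secondary fed by zone transfer, not a cold spare you would switch to by hand during an outage), and the zone's TTLs still bound how long resolvers keep cached answers once one provider disappears.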
Chris Pierson, Chief Security Officer at Viewpost, a secure-payments startup, said DDoS is becoming a more common attack method.
Pierson told Bank Innovation:
We have recently seen a change in attack vectors, as well. In one recent and notable attack, Internet of Things (IoT) devices, which were largely in insecure or security-disabled configurations, allowed attackers to use bandwidth/addresses from security cameras, light switches, and thermostats to attack targets.
The IoT angle was stressed today by Brian Krebs, a noted security blogger. Krebs wrote, “The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers.”
While Dyn reportedly restored service several hours after detecting the attack, the company said the DDoS attack may also have affected several other services it manages, and its engineers are still working on the issue.
Altogether at least nine big-name fintech sites were knocked out: Shopify, PayPal and Braintree (though not Venmo), Credit Karma, Shift Payments, Paymill, Lending Club, Kasasa, and Credit Sesame all experienced problems. E-commerce marketplace Etsy was also down, as were other top sites such as Twitter, Tumblr, and Airbnb.
Coming on the heels of recent breaches such as the Yahoo hack, this attack illustrates the need for all companies, and fintechs in particular, to stay on top of cybersecurity, especially as attackers grow more sophisticated. As Pierson told Bank Innovation, given that DDoS is a constantly evolving threat, companies need to continually adjust their risk-based threat programs and controls.
UPDATE: John Waupsh, chief innovation officer of Kasasa, let us know that Kasasa’s site was only temporarily unavailable to East Coast visitors, because of the nature of the attack on DNS provider Dyn. We should also stress that the sites mentioned above were not the direct targets of the DDoS, but were affected because they rely on Dyn for DNS.
Additionally, Shopify has confirmed that the “massive attack” did affect its site, but stressed that the situation had “nearly returned to normal.” PayPal also sought to reassure users, telling Bank Innovation that the attack:
…has prevented some of our customers from being able to pay with PayPal in certain regions. PayPal was not attacked directly, nor were any of our core services to business impacted in the disruption. We are sorry for the inconvenience, and remain committed to giving our customers around the world trusted and reliable ways to manage and move their money.