PayPal Tries Cloud Cover to Fend Off Further Attacks

PayPal Inc. weathered last month's Internet attacks better than most of its rivals, but it still has been more outspoken than anyone else about its need for improvement.

To that end, PayPal is expanding its use of cloud computing.

"We have a lot of defenses in place. When this happened, we put additional defenses in, in a very fast manner," said Anuj Nayar, a PayPal spokesman. "Major cloud providers have incredible amounts of bandwidth."

In early December, PayPal, along with some other payment brands, stopped handling payments for WikiLeaks after the organization published secret government communications. In doing so, the eBay Inc. unit faced the wrath of WikiLeaks' online supporters; a group of hackers claimed credit for subsequent denial-of-service attacks that it said were retaliation. Such attacks aim to shut down company websites (and any services connected to the websites) by overwhelming servers with more Internet traffic than they were designed to handle.

The offensive blocked access to the websites of Visa Inc. and MasterCard Inc. and disrupted use of MasterCard's SecureCode payment verification system.

But PayPal, also targeted, emerged virtually unscathed.

"We always maintain excess headroom to handle a spike on a normal day. For instance, we see pretty big spikes in our volume when the U.S. wakes up," Nayar said.

Cloud-computing providers allow payments companies and others to switch on the capacity to absorb the massive amount of traffic being directed by hackers.

In this manner, computer systems behave much like conventional telephones. If a company has two lines and both of them are ringing, a third person can't get through. Cloud-computing companies, which do not store any of the payment network or bank's customer information, provide more lines. They can also filter out the bad calls rather than let them tie up your phone.

WikiLeaks itself relied on cloud-computing services from Amazon.com Inc., and this service was cut off around the time the payments providers cut off their own services to WikiLeaks. However, companies like PayPal say the cloud can be helpful during an online attack — the digital equivalent of calling in the cavalry.

"They have become targets," said Andy Ellis, chief security architect at Akamai Technologies Inc., a cloud-computing company in Cambridge, Mass. "If you are somebody who is big in the consumer space … [you] are worried about consumers saying: 'Wow, they were down when I tried to go pay my mortgage. Can I trust them?' "

Ellis would not say whether Akamai works with PayPal.

Experts say there are many reasons PayPal withstood attacks that Visa and MasterCard could not.

"PayPal has a lot more experience in dealing with" denial-of-service attacks, said Gunter Ollmann, vice president for research at the computer security firm Damballa.

PayPal's focus on attracting and serving customers online has given the San Jose, Calif., company a sense of urgency in protecting its website that its rivals do not have, since card payments generally do not pass through the card brands' own websites.

"Visa and MasterCard have had more of a B-to-B and business processing type of experience," Ollmann said. "That makes it easier for an attacker to coordinate their attacks and bring an overbearing amount of traffic on a smaller subset of targeted systems."

Nayar said PayPal has a team of thousands of employees dedicated to keeping PayPal's website and payment network up and running.

MasterCard is continuing to "upgrade" its defenses against hackers, a spokesman said by e-mail. He would not provide details.

A Visa spokesman would not discuss how the company would handle hackers in the future.

Experts said there has been more interest from banks and payment providers in cloud computing, driven by concern over their reputations as well as their customers' ability to make payments online.

MasterCard and PayPal said they are cooperating with law enforcement agents to track down the perpetrators of the December attacks.

While cloud computing providers don't help track down the bad guys, a chief function of a cloud-computing provider is to alert clients when they are under attack. Most of the time, an Akamai spokesman said, those clients would have no way to tell without the aid of cloud computing.

The Federal Bureau of Investigation has raided a Dallas server farm that housed computers used to launch the December hack attacks, according to an affidavit posted in December by the news site TheSmokingGun.com.

The FBI consulted the payment companies' records of the Internet Protocol addresses used in the online attacks and tracked them to the Texas facility, Tailor Made Servers, the document said. Server farms rent out capacity much like cloud providers do; Tailor Made is not necessarily a suspect in the investigation.

In this manner law enforcement agents can "follow the breadcrumb trail back to the botnet operator," Ollmann said.
