The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.

A DNS lookup on the domain az.mastercard.com on Jan. 14, 2025 shows the mistyped domain name a22-65.akam.ne.

From June 30, 2020 until January 14, 2025, one of the core Internet servers that MasterCard uses to direct traffic for portions of the mastercard.com network was misnamed. MasterCard.com relies on five shared Domain Name System (DNS) servers at the Internet infrastructure provider Akamai [DNS acts as a kind of Internet phone book, by translating website names to numeric Internet addresses that are easier for computers to manage].

All of the Akamai DNS server names that MasterCard uses are supposed to end in “akam.net,” but one of them was misconfigured to rely on the domain “akam.ne.”
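The check a defender would want here is a routine audit of NS delegations that flags name servers whose parent domain is not on the expected provider list but is within a character or two of one. The following is an added example, not code from the article or from Seralys; the zone names, the allowlist and the sample delegation are constructed, with the page's two typo domains (akam.ne and awsdns-06.ne) dropped in as the bad entries.

```python
from collections import namedtuple

# Constructed allowlist of provider name-server parent domains this
# organisation expects to delegate to (hypothetical; derive yours from the
# DNS provider's documentation).
EXPECTED_NS_PARENTS = {"akam.net", "awsdns-06.net", "cloudflare.com"}

# Constructed sample delegation modelled on the case described above:
# four name servers are correct, one ends in the typo domain "akam.ne".
SAMPLE_DELEGATIONS = {
    "az.example.com": [
        "a1-99.akam.net", "a7-66.akam.net", "a9-67.akam.net",
        "a11-66.akam.net", "a22-65.akam.ne",
    ],
    "shop.example.com": ["ns-1.awsdns-06.net", "ns-2.awsdns-06.ne"],
}

Finding = namedtuple("Finding", "zone ns_host parent closest_expected distance")


def parent_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'akam.ne' for 'a22-65.akam.ne'.
    Heuristic: no Public Suffix List, so hosts under suffixes like .co.uk
    would need a wider window."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a dropped trailing letter ('akam.ne') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_ns(delegations, expected=EXPECTED_NS_PARENTS, max_distance=2):
    """Flag NS hosts whose parent domain is off the allowlist yet within
    max_distance edits of an allowed one: the signature of a fat-fingered
    delegation that a stranger could register and answer for."""
    findings = []
    for zone, ns_hosts in delegations.items():
        for ns in ns_hosts:
            parent = parent_domain(ns)
            if parent in expected:
                continue
            closest = min(expected, key=lambda e: edit_distance(parent, e))
            dist = edit_distance(parent, closest)
            if dist <= max_distance:
                findings.append(Finding(zone, ns, parent, closest, dist))
    return findings
```

In a real audit, feed `audit_ns` the NS records pulled from each zone's parent (the delegation the world actually follows), not only the records your own authoritative server holds.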

This tiny but potentially critical typo was discovered recently by Philippe Caturegli, founder of the security consultancy Seralys. Caturegli said he guessed that nobody had yet registered the domain akam.ne, which is under the purview of the top-level domain authority for the West African nation of Niger.

Caturegli said it took $300 and nearly three months of waiting to secure the domain with the registry in Niger. After enabling a DNS server on akam.ne, he noticed hundreds of thousands of DNS requests hitting his server each day from locations around the globe. Apparently, MasterCard wasn’t the only organization that had fat-fingered a DNS entry to include “akam.ne,” but they were by far the largest.

Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains. If he’d abused his access, he probably could have obtained website encryption certificates (SSL/TLS certs) that were authorized to accept and relay web traffic for affected websites. He may even have been able to passively receive Microsoft Windows authentication credentials from employee computers at affected companies.

But the researcher said he didn’t attempt to do any of that. Instead, he alerted MasterCard that the domain was theirs if they wanted it, copying this author on his notifications. A few hours later, MasterCard acknowledged the mistake, but said there was never any real threat to the security of its operations.

“We have looked into the matter and there was not a risk to our systems,” a MasterCard spokesperson wrote. “This typo has now been corrected.”

Meanwhile, Caturegli received a request submitted through Bugcrowd, a program that offers financial rewards and recognition to security researchers who find flaws and work privately with the affected vendor to fix them. The message suggested his public disclosure of the MasterCard DNS error via a post on LinkedIn (after he’d secured the akam.ne domain) was not aligned with ethical security practices, and passed on a request from MasterCard to have the post removed.

MasterCard’s request to Caturegli, a.k.a. “Titon” on infosec.exchange.

Caturegli said while he does have an account on Bugcrowd, he has never submitted anything through the Bugcrowd program, and that he reported this issue directly to MasterCard.

“I did not disclose this issue through Bugcrowd,” Caturegli wrote in reply. “Before making any public disclosure, I ensured that the affected domain was registered to prevent exploitation, mitigating any risk to MasterCard or its customers. This action, which we took at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure.”

Most organizations have at least two authoritative domain name servers, but some handle so many DNS requests that they need to spread the load over additional DNS server domains. In MasterCard’s case, that number is five, so it stands to reason that if an attacker managed to seize control over just one of those domains they would only be able to see about one-fifth of the overall DNS requests coming in.

But Caturegli said the reality is that many Internet users are relying at least to some degree on public traffic forwarders or DNS resolvers like Cloudflare and Google.

“So all we need is for one of these resolvers to query our name server and cache the result,” Caturegli said. By serving DNS records with a long TTL or “Time To Live” — the field that tells a resolver how long it may keep an answer in its cache — an attacker’s poisoned instructions for the target domain can be propagated by large cloud providers well beyond the fraction of queries that reach the rogue server directly.

“With a long TTL, we may reroute a LOT more than just 1/5 of the traffic,” he said.

The researcher said he’d hoped that the credit card giant might thank him, or at least offer to cover the cost of buying the domain.

“We obviously disagree with this assessment,” Caturegli wrote in a follow-up post on LinkedIn regarding MasterCard’s public statement. “But we’ll let you judge — here are some of the DNS lookups we recorded before reporting the issue.”

Caturegli posted this screenshot of MasterCard domains that were potentially at risk from the misconfigured domain.

As the screenshot above shows, the misconfigured DNS server Caturegli found involved the MasterCard subdomain az.mastercard.com. It is not clear exactly how MasterCard uses this subdomain, but its naming convention suggests the domains correspond to production servers at Microsoft’s Azure cloud service. Caturegli said the domains all resolve to Internet addresses at Microsoft.

“Don’t be like Mastercard,” Caturegli concluded in his LinkedIn post. “Don’t dismiss risk, and don’t let your marketing team handle security disclosures.”

One final note: The domain akam.ne has been registered previously — in December 2016 by someone using the email address um-i-delo@yandex.ru. The Russian search giant Yandex reports this user account belongs to an “Ivan I.” from Moscow. Passive DNS records from DomainTools.com show that between 2016 and 2018 the domain was connected to an Internet server in Germany, and that the domain was left to expire in 2018.

This is interesting given a comment on Caturegli’s LinkedIn post from an ex-Cloudflare employee who linked to a report he co-authored on a similar typo domain apparently registered in 2017 for organizations that may have mistyped their AWS DNS server as “awsdns-06.ne” instead of “awsdns-06.net.” DomainTools reports that this typo domain also was registered to a Yandex user (playlotto@yandex.ru), and was hosted at the same German ISP — Team Internet (AS61969).

Surge in Passkey Security Adoption in 2024

Tech giants such as Google, Amazon, Microsoft, and Facebook are leading the charge in moving away from traditional passwords, embracing passkey security technology. As of 2024, passkey adoption has seen a significant increase. According to a recent survey by the FIDO Alliance, more than 15 billion online accounts now utilize passkey technology to secure user data against sophisticated cyberattacks. Google alone has seen its passkey adoption reach 800 million users this year, resulting in over 2.5 billion sign-ins in the past two years. Consumer awareness has been a major driver of this shift, with companies like Google and Apple actively promoting passkey solutions over the past eight months. Industry experts predict that this trend will accelerate further in 2025, potentially doubling adoption rates in the coming year.

Long-Lived Credentials Pose a Growing Risk to Cloud Companies

Long-lived credentials—those created by system administrators and left unchanged for extended periods—are emerging as a serious security threat for cloud service providers. According to Datadog’s State of Cloud Security 2024 report, these credentials, if compromised, could lead to significant breaches in major cloud platforms like AWS, Microsoft Azure, and Google Cloud. Experts are urging CIOs and CTOs to implement policies for the regular rotation and management of such credentials to prevent misuse. The failure to address this vulnerability could result in major security incidents affecting cloud-based services.

Mastercard Introduces Biometric Payment Passkey Service in Latin America

Mastercard has unveiled its new biometric Payment Passkey Service in Latin America, allowing users to authenticate online transactions using biometric data, such as fingerprints or facial recognition (ERIS). In partnership with Sympla and Yuno, Mastercard aims to streamline the payment process, eliminating the need for traditional passwords. This launch is part of the company’s broader goal to phase out password requirements entirely by 2030, providing a more secure and user-friendly alternative for digital payments.

Iran-Linked IOCONTROL Malware Targets US and Israeli Critical Infrastructure

A new cyber threat is emerging in the form of a custom malware known as IOCONTROL, allegedly developed by Iranian cyber operatives. According to research by Claroty’s Team82, the malware has been implanted into the operational technology (OT) of critical infrastructure in North America and Israel. The targets so far include water utilities and power plants, where the malware provides hackers with the ability to conduct surveillance and potentially disrupt operations. The cyberattack is attributed to an Iranian hacking group named CyberAv3ngers, which is reportedly expanding its efforts to infiltrate gas stations in the affected regions.

Massive Data Breach at California Hospital Network

PIH Health, a major healthcare provider in California, confirmed that hackers gained access to sensitive patient data after a ransomware attack on December 1, 2024, and its website has remained disrupted since. The breach affected over 17 million patient records across three hospitals—Downey Hospital, Good Samaritan Hospital, and Whittier Hospital. The attack caused significant disruption, including the postponement of surgeries and the rerouting of ambulances to other hospitals. While PIH Health has not yet verified the full extent of the stolen data, sources on Telegram suggest that a portion of the information is already being sold on the dark web.

MCX Engages EY to Investigate Ransomware Attack

MCX, a U.S.-based foreign exchange brokerage firm, has enlisted the services of EY (Ernst & Young) to investigate a ransomware attack that compromised its systems on December 9th, 2024. The attack, attributed to a hacking group specializing in ransomware, caused significant disruption to MCX’s operations. The company has confirmed that specialists from EY are conducting a thorough investigation to mitigate any potential risks and secure its infrastructure moving forward.

The post Cybersecurity News Headlines Trending on Google appeared first on Cybersecurity Insiders.

Mastercard is on track to phase out passwords by 2028 and will also eliminate the use of card numbers and one-time codes by 2030. Instead, the company plans to shift toward more secure methods, such as tokenization and biometric authentication, to protect user information from cyber threats.

As online shopping continues to grow, there has been a corresponding surge in e-commerce transactions—and, unfortunately, a significant increase in fraud. Exposed card details, including numbers, CVVs, and the last four digits, have become prime targets for cybercriminals, causing significant financial losses for both cardholders and e-commerce merchants.

A recent study by the International Banking Institute revealed that Mastercard accounts for nearly 40% of global online transactions, with its rival Visa not far behind. To address the growing issue of online fraud, both Mastercard and Visa have been integrating advanced security measures like tokenization since 2014. Tokenization replaces the traditional 16-digit card number with a unique, encrypted token, preventing fraud and improving transaction approval rates.

Looking ahead, Mastercard plans to eliminate the use of passwords and one-time passcodes altogether by the end of the decade. This will pave the way for the mandatory use of passkeys for authentication. The company has already rolled out this technology in markets like Singapore, the UAE, and India. The future of secure payments will rely heavily on biometric verification, including facial recognition, fingerprint scanning, and iris scans, which will further block fraudsters from accessing sensitive financial data.

In addition to these security enhancements, Mastercard is also bidding farewell to physical card numbers. The company plans to enhance its Click to Pay service, which allows users to securely load their card information onto their mobile devices. With this service, users will be able to make payments effortlessly by simply tapping their smartphone on a payment terminal or swiping the home screen of their device—removing the need for physical cards altogether.

With these innovations, Mastercard is striving to provide a smoother, more secure payment experience for consumers, while also protecting them from the rising tide of digital fraud.

The post Mastercard to say goodbye to passwords appeared first on Cybersecurity Insiders.

Mastercard, a leading financial institution renowned for its payment solutions, has significantly strengthened its position in the field of cybersecurity with its recent acquisition of Recorded Future, a prominent cyber threat intelligence firm. The deal, valued at $2.58 billion, is set to be finalized by the first quarter of 2025, following the conclusion of legal and contractual agreements with the current owner, Insight Partners.

Recorded Future, established in 2009, took some time to carve out its niche in the cybersecurity market. However, after earning recognition and accolades within its industry, it was acquired by Insight Partners, a prominent venture capital firm, in 2019 for $768 million. This acquisition marked a pivotal moment in Recorded Future’s growth trajectory, enhancing its capabilities and market presence.

Mastercard’s strategic interest in Recorded Future lies in leveraging its advanced technology to bolster cybersecurity measures and mitigate risks for its customers. The financial sector, particularly the payments industry, is a frequent target for cyberattacks, making robust threat detection and response crucial. Recorded Future’s expertise in cyber threat intelligence, enriched with cutting-edge generative AI technology, aligns perfectly with Mastercard’s objective to address and manage emerging threats in this high-risk domain.

For the past few years, Recorded Future has been a valuable technology partner to Mastercard, providing sophisticated threat detection solutions that utilize generative AI to process and analyze vast amounts of data. This partnership has already contributed to Mastercard’s ability to proactively identify vulnerabilities and respond with timely insights, helping to safeguard its operations and client information.

Notably, Microsoft’s OpenAI GPT technology, known for its proactive threat identification and real-time vulnerability insights, has played a significant role in enhancing Recorded Future’s capabilities. This collaboration has underscored the importance of integrating advanced AI tools in cybersecurity efforts.

In response to the acquisition, Christopher Ahlberg, the CEO of Recorded Future, took to Twitter (now X) to provide clarity on the future of the company. He confirmed that while Recorded Future will operate as an independent intelligence platform, it will function as a subsidiary of Mastercard in the coming months. This transition is expected to enhance Mastercard’s cybersecurity infrastructure while maintaining Recorded Future’s established operational autonomy.

The post Mastercard acquires Cyber Threat Intelligence firm Recorded Future for $2.58 Billion appeared first on Cybersecurity Insiders.

WAWA, a convenience and retail store chain from Pennsylvania, has challenged the card giant MasterCard over the penalty it imposed following a data breach. In 2019, WAWA experienced a data breach in its customer payments database.

A detailed probe launched in December 2019 found that a hacking group had infiltrated its payment card systems and stolen credit card data from over 842 WAWA stores in Delaware, Maryland, Virginia, Washington, DC, Florida and New Jersey.

On hearing the investigation details, MasterCard launched an inquiry and imposed a hefty fine on WAWA for failing to secure the critical details of its customers. The retail chain agreed to pay $9m in cash and some in gifts to MasterCard to settle a class action suit brought by the American multinational financial services company. It also agreed to invest $35m to upgrade its cybersecurity posture in line with the current threat landscape.

Wawa has now filed a lawsuit against MasterCard and Bank of America over what it calls unfair business practices. It is also demanding that MasterCard pay $32m in damages for the distress it has endured over the past 14 months and for the reputational damage it suffered when it had to face over 6 lawsuits seeking class action status in the federal court in Philadelphia.

Note: The Wawa credit card lets customers pay at its fuel stations and buy food and beverages at discounted prices at all of its convenience stores.


The post WAWA retail store questions MasterCard over data breach penalties appeared first on Cybersecurity Insiders.