Mobile payments becoming unusable

Perhaps some readers of this paper have experienced trouble with mobile payments recently. You could not use your mobile app when you stopped to buy coffee on your way to work in the morning.[1] When you went to pay for lunch you could not use mobile payments.[2] You took a train, and when you reached the exit gate you did not have enough money on your Mobile Suica, so you attempted to reload it, but the transportation-type payment app would not let you.[3] You have probably had these kinds of experiences. These are IT system failures which actually occurred this month (May 2024) in Japan. As small payments shift to mobile devices, the number of people who do not carry cash is increasing, and this kind of IT system failure now has a major impact on people's lives.

The causes of IT system failures which disrupt mobile payments can be broadly divided into (i) trouble with hardware devices such as servers, (ii) trouble with the system software, and (iii) cyberattacks and unauthorized access. Of these, (i) can essentially be prevented by ensuring redundancy (backup system devices), but there are cases in which the redundant configuration fails to take over, or recovery takes a long time because of a mistake in the recovery procedure. (ii) typically occurs when the system is updated. The most troublesome problem these days is the increase in IT system failures caused by the cyberattacks in (iii).

The Financial Services Agency of Japan released the Analysis Report on Financial Institutions’ IT System Failures in June 2023, and its analysis was that the new trend since 2022 was the occurrence of IT system failures caused by cyberattacks, namely unauthorized external access to the IT systems of subcontractors, ransomware attacks exploiting vulnerabilities, and failures due to DDoS attacks on financial institutions.[4] Of these, the DDoS attack is a long-standing cyberattack technique: it sends a volume of communications traffic to the target servers and websites in excess of their processing capacity, so that they fail under the overload.

The 2023 Analysis Report of the Financial Services Agency gives examples of financial system failures which occurred due to DDoS attacks from 2022 onward, in a form which does not state the names of the specific financial institutions or the timing of the attacks. In the examples of failures at Shinkin banks or credit associations [5], people became unable to browse the websites of the financial institutions, online banking on those websites was disrupted, and people became unable to use the institutions' apps. In another case, at a different financial instruments business operator, the DDoS attack was directed at an IP address providing financial services, and processing delays and errors occurred because a network device was overloaded.[6] In a failure at a regional bank, the DDoS attack was aimed at the contractor to which the bank had outsourced the operation of its website, and the bank suffered collateral damage as people became unable to access its online banking via that website.[7]

Given this context, the IT system failure of the transportation-type payment app which occurred on May 10 this year (2024) mentioned in the example at the beginning of this paper was an IT system failure which appears to have been caused by a cyberattack, specifically a DDoS attack. Immediately after the failure occurred, I carried out an initial investigation of the cause with my engineer colleagues, and we found that both the primary (preferred) DNS server [8] and secondary (alternative) DNS server of the mobile payments app and the Internet reservation site were down, so we strongly suspected that a DDoS attack was being carried out against the DNS servers. In this example, connection to the app became difficult from about 5:30 p.m. on May 10 and the failure continued until about 10:00 p.m., having a large impact on users using mobile payments in Japan. At the same time, there was a large-scale service failure in which access failures occurred on an Internet reservation site for trains.[9]

Financial services targeted by long-standing and new DDoS attack techniques

As stated above, even among cyberattacks the DDoS attack is a particularly long-standing technique, which sends a massive amount of communications traffic from a group of hijacked IT devices (a botnet) to overload and paralyze the IT devices of other parties. Because the technique has been recognized for so long, technological countermeasures have also progressed: in addition to blocking access, there are countermeasures such as CDNs (content delivery networks) and WAFs (web application firewalls). However, recent DDoS attacks increasingly bypass the IT systems themselves, where such countermeasures have advanced, and instead target DNS servers, which are harder to defend, as in the aforementioned example of the transportation-type payment app.

2023 was a year in which many DDoS attacks occurred against Japan, and the attacks were not limited to financial services. The National Police Agency summarizes and publishes the cyberattack situation for each calendar year, and in its report it presented the analysis that in 2023 multiple website browsing failures occurred due to DDoS attacks; in particular, browsing failures occurred due to random subdomain attacks targeting authoritative DNS servers [10] in attacks which took place from March to June.[11] Random subdomain attacks are a newer DDoS technique: the attacker randomly generates subdomains which do not exist (for example, subxx.xx.co.jp) under the domain of an actually existing site of the target company (for example, xx.co.jp), so that a massive number of queries for these non-existent names reach the authoritative DNS server, overload it, and cause it to fail.
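The signature of a random subdomain attack described above, seen from the authoritative server's side, is a burst of queries for many distinct, random-looking labels under one zone that all return NXDOMAIN. The following detection logic is an added example (not from the original paper or from any agency report): it runs over a constructed, simplified query log and flags a zone when the NXDOMAIN ratio, the number of unique non-existent names, and the entropy of the leftmost label all exceed illustrative thresholds. The zone name and log format are assumptions.

```python
import math

# Constructed sample log, one query per line: <epoch> <client_ip> <qname> <rcode>.
# "example.co.jp" is a placeholder zone. Normal names resolve (NOERROR); the
# burst is many unique random-looking labels from many clients, all NXDOMAIN.
SAMPLE_LOG = """\
1715330400 203.0.113.10 www.example.co.jp. NOERROR
1715330401 203.0.113.11 mail.example.co.jp. NOERROR
1715330402 203.0.113.12 www.example.co.jp. NOERROR
1715330402 203.0.113.13 shop.example.jp. NOERROR
1715330403 198.51.100.1 k3j9x2ab7qz1.example.co.jp. NXDOMAIN
1715330403 198.51.100.2 p8m4v6r1t0yc.example.co.jp. NXDOMAIN
1715330403 198.51.100.3 w5n2e9d4h7ls.example.co.jp. NXDOMAIN
1715330404 198.51.100.4 g1u8o3i6f2bq.example.co.jp. NXDOMAIN
1715330404 198.51.100.5 z7r4k0m9c5xa.example.co.jp. NXDOMAIN
1715330404 198.51.100.6 t2y6s8v3n1pd.example.co.jp. NXDOMAIN
1715330405 198.51.100.7 h9l5q2j7w4eu.example.co.jp. NXDOMAIN
1715330405 198.51.100.8 b3f8a1o6g0ri.example.co.jp. NXDOMAIN
1715330405 203.0.113.14 shop.example.jp. NOERROR
"""

def label_entropy(label: str) -> float:
    """Shannon entropy in bits of one DNS label; random labels score high."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def zone_stats(log: str, zone: str) -> dict:
    """Aggregate queries for names under `zone` (given with a trailing dot)."""
    total = nx = 0
    nx_names, clients, entropies = set(), set(), []
    for line in log.splitlines():
        _ts, client, qname, rcode = line.split()
        if not qname.endswith("." + zone):
            continue
        total += 1
        clients.add(client)
        if rcode == "NXDOMAIN":  # only non-existent names feed the burst metrics
            nx += 1
            nx_names.add(qname)
            entropies.append(label_entropy(qname.split(".")[0]))
    return {"total": total, "clients": len(clients), "unique_nxdomain": len(nx_names),
            "nxdomain_ratio": nx / total if total else 0.0,
            "mean_entropy": sum(entropies) / len(entropies) if entropies else 0.0}

def is_random_subdomain_burst(stats: dict, ratio=0.5, unique=5, entropy=3.0) -> bool:
    """Heuristic: mostly NXDOMAIN, many distinct names, high-entropy leftmost labels."""
    return (stats["nxdomain_ratio"] >= ratio and stats["unique_nxdomain"] >= unique
            and stats["mean_entropy"] >= entropy)
```

In practice the same metrics would be computed over a sliding time window, and an alert would trigger response-rate limiting or upstream scrubbing at the authoritative edge so that legitimate name resolution for the zone keeps working.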

When a new type of DDoS attack such as a random subdomain attack is carried out, IT system failures often last from a few hours to half a day. Long-standing and new DDoS attack techniques alike therefore pose a threat to the IT services which support society, and most of all to app-based services which depend on Internet protocols.

If we turn our eyes overseas, DDoS attacks targeting financial services are increasing in the same way as in Japan. FS-ISAC in the United States (US) and the leading US security company Akamai, which has provided services to combat DDoS attacks for many years, jointly published an analysis report in March 2024 which stated that DDoS attacks on US financial institutions increased dramatically, by 154%, from 2022 to 2023.[12] According to this report, 35% of the DDoS attacks observed by Akamai targeted financial services, and that percentage has been trending upward since 2022. Regarding the attack technique, the report points out that DNS flood attacks, which target the DNS server itself [13], account for the majority at 55% of all attacks, and that pseudo-random subdomain attacks are used in some of these.[14] The report also presented the analysis that a shift is observed from financially motivated DDoS attacks, previously the most common kind, to DDoS attacks by hacktivists [15] supported by states with the objective of geopolitical harassment.[16]

Changes to the geopolitical environment in the background to the attacks

In the background to these kinds of DDoS attacks targeting financial services is the intensification of the geopolitical conflict between Russia and Western societies since Russia’s invasion of Ukraine in 2022. As pointed out in the report by Akamai and FS-ISAC in the US, attackers are carrying out politically motivated attacks with the objective of causing chaos in the target countries’ societies; they target government institutions, public transportation systems, and financial services, and aim to cause these services to crash temporarily.

In fact, the pro-Russia hacktivist groups NoName057 and Killnet have been claiming responsibility for DDoS attacks on the US, Europe and other Western countries, and in the approximately six months immediately after the start of the war in Ukraine they claimed successful attacks targeting government institutions, transportation systems, and financial institutions, as shown in the table below. In Japan as well, a wide range of DDoS attacks against government institutions, financial institutions, subways, social media, and other services were carried out in September 2022.

Table: DDoS attacks for which Killnet has claimed responsibility (March to September 2022)

Timing of the attacks (2022)   Targets of the DDoS attacks
Late February                  Ukraine (government institutions)
March                          Poland (central bank)
April                          Czech Republic (government institutions)
                               Germany (airports)
                               Estonia (government institutions)
                               Romania (government institutions, finance, media)
May                            Germany (finance)
                               Italy (government institutions, airports, ports)
                               Latvia (government institutions)
                               Moldova (government institutions)
June                           Lithuania (government, private sector)
                               Norway (private sector)
July                           United States (airports, tax payment systems)
                               Poland (transportation infrastructure, tax payment systems)
                               Latvia (government institutions, tax payment systems, media)
August                         United States (Lockheed Corporation)
September                      Japan (government institutions, tax payment systems, airports, ports, subways, finance, social media)

Source: Created by this author based on Killnet Telegram, media reports, etc.

NoName057 and Killnet tend to intensify their attacks periodically: in the middle of February, the annual anniversary of the start of the Ukraine War; in the middle of May, around the anniversary of Russia’s victory over Germany in World War II; and in early September, which includes the anniversary of Russia’s [the Soviet Union’s] victory over Japan in WWII. Multiple DDoS attacks against companies and local governments were observed in February 2023 and February 2024 in Japan as well. Furthermore, DDoS attacks against the Ministry of Justice, the Immigration Services Agency, and Japan Post occurred in the middle of May 2023. Regarding the DDoS attack against the financial services of a transportation-type payment app on May 10, no claim of responsibility has been made at the present time, but based on the timing it is highly likely that it was a politically motivated attack by Russian hacktivists.

Against the background of these changes to the geopolitical environment, I assume that politically motivated cyberattacks against financial services, which are the foundation of people’s lives, will continue. The intention of the attackers is to cause chaos in civilian life, so to deny them that objective it is of course necessary for the government and companies to monitor the situation and strengthen their countermeasures, but we also need to increase our resilience (the ability to overcome difficulties) so that we do not panic at critical moments. Digital technologies are convenient, but I would like you to recognize the importance of a physical backup, for example carrying a little cash with you rather than depending only on mobile apps.

(2024/06/24)

Notes

  1. “IT System Failure at Starbucks,” Nippon TV News, May 20, 2024.
  2. “Malfunctions Such as Being Unable to Pay with PayPay: Company Investigates the Cause,” NHK NEWS, May 15, 2024.
  3. “Failure of Mobile Suica, etc.: JR East Says ‘Possibility of a Cyberattack’,” Nihon Keizai Shimbun, May 10, 2024.
  4. Financial Services Agency, “Analysis Report on Financial Institutions’ IT System Failures,” June 2023.
  5. Id., “Analysis Report on Financial Institutions’ IT System Failures,” p. 10.
  6. Id., “Analysis Report on Financial Institutions’ IT System Failures,” p. 12.
  7. Id., “Analysis Report on Financial Institutions’ IT System Failures,” p. 13.
  8. DNS is an abbreviation of “Domain Name Server” and it refers to a server which responds to queries from users’ IT devices by providing the IP address which is actually used to access the communications.
  9. “IT System Failure Making It Difficult to Load Mobile Suica, Mostly Recovered… JR East Says ‘Possibility We Were Subjected to a Cyberattack’,” Yomiuri Shimbun, May 10, 2024.
  10. An authoritative DNS server holds information about the IP addresses corresponding to domain names, and responds to external queries about domain name destinations with information within the area it manages itself, without making any queries to other DNS servers.
  11. National Police Agency, “Threats in Cyberspace in 2023,” March 14, 2024.
  12. FS-ISAC and Akamai, “DDoS: Here to Stay,” March 6, 2024.
  13. A DNS flood attack is an attack which sends a massive number of queries to the DNS server for the IP addresses corresponding to domain names (name resolution), flooding the server with attack traffic and forcing the overwhelmed server to crash.
  14. FS-ISAC and Akamai, op. cit., p. 12.
  15. This refers to a group which carries out cyberattacks with political intentions.
  16. FS-ISAC and Akamai, op. cit., pp. 7-8.