In a joint statement published earlier this week, hacking groups Anonymous and LulzSec urged readers to boycott e-commerce giant PayPal, claiming:
“PayPal continues to withhold funds from WikiLeaks, a beacon of truth in these dark times” and “PayPal’s willingness to fold to legislation should be proof enough that they don’t deserve the customers they get.”
Could this call for action be the start of a sustained campaign against PayPal? Could a large hack-attack be planned for PayPal in the near future?
First, it’s important to realise that even the most secure systems fail given enough time and effort. Only constant vigilance maintains security.
There are economic limits to the amount of security any corporation can implement while remaining profitable, and if a corporation fails to remain profitable, it fails.
PayPal has implemented controls that may make its systems extremely secure, and it does a good deal to protect its business and clients.
But even this may not be enough against organised hacktivism groups such as Anonymous and LulzSec and the AntiSec movement in general.
The problem with defending against hacktivist and cyber terror groups is that they do not follow a rational economic model.
By contrast, traditional cyber crime – itself a difficult problem with few solutions – is easy to predict. It is built upon a traditional business model – albeit an illegal one – and cyber criminals have a desire to make a profit from their illicit activities. They act rationally, in an economic sense.
Cyber crime groups only expend resources to a point that allows them to maintain a suitable level of profitability.
Conversely, cyber terror and hacktivism groups, such as Anonymous and LulzSec, do not operate under such constraints.
They have members who are willing to risk jail terms, financial loss and other sanctions for purely ideological reasons. These are people who attack sites out of principle, as misguided as those principles might be.
For this reason, groups such as Anonymous and LulzSec will continue to look for holes in the security of organisations such as PayPal, well past the point that a criminal would have moved on to greener pastures.
So, why should we care if just another corporation is made the target of an attack? After all, recent attacks against security firm RSA have managed to steal sensitive data that could be used to access critical systems and infrastructure.
The answer lies in the nature of the services provided by PayPal.
More and more sites are starting to use PayPal as their commerce engine, and it is becoming an essential part of the overall framework and infrastructure that defines the electronic economy.
Given it’s a service built on trust, any successful attack against PayPal could result in havoc as people lose trust in the service. This would leave many e-commerce sites unable to process payments and therefore without business.
Let’s hope the vigilance of the people at PayPal exceeds the desire of groups such as Anonymous to destroy.
One thing’s clear though: this isn’t the last we’ll be hearing about PayPal from the likes of Anonymous and LulzSec.