Mastercard DNS Error Went Unnoticed for Years

A security researcher discovered and fixed a critical domain name server misconfiguration in Mastercard's systems that persisted undetected for nearly five years, potentially exposing the credit card giant to traffic interception risks.

Philippe Caturegli, founder of security firm Seralys, found that one of Mastercard's five DNS servers incorrectly pointed to "akam.ne" instead of "akam.net" from June 2020 to January 2025. He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation. Mastercard said the typo has been corrected, insisting there was "not a risk to our systems."

Not Suprising

[mkosmo]

I'm not surprised that a company of that size had such an issue lurking -- but how many eyes have probably looked at that DNS record over the years and looked right past that typo? Something should have eventually seen it, even if it was just DNS propagation monitoring. But the claim that it created no risk? Absolute hogwash. Without trying, a threat actor could have gotten a fifth of the traffic headed to destinations that used that same NS record content... which looks like it included their own API gateways!

Re:

[mysidia]

a threat actor could have gotten a fifth of the traffic headed to destinations that used that same NS record content... which looks like it included their own API gateways!

Yes. But there should still be DNSSEC signing to prevent an accidentally listed DNS server for publishing anything right?

Furthermore you would need a valid TLS certificate in order spoof an API gateway in order to intercept data. So I guess they could say the risk is none since the ability to intercept and reply to authoritative D

Re:Not Suprising

[mkosmo]

DNSSEC and TLS would absolutely help mitigate this. Problem is, there's no DNSSEC for mastercard.com according to the records I just pulled. Now, without DNSSEC, you could plausibly get a Lets Encrypt certificate with a dns-01 challenge, so it's still vulnerable.

Re:

[mysidia]

Now, without DNSSEC, you could plausibly get a Lets Encrypt certificate with a dns-01 challenge, so it's still vulnerable.

They ought to correct their zone.. I guess that is just more evidence someone is asleep at the switch over there. It's basically inexcusable for a payment processing company to not have basic DNS security in place for that infrastructure. If BankofAmerica, Amex, and Discover.com can do it, then so can Mastercard.

In theory Multi-VA [letsencrypt.org] should still prevent getting a TLS certificate.

Re:

[mkosmo]

In theory Multi-VA [letsencrypt.org] should still prevent getting a TLS certificate

Yeah, that's why I only said plausibly, rather than possibly, as it'd take that 1:20 shot to make it happen. But plausibly may be overstating it a bit, still.

Any certificates from LE would also appear in the certificate transparency log that currently only has EnTrust and DigiCert certificates. A few hundred pages' worth of certificates.

Given everything we've learned here, do you think they're actually monitoring CT logs

But...

[Shaitan]

"He spent $300 to register the domain through Niger's domain authority to prevent potential exploitation"

Did he put it on his mastercard?

Re:

[KlomDark]

Please

Re:

[Shaitan]

He should have put the charge on a clean mastercard account and then refused to pay the bill, when they complained he should have pointed them to a policy document hosted on "their domain" that said he doesn't have to pay.

not a risk to our systems?

[ls671]

From TFS:

not a risk to our systems

Of course not, it's a risk to whoever tries to use their systems although. And it could even be a risk to their systems if their systems try to connect to other of their systems...

Re:

[Shaitan]

It's also a reputational risk to their organization... which would normally be a bigger potential cost than a systems compromise; even for mastercard.

Re:not a risk to our systems?

[mkosmo]

Yeah, but have you ever tried to articulate reputational risk to leaders? They either don't comprehend it -- or even if you quantify it, they don't believe the outputs.

Re:not a risk to our systems?

[DarkOx]

They do comprehend it. They know it is mostly a myth perpetuated by the infosec industry to justify the spending of a lot of money on their products and services.

Let's face it, anyone refusing to shop at TJ Max, Target, Home Depot, how many people moved of o365 because of various Microsoft Cloud security failures?

Even in the Security industry where it really ought to matter it does not seem to. Citrix Netscalers are as popular as ever, people buy Cisco products after so so many embarrassing security failures, PaloAlto has had their RCEs still everyones favorite layer-7 device.

Hell how much business has Crowd Strike even lost of the availability crisis of their own making?

Even Solar Winds I am not sure the fact that it isn't as popular as it once was has anything to do with reputation, more so just generalized competition from cloud and other dev-ops platforms.

Re:

[mkosmo]

Reputational risk isn't the same everywhere. It's a much bigger deal for B2B, for example. But people absolutely care - Take a look at the flood of people that left LastPass after their large breach. It's harder for people to walk away from the big banks or retailers, so their impact is significantly reduced. But in any case, it's not just a myth. It just has to be taken in context.

Re:

[Shaitan]

Exactly. HPE and Verizon Enterprise both lost many clients after their large breaches and so did crowdstrike despite it being glossed over. They are still around but are you hearing much about AshleyMadison these days?

It's hard to say how much their poor security related reputation has cost Microsoft over the years but it is definitely billions to trillions as any serious organization has limited their footprint to endpoint and endpoint related services using solutions deemed more secure and stable for seri

Is Mastercard PCI compliant?

[Anonymous Coward]

How did this configuration go unnoticed? Were resolution failures not logged or were logs not reviewed? Either answer is a violation of PCI DSS requirements.

Re:

[Anonymous Coward]

Please. PCI DSS certification is for punishing mom-and-pop businesses with IT consultant fees, not for holding the overlords accountable for their cheap Sec spending.

Re:

[ls671]

This wouldn't have caused any resolution failure on their side. "akam.ne" is returned instead of "akam.net" and whoever tries to connect to akam.ne then get the failure unless somebody sets a server to listen for that traffic. Also, they say it was only 1 out of 5 DNS and DNS lookups will transparently try another server in one doesn't answer.

Re:

[rickb928]

And we know what akam.net was used for, most likely Akamai edge cache content. Wonder why any dev did not notice they were not retrieving the expected content? How many timeouts, even a 408?

This should have been obvious at some point, and resolved. Ugly, marginally competent dev teams. A bad look. Expect a few months of deep dive auditing to find the other problems yet to be found.

Oh, and I know, a failover somewhere masked this. Is that better?

Re:

[ls671]

Plenty we don't know so many possibilities. Example: the faulty DNS was never hit by the dev team and was only returned to serve queries from some other countries, etc. etc. etc.

Re:

[rickb928]

'never hit by the dev team'

Gotcha, the test team is not part of the dev team. We ultimately blame the test team, right?

Re:

[mysidia]

PCI DSS wouldn't require a DNS resolution error to be logged.

Also it is not possible for the domain nameserver operator to log what would happen.

Since it's only 1 nameserver; you don't get a resolution error - most DNS clients will send a parallel query to multiple nameservers, and whichever nameserver you get the first answer from wins. In this case the incorrect nameserver never returns an answer (SERVFAIL condition), so peoples' DNS clients just ignore it - no resolution failure occurs.

"It was DNS"

[bill_mcgonigle]

... got the T-shirt.

Priceless

[Roger W Moore]

Cost of registering a domain name in Niger: $300. Cost of having your credit card company's traffic intercepted: billions. Cost of having a security researcher willing to buy a domain to save your company massive financial and reputational loss when you are incompetent: priceless.

Re:

[ihavesaxwithcollies]

Doesn't Mastercard follow the same hiring procedures as all the other corporate assholes? Seven interviews. Must have two PhDs. Top .0001%. No white guys. Best of the best right?

Fuckups all the way down. Then three miles of wreckage.

But I'm sure that's all just a coincidence. You keep right on hiring those H1Bs.

If they're anything like American Express, they're an H1-B mill.

they out soured that part of IT to the lowest bidd

[Joe_Dragon]

they out soured that part of IT to the lowest bidder!

for tech errors it's always DNS...

[Squiff]

...For everything else, there's Mastercard