MasterCard has been misconfiguring DNS for five years



It has been discovered that credit card giant MasterCard misconfigured its DNS server names, allowing anyone to intercept or divert traffic for five years from 2020 to 2025.

MasterCard DNS Error Went Unnoticed for Years – Krebs on Security

https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/



According to security expert Brian Krebs, MasterCard uses Akamai's servers as the DNS servers for 'mastercard.com'. The DNS settings should specify an 'akam.net' server in five places, but one of them read 'akam.ne', with one character missing.

The problem was discovered by Philippe Caturegli, founder of security company Seralys.



'.ne' is the country-code top-level domain of Niger, and since no one had registered 'akam.ne', Caturegli spent three months and $300 (about 47,000 yen) registering it himself to keep it from being abused by cybercriminals. When he enabled the akam.ne DNS server, he found that it received hundreds of thousands of DNS requests per day from all over the world. In addition to MasterCard, multiple companies and organizations had made the same mistake of specifying the 'akam.ne' domain.
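A zone owner can catch this class of error by auditing each NS hostname against the DNS provider's domain and flagging near-misses. The following is an added example, not code from the article or from any party it describes; the function names, the sample NS set and the distance threshold are assumptions made for illustration.

```python
# Added example: audit a zone's NS set for nameserver hostnames that fall
# outside the DNS provider's domain (the akam.ne vs akam.net class of typo).

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def normalize(host: str) -> str:
    return host.strip().rstrip(".").lower()  # DNS names are case-insensitive

def audit_ns(ns_hosts, allowed_suffixes, max_typo_distance=2):
    """Return one finding per NS host that is not under an allowed suffix."""
    allowed = [normalize(s) for s in allowed_suffixes]
    findings = []
    for raw in ns_hosts:
        host = normalize(raw)
        if any(host == s or host.endswith("." + s) for s in allowed):
            continue
        labels = host.split(".")
        # Compare the host's trailing labels (as many as the suffix has)
        # with each allowed suffix and keep the closest match.
        dist, nearest = min(
            (edit_distance(".".join(labels[-s.count(".") - 1:]), s), s)
            for s in allowed)
        findings.append({"host": host,
                         "nearest_allowed": nearest,
                         "distance": dist,
                         "likely_typo": dist <= max_typo_distance})
    return findings

# Constructed NS set for a hypothetical zone; the hostnames are illustrative.
SAMPLE_NS = [
    "a1-1.akam.net.", "a2-2.akam.net.", "a3-3.akam.ne.",
    "A4-4.AKAM.NET", "a5-5.akam.net.",
]

if __name__ == "__main__":
    for finding in audit_ns(SAMPLE_NS, ["akam.net"]):
        print(finding)
```

In practice the input list would come from the zone's delegation and its apex NS records, and any finding, typo or not, means a name server outside the provider's control is authoritative for the zone.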

If Mr. Caturegli had operated 'akam.ne' maliciously, he could have enabled a mail server to receive emails addressed to MasterCard, or obtained a server certificate for mastercard.com to create a complete 'spoofed site.' Instead, Mr. Caturegli notified MasterCard that 'akam.ne' was his domain. When contacted, MasterCard admitted that there was a mistake in the settings.

After notifying MasterCard of the problem, Caturegli posted about the DNS configuration error on LinkedIn. However, MasterCard contacted him through its bug bounty program, Bugcrowd, asking him to remove the post and saying that publishing the content was not in line with ethical security practices.

Although he has a Bugcrowd account, Caturegli said he has never reported a bug through the program. 'Before disclosing the information, we ensured that the affected domains were registered to prevent abuse, mitigating any potential risk to MasterCard and our customers. This action, taken at our own expense, demonstrates our commitment to ethical security practices and responsible disclosure,' he said. He had hoped that MasterCard would cover the costs or at least thank him for the action he took, and in response to this unexpected reaction he said, 'We (Seralys) do not agree with this assessment.'

According to Krebs, akam.ne was once registered in 2016 by a user with an email address linked to the Russian search engine Yandex, and was connected to a German server for a time, but the link expired in 2018.

in Security, Posted by logc_nt