Another CrowdStrike-like outage could collapse cashless societies

[Alfonso Maruccia]

No Cash All Pain?: Entire sectors of the global economy were disrupted by a single, botched PC security update, and it could easily happen again. This is why proponents of cash argue that we should never completely abandon non-digital money as a legitimate form of payment.

Security company CrowdStrike has caused disruptions to millions of Windows systems over the past few days, just months after similar issues affected Linux-based machines. The latest global IT outage led to significant disruptions across industries, particularly for businesses that rely heavily on digital and cashless payment systems.

The Payment Choice Alliance (PCA) argues that the CrowdStrike incident should serve as a warning against major changes in how money and payments are managed in modern society. The UK-based organization advocates for payment choice, noting that only three percent of adults in the UK have completely stopped using cash.

PCA President Ron Delnevo stated that outages are inevitable. However, if there are no alternatives to cards or digital apps, the entire economy could collapse. According to the banking organization UK Finance, cash payments have been increasing. The number of regular cash users fell from 23.1 million in 2021 to 21.6 million last year.

Cash continues to play a role in modern society, and most businesses still accept it. The GMB Union, a trade organization representing over 560,000 private and public entities in the United Kingdom, also emphasizes that cash is a vital component of community operations.

"When you take cash out of the system, people have nothing to fall back on, impacting on how they do the everyday basics," the organization said.

Cash is also essential for those seeking privacy and anonymity, according to PCA campaign director Martin Quinn. Thanks to cash, no Big Tech company or digital platform can collect or sell personal data. Banks, credit card companies, and online retailers do not have the right to know every detail of an individual's life, Quinn stated. Furthermore, cash remains the easiest payment method for some.

Permalink to story:

Another CrowdStrike-like outage could collapse cashless societies

 

[ScottSoapbox]

Living in a hurricane-prone area, locals keep cash on hand and extra at the house for just those inevitable outages.

Cash or some type of equivalent is essential as a backup. This outage showed just how much farther we progressed from being able to do basic things. 15 years ago, the registers at a store going down wouldn't be a big deal. Get out some paper for receipts and take cash. Today, many shops were completely shut down.

 

[Impudicus]

Wait until a compromised Microsoft update goes out to everyone...

 

[Zcolor]

"Another CrowdStrike-like outage could collapse cashless societies" <----------------- I think, this is the entire point!

 

[brucek]

This outage is a huge embarrassment for everyone involved. If I was on the deployment end I'm not sure I could ever be talked into a no-review, no-limited-population-test, immediate deployment of updates that are effectively at the boot loader / kernel level or similar, and have no automated, remote, or even local user failsafe to rollback.

But even assuming the threat scenario is such that this inherently highly risky setup is justified, it would have to be supported by a level of QA and testing that is 100.000000000% bullet proof on the pushing party's side (CrowdStrike in this case, which clearly miserably failed to the tune of many many millions in economic harm done.)

Further, even if you had the bullet proof QA at time of push, someone needs to worry about the coordination of who else has push authority for other parts of the software stack. If CrowdStrike is absolutely sure their patch works on the current Windows version, and pushes it just as Microsoft pushes out a critical security patch change, who has tested the compatibility of the two together?

 

[Squid Surprise]

Does anyone really believe that this outage wasn’t caused by a cyberattack on CrowdStrike - which was almost certainly made possible by the hacking of MS earlier this year…

Backups are great - maybe do proper DIGITAL backups… of course, cash is always good to have for an emergency, but this sort of thing shouldn’t paralyze society.

 

[maxxcool7421]

I *HOPE SO* .. for weeks ... because the rich people who do not carry cash will be helpless.

 

[brucek]

Does anyone really believe that this outage wasn’t caused by a cyberattack on CrowdStrike - which was almost certainly made possible by the hacking of MS earlier this year…

I do, because a) CrowdStrike has accepted responsibility for this being their error, and b) if you were the sophisticated attacker who had this chance to install your malware on lots of critical systems, you goal would be something more significant and long-lasting than causing a temporary outage that is also certain to result in the removal of your malware.

 

[Squid Surprise]

I do, because a) CrowdStrike has accepted responsibility for this being their error, and b) if you were the sophisticated attacker who had this chance to install your malware on lots of critical systems, you goal would be something more significant and long-lasting than causing a temporary outage that is also certain to result in the removal of your malware.

Unless you were state sponsored and this was your “shot across the bow” to warn the world (aka the US) that you can do this again any time…
And when MS was hacked by state sponsored hackers in November 2023… hmmm… connect the dots anyone?
By the way, isn’t CrowdStrike headed by the former VP of McAfee - who did a very similar thing (cause outages) years ago?

 

[amghwk]

I never liked the over-dependence on tech to do even basic things.

All the money in the banks are just numbers nowadays, and these numbers are at the mercy of hackers.

 

[daffy duck]

We have had holier than now hipster coffee shops in Australia ban cash. I hope those clowns were burned badly as they couldn't sell you a damn thing for a few days.

 

[Durch]

Cash is just as useless as digital as it's tied back to computer systems/databases at the point of sale, banks, and ultimately the Fed.

If an outage were to occur where it knocked all the systems offline, your money would useless unless a deposit were to be accepted. In today's world that would be the old mom and pop stores, everyone else would scan or enter a code into a computer system in order to make the transaction which would be affected.

 

[Starfals]

Cash is just as useless as digital as it's tied back to computer systems/databases at the point of sale, banks, and ultimately the Fed.

If an outage were to occur where it knocked all the systems offline, your money would useless unless a deposit were to be accepted. In today's world that would be the old mom and pop stores, everyone else would scan or enter a code into a computer system in order to make the transaction which would be affected.

Thank god there are a million little stores like that here. You can buy food, water and some other small things. Im in Europe, and 90% of the people in my country still use cash. I honestly dont like the idea of cards too. Yeah, there are big stores too, that need the register etc. We are slowly becoming like the US, and that sucks, for the obvious reasons shown this week all over the news.

 

[user556]

Does anyone really believe that this outage wasn’t caused by a cyberattack on CrowdStrike - which was almost certainly made possible by the hacking of MS earlier this year…

The real screw up here is all the *large scale* businesses that just left their production systems open to automated updates from M$, or anyone else at all. It's not Crowdstrike's responsibility to ensure the smooth operation of every system in the world.

And it shouldn't be M$'s either, yet here we are staring at exactly that situation. I'm amazed how we managed to get so far down such a stupid path.

 

[Squid Surprise]

The real screw up here is all the *large scale* businesses that just left their production systems open to automated updates from M$, or anyone else at all. It's not Crowdstrike's responsibility to ensure the smooth operation of every system in the world.

Well… it kind of is… if you’re paying CrowdStrike to provide you with security patches (and they were among the world leaders with a sterling reputation until last week), you don’t expect one of their patches to knock out your machines…

And it shouldn't be M$'s either, yet here we are staring at exactly that situation. I'm amazed how we managed to get so far down such a stupid path.

It isn’t their fault - unless the credentials used to hack CrowdStrike came from hacking MS back in November…

 

[Northy]

We have had holier than now hipster coffee shops in Australia ban cash. I hope those clowns were burned badly as they couldn't sell you a damn thing for a few days.

I just thought those guys were muppets paying $9 for soy frappachinos. I honestly hope they stay in those places and keep playing with plastic so they don't come to the places I like to go.

 

[user556]

… if you’re paying CrowdStrike to provide you with security patches (and they were among the world leaders with a sterling reputation until last week), you don’t expect one of their patches to knock out your machines…

If you've just left them to it then that's your fault.

It isn’t their fault - unless the credentials used to hack CrowdStrike came from hacking MS back in November…

If they're the ones encouraging/forcing untested automated updates then M$ very much is to blame here. And I mean testing at your end, not theirs.

 

[Squid Surprise]

If you've just left them to it then that's your fault.

Large companies have thousands of machines - there's no way to update these manually. That's why you pay experienced companies like CrowdStrike to do it for you.

If they're the ones encouraging/forcing untested automated updates then M$ very much is to blame here. And I mean testing at your end, not theirs.

Had you read the article, you'd know that MS has no choice but to provide kernel access to 3rd parties. The CEO of CrowdStrike literally "wrote the book" on cybersecurity... yet it looks like even he wasn't infallible...

 

[user556]

Large companies have thousands of machines - there's no way to update these manually. That's why you pay experienced companies like CrowdStrike to do it for you.

Of course they don't manually install each machine one by one. IT depts do have tools and skills of their own. But they absolutely should be testing any updates before those are installed to live production gear.

Had you read the article, you'd know that MS has no choice but to provide kernel access to 3rd parties. The CEO of CrowdStrike literally "wrote the book" on cybersecurity... yet it looks like even he wasn't infallible...

Irrelevant to testing.

 

[Squid Surprise]

Of course they don't manually install each machine one by one. IT depts do have tools and skills of their own. But they absolutely should be testing any updates before those are installed to live production gear.

They pay CrowdStrike to do that!

Irrelevant to testing.

No - my argument is that CrowdStrike might have been hacked…. Which would be the reason the “patch” ended up being malicious. If they weren’t hacked, the fault is clearly CrowdStrike’s!
And unless that hack happened as a result of MS being hacked earlier, it would still be their fault - security is supposed to be their CEO’s specialty after all.

 

[user556]

They pay CrowdStrike to do that!

Rubbish. Crowdstrike doesn't administer IT systems for anyone. They make a product.

No - my argument is that CrowdStrike might have been hacked…. Which would be the reason the “patch” ended up being malicious. If they weren’t hacked, the fault is clearly CrowdStrike’s!
And unless that hack happened as a result of MS being hacked earlier, it would still be their fault - security is supposed to be their CEO’s specialty after all.

Irrelevant to testing.

 

[Squid Surprise]

Rubbish. Crowdstrike doesn't administer IT systems for anyone. They make a product.

No - they rollout patches and install them remotely… do you actually know how IT works?

Irrelevant to testing.

No - if they were hacked, then the malicious file was sent without the ability to be “tested” as they didn’t send it intentionally.

 

[user556]

No - they rollout patches and install them remotely… do you actually know how IT works?

That's the IT department's job, not Crowdstrike's. Which is what I said from the very start.

No - if they were hacked, then the malicious file was sent without the ability to be “tested” as they didn’t send it intentionally.

Irrelevant to testing.

 

[Squid Surprise]

That's the IT department's job, not Crowdstrike's. Which is what I said from the very start.

No - not when you outsource to CrowdStrike - or any other equivalent company… you assume THEY do the testing - that’s why you pay them…

Irrelevant to testing.

No - patches are automated… it is assumed they are tested before deployment but…. If a company is hacked, they might be sending malicious files disguised as patches… do some reading maybe?

 

[user556]

No - not when you outsource to CrowdStrike - or any other equivalent company… you assume THEY do the testing - that’s why you pay them…

Rubbish. Crowdstrike doesn't administer IT systems for anyone. They make a product.

No - patches are automated… it is assumed they are tested before deployment but…. If a company is hacked, they might be sending malicious files disguised as patches… do some reading maybe?

That's a good reason to not let any external company automate it. But mainly it's because only you have full knowledge of your own systems.

It's not a hard concept - Always do such updates as a test first. Or at the very least, on one live system before a full deployment.