A payment processor account holds the operating cash of a business, the customer card list, and the keys to receivables. The account is more valuable than the cash sitting in it. An attacker who controls a payment account can route deposits to a new bank, refund recent charges to themselves, or initiate transfers that the genuine owner has no view of until the next reconciliation.
The route in is rarely the password. It is the recovery flow. A founder who set up the account years ago with a phone number that is no longer in use, or with an email on a domain that has lapsed, has left a door open that they have long stopped checking. The account works fine in normal use; the door is only visible to someone looking for it.
What changes once an attacker is inside is operational, not technical. The first move is usually to add a new bank account as a payout destination and change the schedule of payouts. The second is to suppress notifications. By the time the legitimate owner sees a missed deposit, the route has been used.
The defences are not mysterious, but they are usually neglected. The recovery email and phone on the account should belong to the present moment, not to the year the account was opened. Two-factor authentication on the operator account should use a hardware key, not a phone number that can be moved. A second person should have view-only access for cross-checking the payout schedule on a separate cadence from the operator.
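One way the view-only reviewer could run that cross-check is sketched below as an added example; it is not code from this page or from any payment processor. The event names, the 72-hour window and the sample log are assumptions, constructed for illustration, and would need mapping to whatever the processor's audit log actually records.

```python
from datetime import datetime, timedelta

# Hypothetical event names; map them to your processor's audit log vocabulary.
RISKY = {"payout_destination_added", "payout_schedule_changed", "notification_disabled"}
WINDOW = timedelta(hours=72)  # assumed window, tune to your payout cadence

# Constructed sample audit log: (ISO timestamp, account, actor, event)
SAMPLE_EVENTS = [
    ("2024-03-01T09:12:00", "acct_A", "operator", "login"),
    ("2024-03-01T09:15:00", "acct_A", "operator", "payout_destination_added"),
    ("2024-03-01T09:17:00", "acct_A", "operator", "payout_schedule_changed"),
    ("2024-03-01T09:20:00", "acct_A", "operator", "notification_disabled"),
    ("2024-03-02T14:00:00", "acct_B", "operator", "payout_schedule_changed"),
    ("2024-03-20T10:00:00", "acct_B", "operator", "notification_disabled"),
]

def review_payout_changes(events, window=WINDOW):
    """Return one finding per account that has any risky change.

    'events' in a finding is the largest set of risky event kinds seen
    inside a single window. Severity is 'high' when a new payout
    destination coincides with a schedule or notification change,
    otherwise 'review'.
    """
    by_account = {}
    for ts, account, _actor, event in events:
        if event in RISKY:
            by_account.setdefault(account, []).append((datetime.fromisoformat(ts), event))
    findings = []
    for account, items in sorted(by_account.items()):
        items.sort()
        best = set()
        for i, (start, _) in enumerate(items):
            # Kinds of risky change that occur within `window` of this event
            kinds = {e for t, e in items[i:] if t - start <= window}
            if len(kinds) > len(best):
                best = kinds
        high = "payout_destination_added" in best and len(best) >= 2
        findings.append({"account": account, "events": sorted(best),
                         "severity": "high" if high else "review"})
    return findings

if __name__ == "__main__":
    for finding in review_payout_changes(SAMPLE_EVENTS):
        print(finding)
```

The review is only independent if the log export reaches the second person through a channel the operator account cannot edit or silence.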
The picture is rarely flattering to anyone who has not been watching it carefully.