China’s nascent P2P lending industry finds itself under assault by hackers

By Wang Jiamei Source: Global Times Published: 2015-7-7 18:58:31

In the online cross hairs


Hacker attacks have become a common occurrence in China's peer-to-peer (P2P) lending industry. In many cases, hackers bring down a platform in an effort to extort money or because they're working for a rival. But many P2P lending platforms have left themselves open to such attacks by failing to invest enough in cyber security.



 








Three weeks after a hacker attack, business seems back to normal on xinrong.com, a Shenzhen-based peer-to-peer (P2P) lending website.

"The attack only caused a temporary flood of traffic, and our services went back to normal right after," a customer service representative from the website told the Global Times Monday.

Specifically, xinrong.com was hit by a massive distributed denial-of-service (DDoS) attack, which interrupted its online services from 11:04 am on June 15 to 9 am on June 16, according to a company announcement on the website on June 16.

A DDoS attack typically works by overwhelming the targeted website with useless traffic from multiple sources, leaving it incapable of responding to its users.

Nevertheless, the Shenzhen-based P2P website reassured its investors in the same announcement that all of the data on the platform remained secure, despite the attack.

Xinrong.com is not the only P2P lending website that hackers have targeted recently. At nearly the same time, two other sites, Chengdu-based bao.cn and Shenzhen-based liyedai.cn, suffered similar attacks, the Guangzhou-based newspaper Information Times reported on June 18.

Hacker attacks are nothing new for P2P websites, said Luo Lei, chief operating officer of Shanghai-based P2P platform yingdainet.com, which was launched in July 2014.

"The industry has always been under the threat of hacker attacks. It happens from time to time," he told the Global Times on June 30.

While experiencing wild growth in recent years, China's Internet finance industry - in particular, online P2P platforms, with their large volumes of financial transactions and big databases of user information - has also been attracting hacker attacks.

According to the latest report from an international anti-hacker group, global hackers are now targeting China's P2P lending websites, Wu Xiaoling, vice chairman of the Financial and Economic Affairs Committee of the National People's Congress, was quoted as saying by news portal forbeschina.com in January.

Undermining confidence

In 2014, 278 P2P platforms experienced operational problems, among which 231 reported system failures, data tampering, missing funds and other problems due to hacker attacks, according to statistics from a report by china.com.cn in January.

"In most cases, hackers use DDoS attacks to overload website servers with floods of messages, and there is no way to reject those messages because they all come from different IP addresses," Luo said.

All the platforms have their own backup systems, which are usually off-line and enable the platforms to recover all their data immediately once the attack stops, he explained.

"Technically speaking, such hacker attacks are unlikely to cause any financial losses for those P2P platforms," a programmer surnamed Dai, who works for a Shanghai-based P2P lending platform, told the Global Times on June 30. He asked not to disclose his full name and his employer's name as he is not authorized to speak with the media.

Ma Jun, chief analyst at Shanghai-based wangdaizhijia.com, a Web portal that follows the industry, agreed with Dai, saying that he has never heard a real case about hackers successfully stealing money from a P2P platform.

But that doesn't mean hackers attack a platform for nothing. According to a report from the Beijing Business Today, there are various motives behind hacker attacks. In most cases, hackers bring down a platform to extort money from the operator; or, given the fierce competition in the online finance industry, some platforms might be hiring hackers to attack their rivals.

The attacks don't even necessarily need to cost the target site any money to be successful.

"The reason why it works is because investors' confidence in those P2P websites is actually fragile," Ma told the Global Times on July 1.

Although China's P2P lending industry has been growing rapidly over the past years, stories about owners of troubled platforms who run off are not uncommon.

"Once investors find they cannot log onto a P2P platform, they believe that their money is no longer safe there," Ma said. "This could easily affect capital flow and may even make it difficult for investors to withdraw cash from the site."

"User information can also be compromised by a hacker attack, which may cause customers to lose faith in a platform, hurting its future business," Luo said.

Skimping on security

The relatively weak security at many P2P lending platforms is a major reason why they have been a common target for hackers, the Beijing Business Today reported.

"Big P2P companies usually have their own IT team to develop and maintain the system, while smaller ones generally hire contracted teams to develop the system and employ some part-time software engineers for regular maintenance," Luo said. "Some platforms may even buy a P2P model system from software developers like [Xiamen-based] Diyou and make their own modifications to the system."

Using an off-the-shelf software system to create a P2P platform is risky, Dai said. If a hacker finds a weakness in the model system's security, then all the platforms built based on the same system would be in danger.

Compared with traditional financial institutions that spend billions of yuan developing and maintaining their financial systems every year, China's P2P lending platforms spend much less to build their systems and maintain security.

"It costs less than 1 million yuan ($161,025) for an operator to contract a team or buy a model system to create a P2P platform," Dai said.

Many small platforms are unwilling to spend a lot of money on security, perhaps because they believe there's only a slim chance that hackers will target them, Ma said.

According to the Information Times report, larger platforms tend to attract more attacks. For instance, major Chinese P2P lending sites such as renrendai.com and ppdai.com have both been attacked in recent years.

"But it doesn't necessarily mean that smaller P2P platforms should feel it's safe to skimp on IT expenses," Luo said.

If platforms are unwilling to strengthen their security, regulators should give them a push, but considering that the industry is so new, that may take some time, Dai said.

Due to the frequent hacker attacks on P2P lending sites, some market insiders have begun calling for regulators to do something about the security problem, according to the Information Times.

"From what I've heard, regulators may consider adding certain IT standards to the requirements for running a P2P lending platform," Ma said.


