Protecting customers from the Ticketmaster Breach: Monzo's story

I’m curious, who’s gonna be paying for that? Are those just the risks of doing business for any bank, or can Monzo (and other banks affected by this) hold Ticketmaster liable for the breach?

6 Likes

Fantastic. Curious how often this occurs with legacy banks, if at all.
Is Monzo unique in its approach to analysis and talking to vendors or is it just unique in its transparency?

I also want to know about the repercussions for Ticketmaster since they didn’t announce or confirm sooner. Why don’t they explain how they missed what Monzo caught? :upside_down_face:

As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.

Not soon enough, I guess. Also no mention of Monzo in this post.

2 Likes

Some mad /r/IWasWrongAllAlong material

The blog post mentions Ticketmaster saying no other bank has reported any breach to them, so either TM is lying, or (more probably) the legacy bank’s fraud detection systems didn’t see anything unusual (or at the very least, weren’t advanced enough to pinpoint the breach to this specific merchant).

1 Like

Surely they picked up on the fraud, stopped any further transactions and then just didn’t look into it any further? I would be surprised if banks went to this level on investigation for every single time card details leak, no?

2 Likes

We have a huge benefit in that our customers notice fraud very quickly due to the real time nature of our notifications. We have been working closely with other banks and many of the other UK banks did also start to corroborate what we had seen. By the end of May most of the large banks had identified Ticketmaster as a potentially breached merchant. It’s probably fair to say that our modern technology stack allows us to spot and react to things more rapidly than some of the other banks, but as an industry we have a lot of collaboration and we work together to help keep our customers’ money safe.

31 Likes

Any chance of some info on how my card got ‘cloned’ circa 36 hours ago??

It’s not often possible to tell how a card got cloned: it could have been at an ATM that had been tampered with, at a payment terminal that had been tampered with, or someone could have simply walked past you in the street and used a contactless skimmer.

2 Likes

Contactless skimmers don’t work do they? The worst they can do is process the transaction in-place on their own merchant account, right? I thought “pre-play” attacks were mitigated already, but even if not they could’ve only done a single fraudulent contactless transaction right?

You can skim the mag stripe contactlessly.

2 Likes

Wow. Might have to scrape it off then :grin:

Great work guys! Given how early Monzo spotted this, presumably no other bank is doing similar work as quick as this. In the future do we think fraudsters will begin to actively avoid Monzo cards in order to evade detection?

1 Like

Really interesting run-through of events. I’ve a question that I don’t really expect to get an answer to, but I’ll ask it anyway as I’m an infosec guy and naturally this sort of thing interests me.

I’m curious what the cost of this incident is to you? It’s 6000 replaced cards, but Ticketmaster is clearly a niche merchant for your customers (0.8%). If it had been a major supermarket or petrol company and you follow the same replacement principle, it could be a much higher number. Factor in the increasing rate and size of breaches and you’ve got ongoing cost and presumably, logistical issues (not just you, all the FS companies are in the same boat).

Anyway, nice work.

1 Like

As a fraudster it makes total sense to avoid challenger banks’ BIN ranges (the first 6 digits of the card number), as the success in cashing out as much money as possible from the card is directly related to how long it takes for the customer to notice. If all you can do is a single purchase before they freeze the card then it isn’t worth it. It’s even worse when you have to first “check” the card with a low-value online purchase, but with instant notifications, even if the card checks good, it will tip off the account holder and they’ll freeze the card before you can actually take any real money off them.

I’m sure the “underground” will figure out a solution to this once all cards have instant notifications, but until then it makes sense for them to simply ignore those cards and focus on the legacy ones.

Here’s a story of how Monzo completely foiled some idiot’s plan to steal bags and get free stuff using his card, thanks to instant notifications.

6 Likes

My cloning was 9 mins between card check and an attempt at a £2,800.00 withdrawal. This failed due to most money being in pots. Interestingly they then left the account for an hour before beginning to hammer it with multiple $1 transactions. The card was frozen and subsequently cancelled by then. All cunningly timed to start at half past midnight…

6 Likes

The $1 transactions were most likely automated checks by whatever shady platform the compromised card was sold on - most of them allow you to automatically “check” cards (internally they attempt a low-value purchase at a merchant with poor fraud checks).

Can you ping an email to daniel@monzo.com so I can take a look at your account, that sounds interesting.

2 Likes

Done!

They weren’t card checks as they were all from the same merchant. The card check had already happened.

1 Like
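The probe-then-cash-out timeline discussed above (a low-value “card check”, a large withdrawal attempt minutes later, then a burst of $1 attempts at one merchant) is the kind of sequence a bank’s monitoring can flag. The detector below is an added example, not Monzo’s code or anything from this thread; the transaction records, merchant names, thresholds and windows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    merchant: str
    amount: float  # in account currency; constructed sample values


# Constructed sample modelled on the timeline in the thread (not real data):
# a 1.00 probe at 00:30, a 2,800 withdrawal attempt 9 minutes later, then five
# 1.00 attempts at a single merchant roughly an hour after the probe.
T0 = datetime(2018, 6, 28, 0, 30)
SAMPLE = [Txn(T0, "online-shop-x", 1.00),
          Txn(T0 + timedelta(minutes=9), "atm-cash", 2800.00)]
SAMPLE += [Txn(T0 + timedelta(minutes=69 + i), "web-merchant-y", 1.00)
           for i in range(5)]


def flag_probe_then_cashout(txns, probe_max=5.0, big_min=500.0,
                            window=timedelta(minutes=30)):
    """Return (probe, attempt) pairs: a low-value authorisation followed
    within `window` by a high-value attempt on the same card."""
    hits = []
    ordered = sorted(txns, key=lambda t: t.ts)
    for i, probe in enumerate(ordered):
        if probe.amount > probe_max:
            continue
        for later in ordered[i + 1:]:
            if later.ts - probe.ts > window:
                break  # sorted by time, so nothing later can be in window
            if later.amount >= big_min:
                hits.append((probe, later))
    return hits


def flag_low_value_bursts(txns, max_amount=5.0, min_count=3,
                          window=timedelta(minutes=15)):
    """Return {merchant: count} for merchants seeing >= min_count low-value
    attempts inside any `window`-long span (automated 'checking' pattern)."""
    by_merchant = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.amount <= max_amount:
            by_merchant[t.merchant].append(t.ts)
    flagged = {}
    for merchant, times in by_merchant.items():
        for i, start in enumerate(times):
            n = sum(1 for ts in times[i:] if ts - start <= window)
            if n >= min_count:
                flagged[merchant] = max(flagged.get(merchant, 0), n)
    return flagged
```

Both heuristics are deliberately simple; in practice the thresholds would be tuned per card-holder history and combined with the real-time notification the thread credits for the early freeze.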

attempt at £2,800.00 withdrawal

How is that possible? I thought “online” card details by themselves weren’t enough to make a card clone that could work for ATM withdrawals? Or did they find a new vulnerability?