Protecting customers from the Ticketmaster Breach: Monzo's story

It’s not often possible to tell how a card got cloned: it could have been at an ATM that had been tampered with, at a payment terminal that had been tampered with, or someone could simply have walked past you in the street and used a contactless skimmer.

2 Likes

Contactless skimmers don’t work do they? The worst they can do is process the transaction in-place on their own merchant account, right? I thought “pre-play” attacks were mitigated already, but even if not they could’ve only done a single fraudulent contactless transaction right?

You can skim the mag stripe contactlessly.

2 Likes

Wow. Might have to scrape it off then :grin:

Great work guys! Given how early Monzo spotted this, presumably no other bank is doing similar work as quick as this. In the future do we think fraudsters will begin to actively avoid Monzo cards in order to evade detection?

1 Like

Really interesting run through of events. I’ve a question that I don’t really expect to get an answer to, but I’ll ask it anyway as I’m an infosec guy and naturally this sort of thing interests me.

I’m curious what the cost of this incident is to you? It’s 6,000 replaced cards, but Ticketmaster is clearly a niche merchant for your customers (0.8%). If it had been a major supermarket or petrol company and you followed the same replacement principle, it could be a much higher number. Factor in the increasing rate and size of breaches and you’ve got ongoing cost and, presumably, logistical issues (not just you; all the FS companies are in the same boat).

Anyway, nice work.

1 Like

As a fraudster it makes total sense to avoid challenger banks’ BIN ranges (the first 6 digits of the card number), as success in cashing out as much money as possible from the card is directly related to how long it takes for the customer to notice. If all you can do is a single purchase before they freeze the card then it isn’t worth it. It’s even worse when you have to first “check” the card with a low-value online purchase: with instant notifications, even if the card checks good, it will tip off the account holder and they’ll freeze the card before you can actually take any real money off them.

I’m sure the “underground” will figure out a solution to this once all cards have instant notifications, but until then it makes sense for them to simply ignore those cards and focus on the legacy ones.

Here’s a story of how Monzo completely foiled some idiot’s plan to steal bags and get free stuff using his card, thanks to instant notifications.

6 Likes

My cloning was 9 mins between the card check and an attempt at a £2,800.00 withdrawal. This failed due to most of the money being in pots. Interestingly, they then left the account for an hour before beginning to hammer it with multiple $1 transactions. The card was frozen and subsequently cancelled by then. All cunningly timed to start at half past midnight…

6 Likes

The $1 transactions were most likely automated checks by whatever shady platform the compromised card was sold on; most of them allow you to automatically “check” cards (internally they attempt a low-value purchase at a merchant with poor fraud checks).

Can you ping an email to daniel@monzo.com so I can take a look at your account? That sounds interesting.

2 Likes

Done!

They weren’t card checks, as they were all from the same merchant. The card check had already happened.

1 Like
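The timeline described in this exchange (a low-value card check, a large withdrawal attempt nine minutes later, then a burst of $1 attempts at a single merchant) is the kind of sequence a card issuer's rule engine can pick up before a human does. The following is an added example of that detection logic, not Monzo's code or anything from the original thread: the record layout, the sample authorisation timeline, the thresholds (a "check" is at most 2.00, a cash-out at least 500.00 within 15 minutes, a burst is five or more low-value attempts at one merchant within 10 minutes) and the merchant names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Auth:
    """One authorisation attempt on a card (constructed record layout, not an issuer's)."""
    ts: datetime
    amount: float      # single currency unit for this example; a real system would normalise
    merchant: str
    approved: bool


# Constructed sample timeline modelled on the post above: a 1.00 "check",
# a declined 2,800 withdrawal 9 minutes later, an hour of silence, then a
# burst of 1.00 attempts at one merchant, plus an unrelated coffee purchase.
T0 = datetime(2018, 6, 28, 0, 30)
SAMPLE_AUTHS: List[Auth] = [
    Auth(T0, 1.00, "ONLINE-STORE-A", True),
    Auth(T0 + timedelta(minutes=9), 2800.00, "ATM-CASH", False),
] + [
    Auth(T0 + timedelta(minutes=69 + i), 1.00, "MERCHANT-B", False) for i in range(6)
] + [
    Auth(T0 + timedelta(hours=8), 2.50, "COFFEE-SHOP", True),
]


def find_check_then_cashout(auths, max_check=2.00, min_cashout=500.00,
                            window=timedelta(minutes=15)):
    """Flag a low-value probe followed within `window` by a high-value attempt.

    The cash-out attempt is flagged whether or not it was approved: a declined
    2,800 withdrawal minutes after a 1.00 probe is still a strong signal.
    """
    alerts = []
    ordered = sorted(auths, key=lambda a: a.ts)
    for i, probe in enumerate(ordered):
        if probe.amount > max_check:
            continue
        for later in ordered[i + 1:]:
            if later.ts - probe.ts > window:
                break
            if later.amount >= min_cashout:
                alerts.append(("check_then_cashout", probe.ts, later.ts, later.amount))
                break
    return alerts


def find_low_value_burst(auths, max_amount=2.00, min_count=5,
                         window=timedelta(minutes=10)):
    """Flag min_count or more low-value attempts at a single merchant inside `window`.

    Sliding window per merchant: one alert per merchant, reported on the
    first window that reaches the threshold.
    """
    alerts = []
    by_merchant: Dict[str, List[datetime]] = {}
    for a in sorted(auths, key=lambda a: a.ts):
        if a.amount <= max_amount:
            by_merchant.setdefault(a.merchant, []).append(a.ts)
    for merchant, stamps in by_merchant.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                alerts.append(("low_value_burst", merchant, stamps[start], stamps[end]))
                break
    return alerts


def run_rules(auths):
    """Run both rules over a card's authorisation history and return all alerts."""
    return find_check_then_cashout(auths) + find_low_value_burst(auths)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_AUTHS):
        print(alert)
```

On the constructed timeline the first rule fires once (the 1.00 probe at 00:30 followed by the 2,800 attempt at 00:39) and the second fires once for MERCHANT-B; the lone coffee purchase produces nothing. The thresholds are deliberately crude: in practice the "check" amount and the window would be tuned per issuer and per merchant category, and the rules would run on a stream rather than a sorted list.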

attempt at £2,800.00 withdrawal

How is that possible? I thought “online” card details by themselves weren’t enough to make a card clone that could work for ATM withdrawals? Or did they find a new vulnerability?

That’s crazy! This has cost Monzo about £55,000!!! Crazy!

2 Likes

The affected company is given a reasonable time to fix the issue then if they fail to do so the information is made public anyway.

Most companies work with researchers to fix things… in those cases it does in effect mean information isn’t released until the product is fixed. However, a few want to sit on their problems and pretend they will go away; it’s this latter group that the time limits are there for… a form of public shaming.

1 Like

I’m very impressed with Monzo’s proactive response here - and the transparency of what was done to protect its customers.

Also great to see Monzo get some coverage for this in the press too.

Very proud to be a Monzo account holder and Investor!
:clap: :clap:

3 Likes

I’m not one of the affected ones, however things like this and the subsequent transparency will likely mean I will be sticking with Monzo for the foreseeable.

4 Likes

I hadn’t seen that, but it partially answers my question. Thanks :slight_smile:

But you can’t skim enough data from contactless to make a functional card. And you should be able to easily look at the data presented to get an idea of how the data was obtained.

1 Like

Please explain in depth why you say this. You can’t get CVC1 over contactless. @Rika can you shed any light?

1 Like