Protecting customers from the Ticketmaster Breach: Monzo's story

Perhaps 30cm is too far, what I was attempting to convey (but didn’t word very well) is that most people believe you need physical contact with the mag stripe to read it and thus if a card is in your pocket it will be safe. Physical contact is not required and the contents of the mag stripe can be used without any additional info (unlike other interfaces).

2 Likes

I’m skeptical - how do you determine the order of bits? Hence the request for any references you have.

Fair. There definitely are tricks you could use to read through envelopes, etc. That’s trivial. Still, in a moving environment I don’t see reading a magstripe in a wallet as feasible. Much easier to just skim the stripe with a skimmer.

I’ve done some investigation and all I can say is I am extremely skeptical that this is anything other than urban myth.

The low density track has approximately 0.3mm between the magnetic dipoles forming the bits. A reader at 1cm is over 30 times this distance away from the dipoles - it won’t have any chance of distinguishing the dipoles from each other, if it can sense them at all given the inverse cube law magnetic strength reduction.

3 Likes

Just going to leave this here: https://twitter.com/danielchatfield/status/1012692135215185920

13 Likes

NS Tech: Ticketmaster breach led to “quite a big” financial loss for Monzo, claims bank’s CEO.

6 Likes

Maybe it’s time to look into separate card numbers? To avoid the expense of replacing physical cards for those customers that used a card number generated from the app.

7 Likes

An outstanding response and great transparency from Monzo. Congratulations to all responsible for the detective work and the response.

:clap:

1 Like

Received my replacement card yesterday.

Excellent work

Thank you

This demonstrates that Monzo is a real bank, with all the maturity of the established players but without the legacy thinking that makes them so frustrating to deal with. As consumers we see all the wonderful updates in app functionality, but it’s the backend that really makes a bank. Well done, ladies and gentlemen, for becoming market leader in this space so quickly.

10 Likes

An MRI machine “reads” radio pulses emitted by relaxing hydrogen nuclei. There is no hydrogen (or only trace amounts) in a magstripe, so you shouldn’t see anything from a mag stripe in an MRI scanner.
Had to jump in there - I don’t know the intricacies of finance but I do know Physics :slight_smile:

4 Likes

no other banks were reporting similar patterns.

That’s why a lot of us are here.

3 Likes

I have a couple of questions regarding this that I really would like Monzo to answer:

  1. Why did you wait until Ticketmaster made a public disclosure before publishing your timeline of what you did?

  2. Why did you not contact the UK police? I understand there are industry procedures to follow - which you obviously have - but you do not mention the UK police specifically.

With relation to (2), I am referring to the Proceeds of Crime Act 2002 and the reporting obligations therein.

In infosec, there’s a process of responsible disclosure regardless of how bad the event is. The process is usually, “We discovered X, you have Y months to fix it, and then we publicise our discovery”. It is surprising to see how much they worked with Ticketmaster.

It was actually the transparency of how Monzo handled this which made me join on Friday (received my card on Saturday morning, damn quick). I was originally under the impression Monzo were just another “Meme Bank” offering pre-paid cards. Currently getting my wages moved to Monzo and doing a partial switch from RBS.

13 Likes

Monzo won you over quick! Welcome :slight_smile:

3 Likes

I spent most of Saturday morning looking through Companies house documents and looking through the financial services register before deciding to switch :slight_smile:

4 Likes

Amazing work, Monzo! That’s it, I’m definitely switching from my High St bank now!

To be fair, I bet they want to do this too, but I bet their legacy core banking infrastructures are so complex that it’s simply impossible to get this level of visibility into what’s going on. This really requires a greenfield approach to the whole problem.

2 Likes

I think it is summarised fairly well in this article: http://tech.newstatesman.com/security/ticketmaster-breach-monzo-tom-blomfield

“We talked with our lawyers quite extensively at the time and we didn’t feel comfortable disclosing information that could have a material impact on the company’s value,” he says. “Our number one priority is making sure our customers’ money is safe so we took all the steps we could to keep our customers safe.”

Why did you not contact the UK police? I understand there are industry procedures to follow - which you obviously have - but you do not mention the UK police specifically.

We contacted a mailing list which the police and NCA are members on.

With relation to (2), I am referring to the Proceeds of Crime Act 2002 and the reporting obligations therein.

It is not standard practice (nor required by that legislation) to report card fraud to the police. The police would almost certainly not accept such a report. We do communicate and collaborate with law enforcement daily but the police don’t investigate card fraud.

13 Likes

Thanks for that. Questions asked and answered.

1 Like

I feel guilty that I bank with you and millions miss out.

Keep up the good work. It really is appreciated.

Thank you.

5 Likes