Feeds

Footy lovers hit in Wembley playoff card snatch scam

Man on - in the middle, claims club

SANS - Survey on application security programs

Provider Ticket Zone is continuing a joint investigation with Brentford Football Club after it emerged that card details used to buy tickets for the League One playoff final last weekend were subsequently used for fraudulent purchases.

Yeovil beat Brentford 2-1 to reach The Championship on Sunday, piling on further misery for many Bees' supporters who had been stung by the fraudulent purchases. Fan Derek Abbey first heard of the apparent scam on a Bees' forum before discovering £380 in fraudulent Oyster Card payments had been deducted from his account, the BBC reports.

Reg reader Faisal told us he was also hit.

"It appears that fraudsters were able to access my online banking account and I don’t think it was my PC that was compromised," he said.

These cases were far from isolated, prompting Brentford and Ticket Zone to launch a joint investigation. Initial forensic work points to a “man in the middle” attack rather than a problem on Ticket Zone's systems or something linked to malware on consumers' PCs, the latest statement on the investigation explains.

Brentford Football Club is continuing its investigation to find out why some card details of those using Ticket Zone to purchase tickets for the npower League One Play-Off Final were compromised.

The Club learned last week that some cardholder data from those buying tickets for the match online had been used fraudulently.

An investigation was immediately launched and initial forensic work pointed to a “man in the middle” attack.

An independent investigation of Ticket Zone’s systems and those of the specialist online queuing company, Queue-it, is now underway and the Police Active Fraud Department have been informed about the security incident and are also investigating.

An investigation as serious as this will not, unfortunately, be resolved quickly.

Brentford FC acknowledged a "great deal of inconvenience has been caused to supporters" and promised it "will not rest until the full details of what has happened have been made public". It encouraged fans to report problems to Ticket Zone, the official club online sales ticketing partner.

An earlier statement, issued shortly after complaints began and the investigation was launched last week, states that Ticket Zone does not store customer card data.

Ticket Zone does not store customer card data at any point and all information is stored in a secure token system that is approved and provided by its banking partner.

Further examinations have also been undertaken in conjunction with the Danish IT company, Queue-it, who provided the front-end queuing system ahead of the Ticket Zone site.

Once again, all systems are shown as clean.

However, following an investigation, it has been noted that a small number of attempts to access the site from unknown web destinations have arrived through unauthorised links shared via social media sites.

Ticket Zone has commissioned forensic specialists to assist their own technical teams with the on-going investigations.

All investigations point towards a MITM “man in the middle” attack intercepting internet traffic prior to landing on the queuing site.

An attack like this would allow a fraudulent third party to record key strokes as they are being made on the customer’s own browser.

When this occurs, neither the customer or Ticket Zone is aware that fraudulent data capture is taking place behind the scenes.

The crime has been reported to the Police via Active Fraud UK and they are now investigating this on Ticket Zone’s behalf.

Supporters of Bradford City buying tickets through Ticket Zone for the League Two play-off final may also have been hit by fraud, according to local reports in Yorkshire. The pattern of fraud seems to be much the same as in the Brentford case, with one Bradford fan getting hit with a £900 fraudulent PayPal charge and another getting stung for £50 in scam mobile phone top-up charges. The fraud involving Bradford City fans have also become the subject of a police investigation, the Bradford Telegraph & Argus reports.

Bradford City FC, which gained promotion to League One in a League Two play off final at Wembley last Saturday, is yet to comment on the matter.

Ticket Zone is yet to respond to our request to comment on the matter. We'll update this story as and when we hear more. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.