Startup bank Monzo: We warned Ticketmaster months ago of site fraud

Compromised payment cards detected in April, JavaScript code meddling revealed in June

Musician Lotte on stage in Germany
That's your Lotte ... Concert fans had their bank cards swiped

Online bank Monzo said it warned Ticketmaster that something weird was going on in early April, two months before the ticket-slinging giant revealed its payment pages had been hacked.

Monzo detected an abnormal number of customers who had both bought tickets from Ticketmaster since December and had fraudulent activity on their cards, leading staff to believe the two were related. On April 12, Ticketmaster staff visited the startup bank's offices to see the evidence, we learned on Thursday this week.

According to Monzo, 50 customers had complained on April 6 that someone had hijacked their bank cards and spent their money – and 35 of them, or 70 per cent – had used Ticketmaster.

"This seemed unusual, as overall only 0.8 per cent of all our customers had used Ticketmaster," Natasha Vernier, Monzo's head of financial crime, said. A week later, on April 19, Ticketmaster told the upstart bank that, in Vernier's words, "an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns."

Fast forward to June 27, this week, and Ticketmaster admitted hackers gained access to the personal details and sensitive payment card information of up to five percent of its customer base.

Miscreants were able to modify JavaScript code on Ticketmaster's payments pages to siphon off people's information over the course of several months until June 2018. We asked the ticket-touting biz when exactly it learned of the cyber-break-in, and why the Monzo's discoveries were not passed on to the public months ago. In response, Tickermaster offered the following statement:

When a bank or credit card provider alerts us to suspicious activity it is always investigated thoroughly with our acquiring bank, which processes card payments on our behalf. In this case, there was an investigation, but there was no evidence that the issue originated with Ticketmaster.

Indeed, Ticketmaster blamed third-party supplier Inbenta for the security cockup. US-based Inbenta developed and hosted code for Ticketmaster's customer support site, as well as some JavaScript customized purely for Ticketmaster. According to Inbenta, this JavaScript was placed on the payments pages without Inbenta's knowledge. This was a bad move because the code was not secure, and was abused by hackers to alter files on Inbenta's servers, and ultimately snoop on ticket buyers.

According to an FAQ, the JavaScript was "a point of vulnerability that affects the capacity for web forms to upload files. It appears that the attacker used this vulnerability."

Someone playing an instrument

Ticketmaster gatecrash: Gig revelers' personal, payment info glimpsed by support site malware

READ MORE

"Had we known that the customized script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability," Inbenta CEO Jordi Torras said in a statement.

We're told crooks modified this script code, hosted on Inbenta's servers, "to extract the payment information of Ticketmaster customers," said Torras.

So, Inbenta was hacked to alter the JavaScript used on Ticketmaster's site in order to steal sensitive data. Monzo said it spotted Ticketmaster-linked fraud in April. Ticketmaster had a rummage around, and found no signs of any hacking on its own systems. Then, by June, Ticketmaster said it had discovered Inbenta's JavaScript code on its site had been hijacked to steal gig-goers' payment information.

"The source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster’s particular requirements," said Torras. "This code is not part of any of Inbenta’s products or present in any of our other implementations. Ticketmaster directly applied the script to its payments page, without notifying our team."

Impact

UK customers who bought, or tried to buy, a ticket from Ticketmaster between February and June 23 this year, and international customers who flashed the plastic from September 2017 to earlier this week, were at risk. As many as 40,000 Brits had their details slurped.

If Monzo’s warnings had been fully followed up, fewer customers would have been impacted, said Tony Pepper, chief exec of data security outfit Egress.

“There are going to be a few eyebrows raised this morning about this breach and when Ticketmaster really discovered it,” Pepper said.

“Clearly data was at risk for some time and apparently, Ticketmaster had been alerted to the issue but didn’t heed those warnings. It is going to be interesting to see how the ICO reacts when they get to the bottom of this, given the emphasis now placed on data breach reporting and reflected in the changes made under the GDPR.”

Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, commented: "Hackers have, for years, used vulnerabilities in websites and other connected applications as a point of breach. Once through, it is only a hop, skip and jump into databases, web servers and other crucial infrastructure. It looks like that is exactly what has happened to Ticketmaster – and it’s the customers who pay."

Ticketmaster responded to the intrusion by contacting those who may have had their info swiped by miscreants, and offering a free 12-month identity monitoring service. The malicious JavaScript code snatched Ticketmaster's customer names, addresses, email addresses, telephone numbers, payment details, and login credentials. Affected users are being advised to change their passwords.

The Ticketmaster cyber-break-in is the first major computer security breach since Europe's GDPR came into effect on May 25, so close attention will be paid on whether Ticketmaster complied with the regulation relating to breach notification and adequate security. ®




Biting the hand that feeds IT © 1998–2018