Home / Digital Bank / When the bank knows you’ve been hacked (before everyone else)

When the bank knows you’ve been hacked (before everyone else)

You may have seen that Ticketmaster just announced that thousands of customers worldwide may have been affected by a hack. If you didn’t here’s the low-down (via ABC News)

The company said its British business, Ticketmaster UK, identified malicious software on a customer support product which was hosted by a third-party supplier Inbenta Technologies. Around 30,000 customers in the UK were identified as being affected by the data breach.

Inbenta is a Spanish company, based in the United States, which produces “artificial intelligence and natural language processing” software.

“As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites,” Ticketmaster said in a statement on Thursday. The company has known about the threat to its customer data for five days – since Saturday, June 23. The personal information which may have been compromised includes name, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details. Ticketmaster said it did not know how its customers’ information was “accessed by an unknown third party”. It said it was currently working with forensic teams and security experts “around the clock”.

Ticketmaster has identified two groups of customers who may be affected by the data breach:

  • UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018
  • International customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018

It also confirmed that none of its North American customers had their details compromised.

“Less than 5 per cent of our global customer base has been affected by this incident,” the company said. “If you have not received an email, we do not believe you have been affected by this security incident based on our investigations.” Customers who have been affected have been urged by Ticketmaster to change their passwords. The ticket vendor also told customers to monitor their account statements “for evidence of fraud or identity theft”, and said they should contact their banks or credit card companies if they had any concerns.

Ok, so that’s fairly run-of-the-mill stuff as some firm somewhere gets hacked every day, and some thousands or millions of people have their email addresses, passwords and other info leaked every day. So what?

Well, I find the line: “The company has known about the threat to its customer data for five days – since Saturday, June 23”, highly suspect as The Guardian reports the incident very differently.

Digital bank Monzo was the first to spot customers’ cards were being compromised. It identified in April that the common factor behind a spike in frauds was that every customer who lost money had also had interaction with Ticketmaster.

On 12 April it warned Ticketmaster of the issue, but “couldn’t get any traction” out of the company, according to Monzo’s head of financial crime, Natasha Vernier.

In the meantime, Monzo contacted all customers who had ever dealt with Ticketmaster – about 5,000 – to replace their cards.

It also told banks that are part of the UK Finance group in April that it was aware of what appeared to be a significant data breach at Ticketmaster.

Monzo’s experience suggests that anyone who has bought a ticket through Ticketmaster should check their accounts for unusual transactions involving Xendpay, Uber and Netflix. None of these companies were involved in the fraud itself, but were the means by which the fraudsters were able to steal money from people’s accounts.

In other words, Monzo’s smart systems were spotting and reporting unusual transaction activity on accounts from way back when. They told Ticketmaster in April, three months ago, and got no reaction. They told other banks, although I haven’t seen other banks noticing or reporting these events. To be clear, Monzo’s Natasha Vernier has written a blog about what they saw going on:

On Friday 6th April, around 50 customers got in touch with us to report fraudulent transactions on their accounts and we immediately replaced their cards. This happens every day, as banks are constantly targeted by financial criminals, so this wasn’t immediately unusual. But as always, we did some analysis to try to identify any trends that might help our customers.

After investigating, our Financial Crime and Security team noticed a pattern: 70% of the customers affected had used their cards with the same online merchant between December of last year and April this year. That merchant was Ticketmaster. This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster.

Within four and a half hours, the team rolled out updates to our fraud systems to block future transactions on other customers’ cards that looked suspicious in a similar way. That evening, we reached out to other banks and the US Secret Service (who are responsible for credit card fraud in the US) to let them know what we’d seen and ask if they’d seen anything similar. At the time, they hadn’t.

Over the following weekend we saw attempted transactions on four of our customer’s cards that our fraud system automatically blocked. Of those four cards, two had previously been used at Ticketmaster. The next week, we saw four more compromised cards, that had all been used at Ticketmaster.

Given the pattern that was emerging, we decided to reach out to Ticketmaster directly. On Thursday 12th April, members of the Ticketmaster security team visited the Monzo office so we could share the information we’d gathered. They told us they’d investigate internally.

By the next week, another nine cards had been used fraudulently and all of them had been used to make Ticketmaster transactions. One of those cards had been previously used for an attempted transaction at Ticketmaster, but the expiry date had been typed incorrectly so the transaction had failed. That same (incorrect) expiry date was then used in an attempted fraudulent transaction on the Monday, providing further evidence that Ticketmaster was the source of the breach. We shared this information with both Ticketmaster and the US Secret Service.

At this point we were confident that there’d been a breach, so we told Mastercard directly and decided to proactively replace every Monzo card that had been used at Ticketmaster.

Over the course of Thursday 19th April and Friday 20th April, we sent out six thousand replacement cards to customers who had used their Monzo cards at Ticketmaster. We let them know that we were replacing their cards through their Monzo app, but didn’t name Ticketmaster as the reason at the time.

Throughout this period we were in direct contact with Ticketmaster. On Thursday 19th April, they told us an internal investigation had found no evidence of a breach and that no other banks were reporting similar patterns.

In other words, Monzo has shown itself to be a step ahead of everyone when it comes to tracking fraudulent activity on this occasion. This is neat as a bank should know about vulnerabilities before everyone else, if they’re worth their salt. Most banks don’t know this because their systems are not real-time.

Nice one Monzo, and a great headline for the challenger … although not so nice for Ticketmaster. WHY WEREN’T YOU LISTENING????

Keep it up guys.


PS: this blog seems to be becoming a never-ending advert for Monzo and Ant Financial. Be clear: neither company pay me anything; I have no ties to either company; I am not endorsing either company. I just seem to get a never-ending stream of news about how amazingly good they are at FinTech, so I end up talking about them more than others. Watch this space as I’m sure that Revolut and WeChat Pay will be my next big items.

Also, to be clear, I often talk about some banks as digital leaders such as BBVA, DBS, JPMorgan, Goldman Sachs and others. They do not pay me; have no affiliations with me (apart from friendships); and are not referenced as advertising. I am purely mentioning them as they are getting past the gate first in digital transformations of old banks.

About Chris M Skinner

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News. To learn more click here...

Check Also

Would you believe they put a man on the moon?

… “Any sufficiently advanced technology is indistinguishable from magic” Arthur C. Clarke This quote has …