Ticketmaster breach 'part of massive bank card slurping campaign'

The Ticketmaster breach was not a one-off, but part of a massive digital credit card-siphoning campaign. Threat intel firm RiskIQ reckons the hacking group Magecart hit Ticketmaster as part of a massive credit card hacking campaign affecting more than 800 ecommerce sites. Magecart has evolved tactically from hacking …

  1. Anonymous Coward

    If Ticketmaster put all the surcharges above the face value of tickets it takes from customers into the security of its systems, I'm sure it would have a multi-million pound annual budget to keep customer card data safe.

    Back in reality I guess the spin will be "we are working with 3rd parties to secure their systems".

    1. Dan Wilkie

      Whilst I agree with the sentiment, even I wouldn't start a business that put all its money into security. How do I get paid, and how do I advertise to get customers?

      I know that is taking it more literally than you mean, but remember where you are, there's people that will take it that literally ;)

      1. Anonymous Coward

        'there's people that will take it that literally ;)'

        Ticketmaster: Thanks for the tip @ Dan Wilkie! We need to outsource more of our operations and quickly. Let 3rd-Parties take the heat / blame so our brand remains virginal and pure!

      2. Doctor Syntax Silver badge

        "I wouldn't start a business that put all its money into security. How do I get paid"

        The OP didn't say all the money. He said surcharges - the skimming over and above the commission it gets for selling the ticket in the first place.

  2. streaky

    WHY...

    ... are people putting third-party analytics etc. on pages in scope for PCI DSS? Just why? Also, why aren't PCI, Visa, Mastercard etc. doing anything about it? Think we're overdue some adults in the sandbox who are in a position to give a shit removing card services from these people.

    1. Nick Ryan Silver badge

      Re: WHY...

      PCI is very prescriptive and focussed about most things. Unfortunately this means that, because of this level of prescription and focus, elements that are not specifically covered are missed out entirely because the rules don't cover them, even if they should. The more specific the set of rules, the more holes there are in them.

    2. EnviableOne

      Re: WHY...

      Quite frankly there are bigger holes in payment processing than this and they aren't even bothered about fixing them.

      The first four digits are set by the type of card and issuing bank, then you can start inventing data and sling it at the payment network (which has no retry limits) and brute force yourself a valid CC number, CVV, expiry and digits in postcode (the only bit it ever checks), and don't even bother with the name on card (this never gets checked anyway). Oh, and if you fire a valid number at the system it will tell you which bits you got wrong too...

      1. Antron Argaiv Silver badge

        Re: WHY...

        ...digits in postcode (the only bit it ever checks,)

        Not true. Apparently, there are degrees of authentication. I have two addresses, one for billing, one for delivery. Same postcode (ZIP, actually, as I'm in the US).

        I occasionally get lazy and use the delivery address for the billing address, so I don't have to enter two addresses. I have had charges declined because the billing address didn't match (even though the card issuer has been informed that the delivery address is a valid secondary address for the account).

        This doesn't happen all the time; it seems related to the amount being charged, but not always. I'm led to believe that this may be an option, "require full billing address match", for the vendor, who gets a microscopically lower cost per transaction in return.

        1. Lyndon Hills 1

          Re: WHY...

          Additionally at least one has detection of repeated transactions per ip address. Causes problems if people in an office are on one shared external ip, and many of those people try to buy something at the same time.

          IIRC this protection (and others, like disallowing a card issued in one country from being used from an IP apparently in a different country) can be turned off by request of the website owner.

          1. EnviableOne

            Re: WHY...

            All is quoted from research by cyber experts in the UK.

            These are based on the use of the top 1000 websites from Alexa.

            Use Amazon, Apple and Paypal, and you can build a valid fake card, then use it on any site to purchase world + Dog.

            In the UK post codes are a mix of letters and numbers, but ZIP codes it could check all of.

            Sites have different CNP requirements:

            Am only requires number and expiry

            Ap requires no. + exp + CVV

            PP requires no. + exp + pcode + CVV

            Research was done using the sites listed above and the VISA/Mastercard networks.

  3. Mr Dogshit

    "El Reg asked firms named in the research to comment"

    Ooh... let me guess what they're gonna say.

    "We take the security of our customers' data extremely seriously, la la la"

    1. Anonymous Coward

      Re: "El Reg asked firms named in the research to comment"

      Our profits are important to us and your patience appreciated while we find ways to protect them from possible fines...please hold!

  4. sitta_europea Silver badge

    This has got to stop.

    Governments have failed, and continue to fail, big-time.

  5. chivo243 Silver badge

    Ticket Price Blaster

    Good for them... Really, couldn't have happened to a nicer bunch of assholes!

    Yes, my coat, pocket filled with cash, cold and hard!

  6. Ochib

    Just waiting for the punters who have been hit by this to be passed back and forth between the bank and Ticketmaster, each saying that you need to get your money back from the other party as they are not to blame.

    1. AndrueC Silver badge

      "Just waiting for the punters who have been hit by this to be passed back and forth between the bank and Ticketmaster, each saying that you need to get your money back from the other party as they are not to blame."

      If paying by UK credit card, it's possible that Section 75 would apply. I'm not entirely sure though, as there is a third party involved.

      S75 is a great thing - that and not having to pay until the statement is due makes a CC kinda like a financial firewall. I'd never pay with anything else.

      1. Wellyboot Silver badge

        >>S75 is a great thing - that and not having to pay until the statement is due makes a CC kinda like a financial firewall. I'd never pay with anything else.<<

        Yup indeed, and having purchased from the TM monopoly in May, my shiny newly-numbered CC will be arriving in the post soon.

      2. Cynical Pie

        From my hazy memory of the CCA, S75 only applies above a certain value - a couple of hundred quid I think - but with Ticketmaster surcharges most purchases should be covered anyway!!

        1. Craigie

          It's £100.

  7. Anonymous Coward

    Why do browsers allow JS from other domains to run

    I've never understood i) why a site would trust other sites to host code for them and ii) why browsers allow one site to run scripts from another.

    If I ship an app I don't expect the users to download loads of components from third parties; I get the third-party components, bundle and test them, then distribute. This is the same thing.

    I'm aware the genie is out of the bottle on this one, but it grinds my gears. I get asked how to run scripts from other sites at job interviews; my answer is always "I would never do that, it's unprofessional". Doesn't get me many jobs, mind...

    1. Anonymous Coward

      Re: Why do browsers allow JS from other domains to run

      Agree, it's especially dangerous now. But I think web designers will argue that once upon a time, sharing JS hugely sped up loading times on the internet. But take Captcha for example. There's no good reason to host that kind of JS off a 3rd-party website, especially when it's a banking website. It's just dumb!

    2. tfewster

      Re: Why do browsers allow JS from other domains to run

      I see your point, but it's essential in some cases - e.g. checking a payment using Verified by Visa loads the Visa JS from Visa's site (if I allow NoScript to run some JS from those dodgy-sounding domains when prompted). However, I really wouldn't want multiple "local" copies of that.

      "...I get the third party components, bundle and test them then distribute".

      Unfortunately that's why you get multiple installs of Java on some systems, all out of date.

      Every solution has its own problems :-( The real question is, 'is the "trusted" site trustworthy?'

      1. Doctor Syntax Silver badge

        Re: Why do browsers allow JS from other domains to run

        "The real question is, 'is the "trusted" site trustworthy?'"

        I tend to regard sites that need to load javascript from a lot of other sites as untrustworthy anyway. Apart from the fact that it's a pain to have to go through NoScript's list and work out which minimal set needs to be ticked, and then to remember to cancel immediately I've finished with the site.

      2. tiggity Silver badge

        Re: Why do browsers allow JS from other domains to run

        VbV is just dire - it encourages users to accept bad security practices (shedloads of dodgy named third party .js components) - looks exactly like a scam site.

        Just because you take payments does not mean you need the VbV site.

        You could (https obv) get customer card details yourself (transiently) with no need for third party code and call your payment provider server side (in the way that desktop apps do and are happily PCI DSS compliant)

        Obviously that way all the onus is on you to keep your site secured, as when you "offload" to the 3rd-party VbV page some liability is on them, so you need a good security focus (CSP will become your friend). You could go further and write your site old school and have zero JS and security settings not allowing any JS at all (that would get the hipster web devs choking on their 10-word coffees).
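The complaint in this comment and in the earlier "Why do browsers allow JS from other domains to run" post is that a payment page executes whatever script its HTML pulls in, from any host; the CSP tiggity mentions is the mechanism a site uses to narrow that. The following is an added example, not code from the thread or from any product named in it: it evaluates a Content-Security-Policy header against the scripts a checkout page references and reports which would still run, and whether inline script is permitted. It shows why a policy that looks tight (`https:` plus `'unsafe-inline'`) still lets any third-party tag execute, while an allow-list of named hosts does not. The merchant origin, the analytics and payment-provider hostnames, and both policies are constructed for illustration.

```javascript
// Added example (not code from the thread or from any product it names): given a
// Content-Security-Policy header, work out which script URLs a browser would still
// execute on a checkout page, and whether inline script is permitted. All policies,
// origins and URLs below are constructed for illustration.

const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/i;

// Split a CSP header into a Map of directive name -> source list. The spec says the
// first occurrence of a directive wins, so duplicates later in the header are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Host matching: an exact host, or "*.example" which matches any subdomain of
// example but not example itself.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit this script URL on a page with this origin?
// Path matching is left out to keep the example short.
function sourceAllows(source, script, page) {
  if (source === "'none'") return false;
  if (source === "'self'") return script.origin === page.origin;
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(script.protocol);
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes never match a URL
  if (SCHEME_SOURCE.test(source)) return script.protocol === source.toLowerCase();
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== script.protocol) return false;
  if (!hostMatches(host.toLowerCase(), script.hostname)) return false;
  if (port && port !== '*') {
    const scriptPort = script.port || (script.protocol === 'https:' ? '443' : '80');
    if (port !== scriptPort) return false;
  }
  return true;
}

// Would the browser fetch and run scriptUrl under this header? script-src governs
// scripts; if it is absent, default-src applies; if neither is set, nothing is blocked.
function scriptAllowed(header, scriptUrl, pageOrigin) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const script = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((src) => sourceAllows(src, script, page));
}

// Summarise a policy against the scripts actually referenced by a page: which ones
// still load, which of those are third-party, and whether injected inline script runs.
function auditCheckoutPage(header, pageOrigin, scriptUrls) {
  const directives = parseCsp(header);
  const sources = directives.get('script-src') ?? directives.get('default-src') ?? ['*', "'unsafe-inline'"];
  const page = new URL(pageOrigin);
  const allowed = scriptUrls.filter((u) => scriptAllowed(header, u, pageOrigin));
  return {
    allowed,
    thirdParty: allowed.filter((u) => new URL(u).origin !== page.origin),
    inlineAllowed: sources.includes("'unsafe-inline'"),
  };
}

// Constructed merchant origin and the scripts its checkout page references.
const PAGE_ORIGIN = 'https://shop.example';
const CHECKOUT_SCRIPTS = [
  'https://shop.example/js/checkout.js',       // first-party
  'https://analytics.example.net/tag.js',      // third-party analytics tag
  'https://cdn.payments.example/v1/fields.js', // payment-provider SDK
  'http://shop.example/legacy.js',             // same host, but plain http
];

// Looks strict, but "https:" lets any https host supply script and 'unsafe-inline'
// lets script injected into the page markup run.
const LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
// Only the page itself and one named payment host may supply script.
const STRICT_POLICY = "default-src 'none'; script-src 'self' https://cdn.payments.example";

for (const [label, policy] of [['loose', LOOSE_POLICY], ['strict', STRICT_POLICY]]) {
  console.log(label, JSON.stringify(auditCheckoutPage(policy, PAGE_ORIGIN, CHECKOUT_SCRIPTS), null, 2));
}
```

Under the loose policy all three https scripts load, including the analytics tag, and inline script is permitted; under the strict one only the first-party file and the named payment host survive, and the plain-http copy is refused by both because `'self'` compares the full origin, scheme included.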

        1. roobear

          Re: Why do browsers allow JS from other domains to run

          This isn't the point of Verified by Visa. You can use VbV whether you have a hosted payment page or direct integration. The point of VbV is to add an extra authentication step with the card issuing bank, and the main benefit for retailers is that Visa then take all liability for any chargebacks (rather than the liability being with the retailer).

        2. trydk

          Re: Why do browsers allow JS from other domains to run

          @tiggity: Unfortunately, this is simply capitalism at work.

          I can invest in better security and have a team ready to keep my site safe ... OR ... I can outsource it for a pittance and pay a small fee whenever I actually use it.

          Hmmmmm, difficult ... Nah, outsource and the more money for me.

      3. trydk

        Re: Why do browsers allow JS from other domains to run

        @tfewster: I thought Verified by VISA ran in a frame thus not mixing JavaScript domains. NoScript only tells you what domains want to execute JavaScript, not the source of the calls.

        This actually reminds me that I want NoScript to be able to show the domain of the caller AND to have the permission either apply globally (so very.trusted.domain.earth can be trusted everywhere) or from specific domains (so do.much.evil.hell can be trusted only from specific domains). google.com is a domain that seems to crop up on two thirds of the sites in the world so Google can track me on all those sites even if I need them only on one of them unless I jump through hoops to avoid it (visit site, temporarily allow google.com, go to this other tab with another site, disable google.com, back to first site, re-enable google.com, ...).

    3. Doctor Syntax Silver badge

      Re: Why do browsers allow JS from other domains to run

      "I've never understood i) why a site would trust other sites to host code for them"

      Because they're cheap and lazy and don't care.

      "and ii) why browsers allow one site to run scripts from another."

      Because if they did they'd get a reputation for breaking all the sites that were cheap, lazy and didn't care and everybody and their Facebook friends would dump them in favour of browsers who didn't care either.

    4. vtcodger Silver badge

      Re: Why do browsers allow JS from other domains to run

      "I've never understood i) why a site would trust other sites to host code for them and ii) why browsers allow one site to run scripts from another."

      Heck, I've never understood why anyone would think that downloading ANY code from ANY website into a browser for immediate execution could possibly be a good idea. It seems clear to me that this can only work in a world with technology that provides 100% iron-clad security as well as computer folk who never, ever make mistakes. We do not live in such a world. We are unlikely ever to live in such a world.

      But ... but ... but ... That'd make life harder for web designers. Yep. Almost certainly it would. So what? If we're going to do financial and other important stuff over a distributed public communications network, shouldn't USER security be the overriding priority?

  8. DrM

    Ho hum

    Boring, as common as a suicide bomber story from Iraq. We're all used to ASIC; the programmers and managers involved will get bonus checks. It's the new normal.

    ASIC - GUI (All Software Is Crap -- Get Used to It)

  9. andy bird

    PCI is near useless

    Nearly all of the PCI-mandated 'hoops', and certainly the typical Security Metrix type scans, focus on the server side of the problem, which is the least likely attack vector.

    Why bother attacking the 300ft wall when the application just leaves the door wide open. PCI scans almost never flag unpatched / out of date applications.
