Behind the $1.6 Million Heist at StubHub: Recycled Passwords

If there's one lesson bankers can take away from the hacking incident at the online ticket seller StubHub, it's that they need to educate their customers about the dangers of using the same passwords on multiple sites.

Earlier this week, Manhattan District Attorney Cyrus Vance Jr., indicted six people in a cybercrime ring that stole $1.6 million worth of event tickets through StubHub, an eBay subsidiary.

The thieves committed the heist by deploying a technique that poses threats to banks and retailers every day: account takeover. Rather than stealing card or account data, many cybercriminals are committing fraud by simply stealing or guessing login credentials to impersonate legitimate customers and conduct seemingly innocent transactions that go undetected.

The StubHub hackers used stolen login credentials to purchase 3,500 e-tickets and sent them to a network of people in New York and New Jersey to be resold within hours of an event. The events included concerts featuring Elton John, Marc Anthony, Justin Timberlake and Jay-Z; athletic events including Yankees baseball games, Giants and Jets football games, Knicks and Nets basketball games, Rangers hockey games, and the U.S. Open; and Broadway shows, such as "The Book of Mormon."

The accounts of 1,600 StubHub customers were compromised, yet the company says its databases were not compromised and no credit card numbers were stolen.

"Legitimate customer accounts were accessed by cybercriminals who had obtained the customers' valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers' PCs," the company said in a statement.

It is not yet known exactly how the cybercriminals stole customers' online credentials. They most likely used phishing, malware on the victim's computer, or the fruits of earlier data breaches in which user names and passwords were stolen, said Robert Siciliano, a security consultant and founder of BestIDTheftCompanys.com.

The hackers tried thousands of stolen passwords at StubHub to find ones that worked.

What made this break-in and many others like it possible is the fact that consumers tend to use the same user name and password on all the sites they visit.

Therefore, banks should encourage customers to change their online banking password every six months, Siciliano pointed out. Banks should also warn customers not to click on links in emails unless they are 100% sure they're legitimate, as well as keep their antivirus, antispyware, anti-phishing and firewall software and operating system security patches up to date, he said.

Somewhat ironically, StubHub was originally founded with the idea of providing security for people who have bought a ticket to an event but are unable or no longer want to attend and therefore want to resell. Users are authenticated with an automated verification of data points such as name, address, and phone number. Transactions are constantly monitored for unusual behavior patterns, the way they are at most banks, card companies and retailers.

"People were tired of getting ripped off when buying tickets on the street, through classified ads or other places," said Robert Capps, who was head of the 70-person Global Trust and Safety group for San Francisco-based StubHub from 2010 until mid-April of this year; his group uncovered this fraud. (He left a few months ago to join the network security startup RedSeal Networks, but still consults with StubHub.)

"There's inherent risk in transacting on a ticket for cash with someone you don't know," Capps added. "StubHub was intended to help with sales and provide safety, to protect buyers and sellers from each other."

But in this case, StubHub's software did not pick up on the fraudulent behavior — customers did. StubHub became aware that something was wrong when dozens of customers called to complain of seeing unfamiliar transaction activity on their accounts.

This in and of itself is not uncommon, Capps said, because customers, particularly family members, often share accounts.

"In some cases, Mom's account was used by little Debbie because she wanted to go to a Justin Bieber concert and hadn't communicated that," he said. "All retailers face some level of confusion when customers start mixing accounts and credit cards. But when you get a consistent number of people calling about events happening in the same general region, you start thinking, 'ha, something else is here.' And you start looking around the edges for it."

Shouldn't StubHub's fraud detection software have found this first?

It should, Capps acknowledged. However, account takeover hasn't historically been an issue for retailers. Almost all the fraud that retailers have seen to date has stemmed from new accounts created with stolen credit cards, he said.

When a hacker logs in with legitimate credentials and pays for a purchase with a card already stored in the account, that transaction doesn't look different from the customer's previous transactions and most retailers' systems won't catch it, Capps pointed out. Building technology that would identify account takeover for a retailer can be an expensive undertaking.

"Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place," said Mike Gross, director of risk strategy and professional services at 41st Parameter (a part of Experian). "It's a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username and password authentication."

In the ongoing investigation of this scam, it turns out that the fraudulent activity could have been spotted in analysis of the company's network log files. Large volumes of login attempts, each with a different user name and password, were made from the IP addresses of compromised servers or PCs. Many did not match records on file and fell by the wayside unnoticed.

So a second lesson to be gleaned from this episode is: monitor your network log files.

This might sound obvious. But for retailers, the common practice has been to monitor network activity for failed logins to legitimate customer accounts, not look for failed logins in general.

Attacks like the StubHub fraud happen every day at all major retailers, financial institutions, and social media companies, Capps said. The only reason this case came to light was because StubHub decided to prosecute, he said.

"Account takeover is a huge problem, and [companies are] just writing off the losses," he said. "If there's something of value available on the site, and there's a way to monetize that, there's an attacker willing to target it."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER