When people think of retailers being hacked they often conjure up images of payment card data being stolen from point of sale terminals as we have recently seen in the incidents surrounding Target, Neiman Marcus and Michaels. However, craftier hackers can always find ways to leverage any information they are able to access in order to turn a profit.
The recent attack against StubHub, an online ticket retailer owned by eBay, reported on Wednesday, July 23, 2014, is a perfect example of this. In this case an international ring of hackers used compromised user accounts to purchase roughly $1.6 million in tickets that they planned on selling in the United States. However, those looking to blame StubHub for lax security should hold off as it turns out StubHub did nothing wrong.
Who was affected?
Over 1600 StubHub user accounts were affected by this recent attack. Unlike other attacks, StubHub itself was not hacked nor was any of its servers or data centers. All of the accounts used were compromised from other servers so there is really no way of telling how far this will actually spread.
How did this happen?
In March of 2013, StubHub was alerted to fraudulent purchases being made through legitimate user accounts. However, an investigation did not turn up any evidence of a hack on their part.
“Customer accounts were accessed by cyber hackers who had obtained the customers’ valid login and password either through data breaches of other businesses or through the use of key-loggers and/or other malware on the customers’ PC,” StubHub said in a statement.
How were consumers notified?
Affected customers were notified by StubHub’s Trust and Safety team once it was verified that their account was used to make fraudulent purchases of tickets. In addition to notifying individuals, StubHub also issued a press release detailing the attack and thanking the different organizations that assisted them in resolving this issue and bringing the hackers who participated in this attack to justice.
How were consumers impacted?
Any affected customers were given full refunds by StubHub, and they were assisted in changing their passwords to prevent further access by the criminal organization. Consumers who were identified as victims should also take the time to make sure that their computer anti-virus software is up to date, and their home and work, computers are free of malware. They would also be wise to change any other passwords for other accounts, especially any accounts where they share the same username and password combination as their StubHub account.
How was the company impacted?
Since the company itself was not attacked there is nothing that they need to do from a legal standpoint. If anything, StubHub showed that they are focused on doing right by their customers by making it easy for customers who’s accounts were compromised to dispute any fraudulent purchases.
Clearly, the company will feel some financial blowback, as a result, of handing out refunds to events that took place in 2013.
How can they fix it?
StubHub could jump on the two-factor authentication bandwagon and require users to authenticate via a code sent to their email or phone, but many users do not like this added security because they view it as inconvenient. Plus, there are ways around this security measure that skilled attackers can exploit.
Instead, they can provide information to their customers on how to better protect themselves in the future, and how to spot fraudulent activity on their account. This shouldn’t be the responsibility of StubHub alone, but if more retailers took the initiative to better educate their customers, attacks like this would start to scale back because smarter users won’t simply sit back and let the bad guys walk off with their stuff.