I was a victim of Fraud. I didn’t think it was possible and I have my suspicions as to what had happened, but I don’t have any way of proving it. The scary thing is that I don’t think Ticketmaster cares about fraud. Don’t get me wrong, Ticketmaster refunded my money, but they don’t care enough to do anything else about it, and that kind of attitude only promotes further fraud.
So, here is what happened. Over the last year, my debit card has left my hand only one time. That was to pay for a meal that I had at a local establishment.
The next day, BAM, hit for 4 tickets each ranging from $312 to $340 purchased from Ticketmaster. Which is fishy because I don’t have a Ticketmaster account. I called my bank and Ticketmaster; my bank told me they would credit my account in 5 to 10 business days. My call to Ticket master was much more interesting.
When I originally called Ticketmaster, I told the customer service agent what had happened, and they told me that someone would call me back in 24 hours. Well, that never happened, so I had to call back the next day. The customer support person that I spoke to the next day was very helpful but wouldn’t tell me much about what had happened other than the fact that the fraudulent transactions were for 4 tickets to an NFL game on Sunday in Florida.
The customer service person told me that they were unable to give any more information about the account used to make the transaction, as it may have been stolen from the actual account holder who would not have known the transaction happened using their account. I was told that the fraudster used my debit card information, including name and mailing address, but not my email address. Doing a quick check of my name on the internet doesn’t readily give a person enough information to know where I live. However, if the fraudster knew the name of the town in which I live in, they can easily get the rest of my address information.
Okay, so, this is where I get a bad feeling about Ticketmaster as a service. Please keep in mind that I don’t have a Ticketmaster account and don’t care to get one. With that said, if what the customer service agent said was true, right away I see three red flags, 1) they allowed someone to use card information that doesn’t match the account holder’s personal information, 2) Ticketmaster may not be using some kind of multifactor authentication to confirm the transaction is valid and 3) they failed to confirm the accuracy of all information about an account holder from day one when the account was created and later when an account is hijacked.
Let’s take each of these red flags individually so that I can tell you why it’s a red flag and Ticketmaster really needs to fix their current practice.
1) Allowing the fraudster to use my card on any account. Let’s talk about this, it seems that Ticketmaster is allowing cards that don’t match the accountholders name to be used to purchase tickets. Wow, really?! I just don’t understand why this would be a good idea. Ticketmaster, don’t you do any user validation at all? It would be so simple to compare and validate this information, even if the account was stolen. Simply don’t allow the user’s account personal information to be different from the cardholder’s name. This is a no brainer; I just can’t think of a reason as to why the Ticketmaster accountholder’s name would be different than the cardholder’s name. Some may argue that the Ticketmaster account name should be allowed to be different so that you aren’t using the accountholders real/legal name. That can easily be solved by using an alias tag that is displayed as the account holder’s name online.
2) Looking online, I see articles stating that Ticketmaster is using multi-factor authentication. If so, that would indicate that the accountholder, in this case, allowed the fraudster access to their account and the second authentication method, i.e. email or mobile phone. Or the fraudster is using an illegal/fake account. Once this happens, the true accountholder is completely unaware of the fact that they no longer control their own account and can no longer access it depending on what the fraudster does with their account.
3) Failure to confirm the accuracy of newly created or recently edited personal account information. Since the tickets at Ticketmaster could be thought of as an actual asset, it would make sense that the items would be traceable. The FI world really has this down pat with their whole KYC (Know Your Customer) programs. Why wouldn’t every business join in on that parade? Banks make sure you confirm your identity every time you make a change to your personal information, making fraud much more difficult by would be thieves. Easy things like security questions that you must answer correctly to save any personal data changes. I’ve even worked with some organizations that ask questions about your past which make it difficult for someone else to know other than the actual owner of the personal data.
I’m going to speculate as to what had happened on the fraud that was committed against my account, and the process they implemented to make money from my card. I suspect that this is a fraud ring. It started with the fraud ring front person running my card through the magnetic stripe card reader that captured my personal profile and account data. The card has my full name on it and provided my account information to the reader. From there, it’s a quick look up to confirm the data, i.e., phone number, street address, etc. In this case, the fraudsters didn’t use my email address. Next, my personal data was sent to the fraud ring database for processing and availability to commit fraud. The ring may have put the information on the dark web or sent the data to their backend. However, in my case, I think the ring used a hacked victim’s account to purchase tickets for cash resale. In this case, the hacked account owner probably didn’t know of the hack and the use of their account.
Lastly, I feel that Ticketmaster doesn’t really care about deterring fraud. If they did, they seriously would have gone after the bad guys, but instead TicketMaster will write off the loss as part of doing business and let the taxpayer’s pickup up the tab.
According to the Ticketmaster site, “We take fraud very seriously and thoroughly review every claim brought to our attention. If you suspect fraud on your Ticketmaster or Live Nation account, contact us.
And remember — where you buy matters. The only way to know if your tickets are the real deal is to buy Ticketmaster Verified Tickets directly from Ticketmaster or Live Nation or get them at the venue box office. Ticketmaster Verified Tickets are 100% authentic and guaranteed to get you in, including Fan-to-Fan Resale Tickets.”
Ticketmaster uses PayPal for the processing of financial transactions which means that PayPal is the intermediary for processing the ticket payments. I’ve yet to see how well PayPal confirms the users/payer’s identity to combat fraud. When I used PayPal to purchase items, I was never asked to confirm my purchases or alerted when my account was used.
If I log into any of my financial accounts to make a payment from a device that has not been confirmed to be mine or at my location, I am asked to verify that device. Why wouldn’t TicketMaster do the same?
TicketMaster has a long way to go to improve their online security. Let’s hope they can figure it out in the near future.
References
Ticketmaster Site – “How do Ticketmaster and Live Nation handle fraud?” -https://help.ticketmaster.com/hc/en-us/articles/9702120360209-How-do-Ticketmaster-and-Live-Nation-handle-fraud-
Fraud Rings – https://www.unit21.ai/trust-safety-dictionary/fraud-ring