The May 31 security breach at Eventbrite’s Ticketfly sent a chill through the ticketing industry. The “malicious cyber-attack” knocked the website offline and exposed the names, phone numbers, addresses and email addresses of 27 million users, though neither credit and debit card numbers nor passwords were affected. The shutdown caused havoc for the venues across the U.S. and Canada that use the digital ticketing service; they took to social media to tell patrons to bring a photo ID and a printed copy of their ticket to the box office because of the breach.
With the entire world economy interconnected online, internet security has become a big business in and of itself. According to George Avetisov, CEO of HYPR, which offers “secure password-less experiences with decentralized authentication,” more than 3 billion credentials have been stolen, which is roughly half the global population. In today’s tech-fueled economy, identity and access management, or IAM, consumes more than half of a chief information security officer’s annual budget, and there aren’t enough information security professionals to fill the open positions across the sector.
“It’s one of the most significant hurdles we face in a fully connected world,” he said. “From a service provider’s standpoint, one had to wonder ‘Who are my users?’ and from a user’s point of view, they’re wondering if their credentials being out in the wild are being used in credential reuse attacks, draining their accounts. Fraud is a speed bump to a fully connected life and the experience behind it. All these worries ultimately cause friction and can even slow down the economy.”
Ticketing sites are particularly vulnerable and form an attractive target for hackers because they tend to keep access and payment credentials on file: usernames, passwords and bank cards. Most of these digital ticketers are protected only by a username and password rather than by the more robust two-factor authentication, or 2FA, a two-step process that requires, in addition to the usual password, a second factor only the user physically possesses: a code sent by text message, an authenticator app or a hardware token. A stolen password alone is then not enough to get in, which makes it much more difficult to access and steal that information.
Avetisov’s solution to the problem is rooted in his company HYPR, which specializes in identity solutions that don’t involve passwords. “They can start by tying the authentication and payment credentials to a person and not to a static alphanumeric string,” he said. He also recommends that “each person holds (their) biometrics and bank card information isolated and encrypted on their mobile device.” With biometric methods such as retinal or iris scans, facial recognition or a fingerprint, the ticket holder merely has to take a selfie, and no sensitive personal information is sent to a vulnerable, centralized platform or venue site.
Added Avetisov: “User habits reveal that people use the same user name and password across different services. Passwords are inconvenient. Phasing out or eliminating passwords is a solution available right now for ticketing platforms.”
Several current ticketing start-ups employ facial recognition as part of their security process. Blink Identity unveiled its business plan at the recent TechStars Music Accelerator in Hollywood. The company was founded by Mary Haskett and Dr. Alex Kilpatrick, who describe themselves as “serial entrepreneurs with deep backgrounds in military biometrics.” The company uses facial recognition technology originally developed by the military to identify people “at a full walking speed, handling over 60 people per minute in any lighting conditions … creating the next generation of access control, security and smart buildings.”
Former Ticketmaster CEO Nathan Hubbard’s Rival is also based on similar facial recognition technology, in which cameras are attached to the metal detectors at venue entrances to scan the attendees and continue to interact with them via cell phone even when they’re inside the arena.
With these technological advances comes the issue of privacy. Are patrons willing to give up some of their user-generated data in exchange for convenience and a superior experience?
“We take cybersecurity very seriously,” says Blink Identity’s Haskett. “We follow established industry best practices in the protection of sensitive customer data. Our vision going forward is (that) biometric identification will be used to securely establish someone’s actual presence in a physical space.”
Even face scans aren’t a foolproof guarantee, according to HYPR’s Avetisov, who said: “If the biometric templates, or any access or payment credential for that matter, are centrally stored at the service provider, there is always an element of risk. That then becomes a hacker’s No. 1 target and opens the door to potential credential reuse attacks. Credentials do not need to be centrally stored in order to provide the service. They can be held with the user on her or his mobile device.”
Ticketfly said little publicly in response to the hack, but it reset all its passwords and tweeted the following statement a week after the attack: “We understand the importance you place on the privacy and security of your data and we deeply regret any unauthorized access to it. We assure you we are taking this very seriously and are committed to providing updates as appropriate. We’ve engaged leading third-party forensic and cybersecurity experts to investigate and help us address the issue, and have done this with your security top of mind.”
With Ticketfly back up and running, Avetisov suggests the company contract a third party or independent audit of the incident to restore the clients’ confidence. “Provide some transparency about the fixes,” he says. “It’s important to manage your customers’ expectations with a frictionless experience. With identity theft on the rise, so are worries about it. Customers always want to remove any friction from their experience, and that comes from passwordless features, but keep in mind they need to be secure ones, not just convenient.
“Passwordless experiences do not always equate to a passwordless architecture. They are great for removing friction, but they often just mask the existence of an underlying system that is both password-based and centrally stored. A fingerprint scan, for example, may unlock a phone or communicate with a password vault, but the service provider holds passwords on all of its users. With central password architecture a risky practice, this must stop for fraud to end.
“A true passwordless access system is one that is absent of passwords and ties identity to user traits such as biometrics, which are not transferable to another person, including hackers.”
Passwordless architectures of this kind are already in use at major companies such as Mastercard, and open standards (such as those of the FIDO, or Fast Identity Online, Alliance) make it a straightforward proposition to bring this secure method of signing in to digital ticketing and other sites.