Combating the Risks of e-Ticketing

By John Grimm

Super Bowl 50 is almost here. For months, legions of fans from around the world have been clamoring for tickets to the biggest of Big Games, with this year’s event billed as the most technologically advanced ever. Despite the astronomical ticket prices (starting at US$4,000 each and going for up to US$25,000 for private suites), the tickets were snapped up quickly.

Levi’s Stadium, this year’s event host, seats approximately 68,500 fans and features 165 luxury suites and 8,500 club seats. Do the math and combine it with an ardent fan base, and you’ve got an environment ripe for fraudsters to exploit.

About 80 percent of tickets are sold in the two weeks prior to the big game, and that’s when fraudsters strike, setting up phony websites to lure fans in. Would-be ticket buyers are bilked out of their money and, adding insult to injury, are also then targets of identity theft and fraud. The National Football League (NFL) also suffers loss of revenue.

One of the ways the NFL has chosen to help reduce fraud is by not using electronic tickets for the Super Bowl – a decision seemingly at odds with the ‘most technologically advanced game ever’ hype. E-ticketing has grown in popularity in today’s always-connected, mobile society. As a general rule, organizations that don’t offer mobile tickets stand to miss out – not only on sales, but on the speed, customer service, convenience and cost savings that e-ticketing offers.

However, security and fraud concerns persist in the realm of mobile transactions – particularly in situations where dollar values and demand are both sky high. The ongoing threat of data theft or fraud alone can cause merchants and consumers alike to shy away from the mobile ticketing option, and that is before considering the sophisticated ways that cyber criminals are able to steal data in transit when basic protections are not applied.

But just as the NFL and other paper ticket issuers continue to raise the bar with more sophisticated printing techniques, hidden codes, holograms, and simply keeping the designs out of the public eye as long as possible, there are stronger electronic security techniques in play today that can shore up critical security aspects of e-ticketing. In fact, done correctly, e-ticketing can be a powerful tool for fighting fraud, with the added benefit of being far easier for the consumer.

The critical security properties that an e-ticketing system must provide are authenticity – that the ticket is issued from an authentic source and is not a counterfeit – and integrity – that the ticket has not been altered in any way. Just like in the physical ticket world, there are various means by which these properties can be provided, each with different levels of strength or trust. In the ‘e’-world, digital signing – with strong protection for the private signing keys – is a powerful weapon when applied to barcodes that represent tickets. With a properly secured public key infrastructure (PKI) used to associate an organization’s identity with those signing keys, the authenticity of the ticket can be verified. By its cryptographic properties, the signature verification process also detects any attempted alteration of the barcode.

Organizations in the airline industry, for example, have created PKIs for this exact purpose. And because of the need for trust around the identity of the ticket-issuing organization, a recognized best practice is to protect the foundational keys in the PKI – the root and issuing Certificate Authority keys – with hardware security modules (HSMs). Private signing keys underpin the security of the entire system – it is essential that they are properly safeguarded and managed.
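The signing and verification flow described in the two paragraphs above, as an added example that is not part of the original article: an issuing key signs the ticket, a root key certifies the issuing key, and the gate, holding only the root public key, rejects both altered tickets and tickets from an uncertified issuer. Ed25519, the function names, the ticket string and the bare root-signs-issuer-key "certificate" (standing in for an X.509 chain) are assumptions chosen for illustration, and the keys are generated in memory where a real deployment would keep them in an HSM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Barcode is what the gate scans; IssuerCert is the root's signature over IssuerPub.
type Barcode struct {
	Ticket, TicketSig, IssuerPub, IssuerCert []byte
}

// NewDemoPKI makes throwaway in-memory keys (assumption: Ed25519; real CA keys sit in an HSM).
func NewDemoPKI() (ed25519.PublicKey, ed25519.PrivateKey, []byte) {
	rootPub, rootPriv, err1 := ed25519.GenerateKey(rand.Reader)
	issPub, issPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return rootPub, issPriv, ed25519.Sign(rootPriv, issPub) // root certifies issuing key
}

// Issue signs the ticket bytes with the issuing key and attaches the chain.
func Issue(ticket []byte, issuer ed25519.PrivateKey, cert []byte) Barcode {
	pub := issuer.Public().(ed25519.PublicKey)
	return Barcode{Ticket: ticket, TicketSig: ed25519.Sign(issuer, ticket), IssuerPub: pub, IssuerCert: cert}
}

// Verify runs at the gate, which is provisioned with the root public key only.
func Verify(root ed25519.PublicKey, b Barcode) error {
	// ed25519.Verify panics on a wrong-length key, so check the length first.
	if len(b.IssuerPub) != ed25519.PublicKeySize || !ed25519.Verify(root, b.IssuerPub, b.IssuerCert) {
		return errors.New("issuer key malformed or not certified by root")
	}
	if !ed25519.Verify(b.IssuerPub, b.Ticket, b.TicketSig) {
		return errors.New("ticket altered or signature forged")
	}
	return nil
}

func main() {
	root, issuer, cert := NewDemoPKI()
	b := Issue([]byte("event=DEMO;sec=101;seat=12"), issuer, cert) // constructed sample ticket
	fmt.Println("genuine:", Verify(root, b))
	b.Ticket[len(b.Ticket)-1] = '3' // alter the seat number after issuance
	fmt.Println("altered:", Verify(root, b))
}
```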

With the (current) exception of the Super Bowl, sports, entertainment and many other vertical markets will adopt e-ticketing systems as consumer expectation and demand grow. The means to protect e-tickets are here today, and are tried and true – and maybe next year, the Big Game will up its game!