IT Security

Rugby World Cup scammers

by Mark Rowe

England and Wales may no longer be in the running for the chance to win the Rugby World Cup but the hype around the tournament is still at fever pitch, with thousands of fans excited at the prospect of cheering the remaining nations on in stadiums across the UK, writes John Grimm, Senior Director at Thales e-Security.

But whilst many lucky fans are in possession of the tickets that allow them access to the games, others may find themselves being turned away at the turnstiles after finding out they have bought a fraudulent ticket. With tickets for the Rugby World Cup final being sold for in excess of £1,500, finding out you’ve been the victim of a ticket scam would be devastating for any fan. Worryingly, it is expected that there could be as many as 80,000 tickets to this year’s tournament being sold illegitimately online, and with the shutting down of fraudulent websites such as Getsporting.com hitting the headlines, it is evident just how rife cybercrime is around major ticketed events. Unfortunately, e-ticketing for events has only increased the level of risk despite being the faster, more convenient option for issuing tickets. Without proper safeguards, e-tickets are much easier to replicate and fake than traditional printed tickets. How, then, can we reduce this risk and ensure tickets are valid and with their rightful holder?

E-ticketing, today, is more of an ‘expectation’ for customers as opposed to a ‘luxury’, given its on-demand qualities and the fact that it can be easily accessed on the mobile devices customers carry around in their pockets, everywhere they go. However, balancing this level of user convenience with security is fast becoming a priority for event organisers in today’s threat landscape. The airline industry is an example of how this balancing act has been achieved successfully. With the introduction of electronic boarding passes, airlines now offer a quick and easy solution to travelling and because of this, the method has been widely adopted by passengers. But of course, security is a number one concern for this industry – without it, the consequences could be catastrophic.

By using digital signatures for boarding pass barcodes, their integrity and authenticity can be validated. This helps protect customers against forgery and enables validation upon check-in. Carriers use private signing keys to sign barcodes and issue associated public certificates from a public key infrastructure (PKI) for their validation. It is these private signing keys that underpin the security of the entire system. The ability to properly safeguard and manage these keys is an essential part of the puzzle, particularly when you consider that the easiest way to try to issue a non-authentic boarding pass is to compromise the carrier’s private signing key, allowing you to apply a legitimate signature over an illegitimate pass.

Protecting private signing keys in specialised hardened devices or hardware security modules (HSMs) ensures that they are held within a protected environment, as well as allowing carriers to set specific access control policies to ensure that they are only used for their authorised purpose. As a result, would-be criminals are unable to exploit the weaknesses associated with storing keys on application servers and fraudulently assume the identity of the signing airline, or event organisers, and issue what appear to be legitimate tickets.
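The signing and validation flow described in the two paragraphs above, as an added example that is not code from the article or from any carrier or ticketing system: the issuer signs a ticket payload, and the gate checks the signature with the public key alone and refuses a second presentation of the same ticket. The `payload.signature` barcode layout, the payload fields, Ed25519 as the algorithm, and the names `NewIssuer`, `Issue` and `Admit` are assumptions made for illustration; the key is generated in software here only so the example runs, where the article's design keeps it inside an HSM.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var ErrMalformed = errors.New("malformed barcode")
var ErrForged = errors.New("signature does not verify")
var ErrReplayed = errors.New("ticket already admitted")

// NewIssuer makes a demo key pair; assumption: a real issuer's private key never leaves an HSM.
func NewIssuer() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return priv, pub
}

// Issue returns the barcode text "payload.signature" (hypothetical layout).
func Issue(priv ed25519.PrivateKey, payload string) string {
	return payload + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(payload)))
}

// Admit is the gate check: public key only, plus the set of payloads already admitted.
func Admit(pub ed25519.PublicKey, seen map[string]bool, barcode string) error {
	i := strings.LastIndex(barcode, ".")
	sig, err := base64.RawURLEncoding.DecodeString(barcode[i+1:])
	if i < 0 || err != nil || len(sig) != ed25519.SignatureSize {
		return ErrMalformed
	}
	if !ed25519.Verify(pub, []byte(barcode[:i]), sig) {
		return ErrForged // payload altered, or signed with a key other than the issuer's
	}
	if seen[barcode[:i]] {
		return ErrReplayed // genuine signature, but this ticket has been used before
	}
	seen[barcode[:i]] = true
	return nil
}

func main() {
	priv, pub := NewIssuer()
	fmt.Println(Admit(pub, map[string]bool{}, Issue(priv, "id=T-0001;seat=A12"))) // constructed payload
}
```

The signature alone proves who issued the ticket, not who is holding it, which is why the gate also records admitted tickets: a copied genuine barcode verifies correctly and is caught only on its second use.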

This Rugby World Cup isn’t the first, and most certainly won’t be the last, major event in which fans are exploited by ticket scams and fraudsters. Efforts are being made to mitigate the risk, with event organisers working closely with the police, but it is clear that a more effective solution is needed to ensure the right person is in possession of the right ticket. Secure e-ticketing needs to be at the top of event organisers’ agenda if we are to prevent criminals capitalising on fandom. Only when this is in place will consumers willingly embrace e-tickets with confidence, knowing that fraudsters have been kept at bay.

© 2024 Professional Security Magazine. All rights reserved.