Skip to Content

Data Sheet—Saturday, February 6, 2016

Tickets are like ice cream.

So says Joseph Asaro, chief security officer at StubHub, the online ticket marketplace acquired by eBay nearly a decade ago. The longer one holds onto them, the more their value generally drops (expires or melts).

“If you sell a Ferrari on eBay, that value will be there in a month,” he explains. “If you’re looking to sell a set of eight Beyoncé tickets, the minute Beyoncé takes the stage those tickets are worth nothing.”

The ticking time bomb-quality of StubHub’s wares places the company in an inherently risky business. On top of having a detonating value, electronic tickets are an immediately downloadable digital good that is transmitted via the Internet, where it’s impossible to implement “know your customer” procedures like they do in, say, banking. Thus the risk of fraud runs high, especially for an event of the Super Bowl’s magnitude (where tickets average $5,000 each).

That’s why the NFL takes an extreme cybersecurity measure: eliminating as much “cyber” from the equation as possible. In fact, the league chooses to issue only paper passes—a slight inconvenience for attendees who are unable to gain entry to Levi’s Stadium in Santa Clara, Calif. with the mere wave of a smartphone. Making only hard tickets available helps prevent people from auctioning the same easily replicable electronic ticket multiple times online—selling a pass on StubHub while simultaneously doing the same on, say, Ticketmaster, a rival marketplace owned by Live Nation.

Scammers can duplicate digital tickets and send them out to buyers endlessly—though only the first set to be scanned at the gate will work as intended. With paper passes, creating fakes or stealing copies becomes more difficult.

In terms of physical security, each ticket has about six characteristics that Asaro says his roughly 40-person team verifies to validate their authenticity. These include holograms, watermarks, special ink and paper, bar codes, etched lettering, and blacklight visible-only patterns. StubHub takes extra precautions, such as using a buddy system when counting and collating tickets, transporting them in an armored truck to an undisclosed location deep inside a vault for storage, and distributing them close to the venue just one day in advance of the Denver Broncos and the Carolina Panthers taking the field. (Purchasers must show photo ID.)

Although Asaro, who formerly headed global fraud investigations at Visa (V), declines to disclose the number of tickets StubHub will be responsible for, he does say that the company expects as many as 7,000 people to attend its pre-game pick-up party. In the absence of e-Tickets and PDFs, he does not expect much trouble from scammers. (Last year his team spotted four counterfeits in Phoenix at Super Bowl XLIX, none of whom bought them though StubHub.)

With those physical security measures in place, Asaro says, “counterfeiting is almost impossible to pull off.” Now that’s a ticket to success.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber, PGP encrypted email, or however you (securely) prefer. Feedback welcome.

THREATS

NSA plots major reorg. The U.S. National Security Agency is planning a a structural overhaul that will dissolve the boundaries between its offensive and defensive units. Critics worry that the new arrangement may encourage the agency to stockpile—rather than disclose—the software vulnerabilities its discovers in tech products for the purposes of attacking foreign computer networks. (Fortune)

Hello, Privacy Shield. The U.S. and the European Union struck a last minute deal to facilitate the transfer of European’s personal data across the Atlantic. The program supposedly has more privacy protections in place than its longstanding predecessor, the Safe Harbor agreement. (Fortune)

Symantec takes $500 million investment. The private equity firm Silver Lake Partners has invested half a billion dollars in the cybersecurity company. Symantec has struggled in recent years as sales of PCs, where its security software comes bundled, have declined. (Fortune)

Google counter-terrorism pilot program. Google is experimenting with a pilot program that would show anti-radical ads next to search results for extremist websites in order to counter online terrorism recruitment. Initial reports that the company would meddle with search results themselves were summarily dismissed by the Internet giant. (Fortune)

Banking malware linked to film studio? A raided Russian film studio appears to be linked to the password-stealing Dyre malware program that reportedly resulted in tens of millions of dollars in losses for financial firms like JPMorgan Chase, Reuters reports. Weirdly, the studio—named 25th Floor—was in the midst of producing a cybercrime-themed thriller called Botnet. (Reuters)

Sumner Redstone used to be a cryptographer. The longtime CBS and Viacom chairman is retiring from his life in business. Before the media mogul built a corporate empire, he served as a cryptographer in the U.S. army. (New York Times)

More Internet of toys vulnerabilities. A computer security researcher discovered coding flaws in two kid toys: the Fisher-Price Smart Toy Bear and the hereO GPS watch. Both companies quickly patched their software, which could have been exploited by hackers. (Fortune)

Share today’s Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/

Looking for previous Data Sheets? Click here.

ACCESS GRANTED

Don’t celebrate the return of legally sanctioned EU-U.S. data transfers just yet. The deal faces another major hurdle.

Europe’s top politicians may be brandishing a deal with the U.S. on keeping data flowing over the Atlantic, but Europe’s privacy regulators want to see the details before giving their approval.

In fact, the EU’s data protection authorities saidWednesday that they’re still not sure whether anytransfers of Europeans’ personal data to the U.S. are legal. They want to see the finished “Privacy Shield” agreement in full before they make that call.

Here’s why it’s worth paying attention to what they decide next month... Read the rest on Fortune.com.

TREATS

Hillary Clinton. Email naif. (The Hill)

Declassified CIA intel. A Kickstarter campaign. (Vice Motherboard)

Latest anti-drone tech: Assassin birds. (Fortune)

Hack-proof chips? At least it blocks side-channel attacks. (MIT News)

Sherlock Holmes. Master of HUMINT. (Boing Boing)

FORTUNE RECON

Here’s How to Watch the Super Bowl Online by Jonathan Vanian

Alibaba Is Paying its Employees an Outrageous Amount by Jen Wieczner

This Is What it’s Really Like to Work in Porn by Aurora Snow

Why the NYT Is Looking to Cut Costs Even Though it Turned a Profit by Mathew Ingram

Consumer Apps Jump the Shark by Leigh Gallagher

Under Armour CEO Sees Technology As Company’s Destiny by Kia Kokalitcheva

ONE MORE THING

Looking to avoid a data breach lawsuit? Fortune’s Jeff John Robert has your back. Take a look at his 5 excellent tips. (Fortune)

EXFIL

“Are we really headed to a future in which our ability to effectively surveil criminals and bad actors is impossible? We think not.”

A group of cybersecurity experts convened by Harvard law professor Jonathan Zittrain assessed law enforcement officials’ argument that prohibiting their access to encrypted communications leaves them in the “dark.” The authors of the report determined that this is a bad metaphor: “We argue that communications in the future will neither be eclipsed into darkness nor illuminated without shadow.” Flourishing metadata from a world of networked sensors promises to keep them the Feds in the know. (Harvard Berkman Center)