A version of this post titled “Securing Super Bowl tickets” originally appeared in Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Subscribe here.
Tickets are like ice cream.
So says Joseph Asaro, chief security officer at StubHub, the online ticket marketplace acquired by eBay (EBAY) nearly a decade ago. The longer one holds onto them, the more their value generally drops (expires or melts).
“If you sell a Ferrari (RACE) on eBay, that value will be there in a month,” he explains. “If you’re looking to sell a set of eight Beyoncé tickets, the minute Beyoncé takes the stage those tickets are worth nothing.”
The ticking time bomb-quality of StubHub’s wares places the company in an inherently risky business. On top of having a detonating value, electronic tickets are an immediately downloadable digital good that is transmitted via the Internet, where it’s impossible to implement “know your customer” procedures like they do in, say, banking. Thus the risk of fraud runs high, especially for an event of the Super Bowl’s magnitude (where tickets average $5,000 each).
For more on the Super Bowl, watch:
That’s why the NFL takes an extreme cybersecurity measure: eliminating as much “cyber” from the equation as possible. In fact, the league chooses to issue only paper passes—a slight inconvenience for attendees who are unable to gain entry to Levi’s Stadium in Santa Clara, Calif. with the mere wave of a smartphone. Making only hard tickets available helps prevent people from auctioning the same easily replicable electronic ticket multiple times online—selling a pass on StubHub while simultaneously doing the same on, say, Ticketmaster, a rival marketplace owned by Live Nation (LYV).
Scammers can duplicate digital tickets and send them out to buyers endlessly—though only the first set to be scanned at the gate will work as intended. With paper passes, creating fakes or stealing copies becomes more difficult.
In terms of physical security, each ticket has about six characteristics that Asaro says his roughly 40-person team verifies to validate their authenticity. These include holograms, watermarks, special ink and paper, bar codes, etched lettering, and blacklight visible-only patterns. StubHub takes extra precautions, such as using a buddy system when counting and collating tickets, transporting them in an armored truck to an undisclosed location deep inside a vault for storage, and distributing them close to the venue just one day in advance of the Denver Broncos and the Carolina Panthers taking the field. (Purchasers must show photo ID.)
Although Asaro, who formerly headed global fraud investigations at Visa (V), declines to disclose the number of tickets StubHub will be responsible for, he does say that the company expects as many as 7,000 people to attend its pre-game pick-up party. In the absence of e-Tickets and PDFs, he does not expect much trouble from scammers. (Last year his team spotted four counterfeits in Phoenix at Super Bowl XLIX, none of whom bought them though StubHub.)
With those physical security measures in place, Asaro says, “counterfeiting is almost impossible to pull off.” Now that’s a ticket to success.
