this post was submitted on 06 Jul 2024
35 points (92.7% liked)

Netsec

701 readers
1 users here now

netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere. ‎

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
 

Ticketmaster shot down claims made on the dark web that hackers have access to working ticket barcodes for several upcoming Taylor Swift concerts and other events.

On Friday, a hacker allegedly offered for sale event barcodes for Taylor Swift’s Eras Tour concert dates in New Orleans, Miami and Indianapolis.

The barcodes are typically scanned at the entrance for events. In total, the hacker offered about 170,000 barcodes for sale, with about 20,000 for sale at each show.

The hacker also threatened Ticketmaster with more leaks if they are not paid $2 million — claiming to have 30 million more barcodes for NFL games, Sting concerts and more.

A spokesperson for Ticketmaster debunked the claims made in the post in comments to Recorded Future News.

“Ticketmaster’s SafeTix technology protects tickets by automatically refreshing a new and unique barcode every few seconds so it cannot be stolen or copied,” the spokesperson said.

“This is just one of many fraud protections we implement to keep tickets safe and secure.”

The spokesperson also shot down allegations made in media reports that they engaged the hacker in ransom negotiations, saying that they never engaged with the hacker and never offered the person money.

Ticketmaster’s parent company Live Nation confirmed last month that the company’s account on data storage platform Snowflake had been breached.

Hackers on the dark web claimed to have a 1.3 terabyte database of information on about 560 million Ticketmaster users that included names, addresses, emails and phone numbers as well as event details and information on specific orders.

The theft was part of a larger campaign of thefts targeting about 165 customers of Snowflake. Some of the data stolen from those companies was offered for sale by the same hacker behind this most recent post about event barcodes.

all 7 comments
sorted by: hot top controversial new old
[–] [email protected] 17 points 4 months ago* (last edited 4 months ago) (4 children)

If the barcodes are randomised their systems need to have a way to know which barcode is correct as well as a way to randomise the barcodes

Hackers can just exploit that if they get access to it

Edit:

Also when a company uses marketing tactics in response to a hacking allegation they are usually bullshitting

[–] [email protected] 12 points 4 months ago

Also when a company uses marketing tactics in response to a hacking allegation they are usually bullshitting

Bingo. They want the hackers to think they have nothing, when in reality they’re crapping themselves to find the cheapest solution with little media attention. This is another reminder the business worlds focus on ever-increasing market value is a little like autoerotic asphyxiation. Once you start, you know eventually there’s only one way it will end for you.

[–] [email protected] 1 points 4 months ago

If an app is used in client side it's relatively easy. They could literally just use the common OTP algorithm, but in reverse. Instead of refreshing ever 30s, set that to like hours or days. instead of generating 6 digits you generate enough for a barcode (like 12 or 13 or whatever is common). On refresh, stuff them in a database, so when a ticket is scanned you can quickly find the corresponding entry and identify it and mark it used.

I have no real idea how you'd do this with printable paper tickets...

[–] [email protected] 1 points 4 months ago

I've not been to one of these things, but I'm assuming you have to use your phone tobshow the barcode if it's changing 'every few seconds'. From the description it sounds more akin to something like TOTP, where each person's code is derived from a secret key and the current time. The barcodes aren't random, but mathematically derived and only the current one works. If that is the case the hackers need the secret keys, not the barcodes, and they need to build an app to display the right one at the right time.

[–] [email protected] -2 points 4 months ago (1 children)

If they truly thought it was broken, they could change the process and reissue every single ticket.

It'd take time and effort but it's doable.

[–] [email protected] 7 points 4 months ago

Good. I hope this burns their whole empire to the ground.

Among the biggest of asshole scumbags now expect us to believe them? Yeah, those barcodes are 100% legit and they tried to negotiate with those hackers the very second they found out.