#HackedOff

Categories and tags:
Spring 2015

It is stated that human behaviour is a lot less reliable than machine capabilities; therefore it is a lot easier to trick a person than it is to trick a computer.

Within any organisation, procedures and policies must be put in place to protect integrity and maintain security. Statistics reveal that within the last year a quarter of a million identities were stolen. This shows cybercrime is REAL and a growing threat to e-commerce and the general public. The realisation of contemporary issues led to Obama himself stating:

“The very technologies that empower us to create and to build also empower those who would disrupt and destroy”.

History of Hacking

In 2013 the payment services industry was the most targeted sector at 56.3%. This is crucial to the event industry, and organisations need to be alerted that it is an ever-growing threat.

Figure 1 Most Targeted Industry Sectors 3rd Quarter 2013

The timeline below shows the increase in phishing attacks that occurred over a ten-year period. In addition, there was a reported 87% increase in phishing in 2013, making us question where this leaves our security in the future.

Phishing Timeline

What is hacking?

Computer hacking refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator’s original objective. Computer hacking will involve some degree of infringement on the privacy of others or the damaging of a computer-based property such as web pages, software, or files.

What is phishing?

Have you ever had your personal details, such as usernames, passwords, and PIN numbers, stolen or impersonated? If so, you have been a victim of phishing.

In a recent UK Police operation, it was found that out of the top 10 Google results, 7 were fraudulent websites.

One of the most frequently recurring types of phishing is through hoax emails and links, such as fake emails from your bank which ask you to phone someone and provide your personal details.

Research has shown that 2013 was a record-breaking year for the number of phishing attacks launched. Phishing caused $5.6 billion in global losses, and as long as phishing remains successful, cyber-criminals are going to continue cashing in on this method of fraud.

What is hacktivism?

Hacktivism is a new social movement which has been suggested to be a way in which people can participate in global politics. This is done through hacking to communicate their ideas and principles of democracy, facilitating online protests and disrupting the flow of certain information.

The aim of this type of movement is not to destroy or sabotage government operations, but to bring more attention to human rights and the freedom people have.

Why Contemporary?

Hacking has been a contemporary issue within the Event and Hospitality industry within the last year due to attacks on large corporations such as Ticketmaster and Marriott. Cyber-attacks within the industry have become so prominent that the Government are issuing warnings to the general public.

Over half of online ticket sites are being reported as ‘bogus’ causing online scams.

TicketWeb (a sub-brand of Ticketmaster) faced a similar issue in 2012, with customers receiving a phishing email claiming their Adobe Reader required an update. This was the result of their network being infiltrated by hackers. Ticketmaster was unaware of the situation until it was pointed out by customers via Twitter. Ticketing of events has also been targeted by a group naming themselves ‘WiseGuys’. The group hacked into LiveNation’s database, purchasing desired tickets and selling them illegally, making over £25 million. By hiring an experienced hacker from Bulgaria they created a way to breach CAPTCHA technology.

Figure 3 Example of CAPTCHA Technology

In relation to cybercrime, event-based venues such as Marriott Hotels have also been targeted. In 2013 members of Marriott Reward Club were affected by hackers trying to access their personal accounts and obtain classified details. To prevent this happening, Marriott promptly contacted all their customers requesting them to update their passwords to resolve the problem.

These are prime examples of organisations in today’s hospitality and event industry which are being affected by phishing attacks. They show how vital it is to have a solution that protects us against these attacks, especially considering large-scale events and their high-profile clients. Take a step back and ask yourself: how safe is your data?

How Protected Are You?

There are three common factors that lead to a company’s network infrastructure being hacked. These are lack of education, not updating software and, finally, the use of ‘bring your own device’ (BYOD). However, all of these problems have very simple solutions.

Problem: One of the main reasons phishing attacks are successful is that users ignore software updates. In 2012 Skype found 40% of adults don’t update their software when initially prompted; furthermore, 75% of those investigated took between two and five prompts to update before actually carrying out the necessary task.

What software is your company using? How often do you update your software?

Problem: BYOD is used by approximately 67% of workplaces today; this has resulted in 50% of users accessing their email from outside the corporate network. Employees that use BYOD are more vulnerable as traditional corporate network security is not there to defend them from targeted phishing attacks. If the employee is utilising vulnerable outdated software on their BYOD device, the attacker has multiple vulnerabilities to exploit on a device used for corporate activities.

Do you use BYOD? If you do, what protection do you have in place?

Problem: The common denominator of all phishing attacks is the end user; it is believed that the reason for this is the lack of education on the importance of protecting themselves from attacks.

Have you provided any training for your employees concerning computer safety?

Thank you for taking time to read our blog, feel free to connect with us @EventHacktivism and comment below.

Comments

Sian Prior says:

I think the idea of being trained in cyber security is a growing need for all industries in the future. The problem for events is huge as more and more people shop etc online. But phishing attacks for online ticket services may dissuade consumers from going to events if they feel their details aren’t safe online; as events are not a necessity but a luxury to many.

Thank you Sian for your comment, I can see that this may put customers off of buying online and due to the growth of technology it can sometimes be the only way to pay. By making event managers aware of the growing risk they can state on their website how often they have updated software/knowledge of fraud etc. Would you feel safer handing over your details to a company stating this?

Stephanie F says:

I think there is a growing concern for an increase in cyber security software, although this isn’t the only issue. During my previous job I was approached by multiple companies asking to buy our event data. We had never sold our data, and would not want to in the future. But it is a well known fact within exhibitions, personal contact details particularly, are being passed around without any second thoughts. It’s possibly also beneficial to provide a clear set of guidelines on how to handle people’s data, with the individuals in mind.

Thank you for your reply Stephanie, we do agree that people’s details are being sent round without a second thought of the consequences. A clear set of guidelines would be a useful action for event managers so this problem does not occur. Do you think this is something which event companies should be able to access for free provided by trade associations/government?

jlannon2014 says:

This is an interesting topic. However, if I am a small event management company, how can I keep up to date with the latest safety software? As we go more and more to electronic file management systems, how can I ensure that my data (and that of my customers) is safe?

Thank you Jlannon for your comment, we believe that using branded software such as Norton will provide you automatically with these updates. However smaller businesses may have a tighter budget therefore trade associations/government should be setting aside their time/money to ensure that this is a priority. Do you believe this is a growing issue for all smaller rather than larger event companies?

jlannon2014 says:

I think that as a small event management company it is likely to be harder to keep up to date with this. If you have a server, you need a firewall, not just anti-virus software and this can be quite expensive?

Stu G says:

A really interesting insight into the way the Internet is impacting event management. On one hand it makes advertising so much easier and draws attention to a new audience, however these developments come at the cost of personal data. Although the UK is protected through the Data Protection Act it is surprising just how many breaches occur weekly.

This report has certainly highlighted the need for more training for the end user and this needs a high priority. This is especially important as phishing attacks by email are so cost effective for the perpetrators that there is currently a low incentive for them to stop. Due to the amount of money lost each year to phishing the international community/law enforcement should work closer together.

BYOD adds a lot of flexibility but there needs to be an easier way to see outdated programs on the computer. Applications like Avast’s ‘Software Updater’ can be used to view this information in one place and may well assist people to update their systems regularly.

Thank you for your comment Stu, it is good to see that others recognise the little effect the Data Protection Act can have in the UK. We certainly agree that there is the need of training for cyber security, to attempt to play a part in reducing the amount of money lost through phishing annually.
It is important for outdated programs to be recognised and highlighted but is there more of a need to see how secure they actually are rather than how out of date they are?

youreventsay says:

As an attendee I have been concerned about phishing attacks when purchasing tickets for festivals or concerts online, however this has never put me off of buying tickets. One of the first things I would do is check whether the event website offers guidance on trusted ticket sellers and as long as the URL includes ‘https://’ I would go through with it with confidence. So far this has worked for me but I suppose you can never really know how safe electronic purchasing is!
With regards to emails – I think all consumers should as a general rule avoid following links from emails which request your payment and personal information, no matter how believable it looks. This is something I have experienced and was very close to being caught out – these emails can be scarily and extremely realistic! I think more education for consumers is required in this area. Perhaps, with the event industry being so hugely impacted by these issues, professionals in the industry could take this forward with an official guide for the online consumer’s safety.

Thank you for your comment youreventsay, it is good to hear someone talking from their experiences. One thing I question however, is, don’t all websites have “https” at the start? Even if they are untrustworthy websites, they are still able to produce one of these addresses.
In regards to phishing emails, they are becoming more realistic and there is a larger number of people falling victim to them, so it is difficult to stop consumers from pressing on them - what happens if it is actually a real email and the link confirms their ticket? Do they miss out on their ticket if they don’t click on it?

MattS says:

Hi, my company currently restricts its employees using its own devices for corporate activities but I know it would make our event managers much more efficient if they could work on their own personal devices. Is there any solution that can manage these personal devices on the company side of the network, instead of just relying on the end user to stop a potential security breach?

Thank you for your comment Matt, in response to your query there are software packages called mobile device management (MDM) solutions which allow the company to accept and blacklist devices from the network and track out of date and insecure apps on smartphones etc. This also allows employees to upload apps and run them remotely like antivirus and if the phone is lost or stolen with corporate information on it then they can do a remote wipe. Please let us know any further thoughts you have on the issue.

Emma says:

It’s so important for companies to be aware of phishing and scamming especially when dealing with customers’ personal details. I have worked at a company who were hacked previously and thousands of dollars had been taken from a bunch of customers by using their credit card details! The company then taught us all regularly about safety online and how to acknowledge a scam and people ‘phishing’. I think education is one of the most important things that companies should do!
