Cyber crime threatens Olympic ticketing plans
The release of tickets for the London 2012 Olympic Games has
generated great excitement across the UK, as sports fans make plans
for watching the greatest show on earth. However, in an era of
ever more cyber security threats, the ‘simple’ task of purchasing
tickets online has now taken on new dimensions for consumers
needing to protect personal information, bank and credit card
details from cyber criminals. VEGA, a leading provider of
information security solutions, outlines the dangers facing
consumers, and suggests appropriate preventative measures.
The UK Government’s publication of the revised
London 2012 Olympic and Paralympic Safety and Security Strategy
cites ‘cyber attack’ as the second most serious threat after
terrorism. Additionally, version two of the Olympic Safety and
Security Strategic Risk Assessment (OSSSRA), published in January
2011, placed cyber attack as the most likely risk (albeit one with a
relatively low indicated impact) when quoting examples from the
National Risk Register of Civil Emergencies.
In light of these warnings by the UK Government, ‘caveat emptor’
must be the mantra for anyone buying Olympic tickets. The
associated risks include all those common to electronic
transactions, which VEGA currently supports the Police
e-crimes Unit (PCeU) in resolving. At the Vancouver Olympics, fraud
with stolen credit cards was common, as was conventional ticket
touting. But for the 2012 games in London, the increased ‘skill’
demonstrated by cyber criminals may herald problems of a different
scale…and crimes could start now!
Purchasing tickets
Although LloydsTSB (an Official Partner) caters for paper
applications, most 2012 ticket transactions are through online
applications via tickets.london2012.com. The buying public must
therefore be fully aware of the dangers of unintentionally giving
away their personal and sensitive data to cyber criminals.
The site is one that very few are familiar with (hence visitors may
not know if they have reached a fake site). Its homepage supplies
no ‘identity information’ and is not protected (albeit the actual
link to registering is secured by AES_256_CBC encryption, SHA1 message
authentication and RSA key exchange).
Phishing and Pharming
The lack of familiarity and the profile of such a major event mean
that applicants are very likely to be vulnerable to all manner of
cyber fraud.
‘Phishing’ is a term most
people are now familiar with – the receipt of an unexpected email
which encourages you to ‘browse’ to a website that looks familiar
(but which is fake and developed by a cyber criminal) and enter
identity information that will be used by the cyber criminal to
steal money or commit fraud. Defending against ‘phishing’ is simple
– if you did not expect and do not recognise the email, do not
click on the attachment: as well as the website asking for
private information, it will have already delivered malware to your
computer.
Far fewer are familiar with the term ‘pharming’, which in recent
times has become a major concern for e-commerce and online banking.
Pharming is where the hacker (or cyber criminal) diverts a website’s
traffic to another [bogus] site. It can be done by changing the
hosts file on an individual computer, but more effectively (as it
catches a greater number of people) by ‘poisoning’ the appropriate
DNS servers, all the way up the chain to the ISPs themselves. Until
recently, the technique was mainly of academic interest but
widespread use of wireless routers, where administrative control is
sometimes left in default settings, gives almost unlimited
opportunity for ‘drive-by’ pharming.
Examples of pharming include Panix, a highly respected New York
ISP, having its site re-routed to Australia over a long US holiday
weekend in January 1995, and Symantec reporting a user having his
local router changed after receiving an e-mail from a greeting
card company in 1998.
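The hosts-file variant of pharming described above can be checked for on an individual machine. The following is an added example, not code from VEGA or the original article: a Python audit that flags hosts-file entries overriding DNS for the ticketing domain. The function names, the watched-domain list and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Domain taken from the article; a local pin for it or any subdomain is suspect.
WATCHED_DOMAINS = ("london2012.com",)

# Constructed sample hosts file (documentation-range addresses), not real data.
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan   # office printer
203.0.113.7     Tickets.London2012.com.  www.london2012.com
2001:db8::5     tickets.london2012.com
203.0.113.9     london2012.com.example.net
#198.51.100.3   tickets.london2012.com
"""

def normalise(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.rstrip(".").lower()

def is_watched(host, watched=WATCHED_DOMAINS):
    """True for a watched domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, address, hostname) for every hosts entry that
    overrides DNS for a watched domain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(entry) < 2:
            continue
        try:
            # Drop any IPv6 zone id ("%eth0") before parsing the address.
            address = ipaddress.ip_address(entry[0].split("%", 1)[0])
        except ValueError:
            continue  # first field is not an address, so not a usable mapping
        for name in entry[1:]:
            host = normalise(name)
            if is_watched(host, watched):
                findings.append((line_no, str(address), host))
    return findings

if __name__ == "__main__":
    for line_no, address, host in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} pinned to {address}")
```

Any finding means the machine will bypass DNS for that name; the check does not cover poisoned DNS servers or altered router settings, which need to be examined separately.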
Threats to London 2012 ticket buying?
Cyber threats such as pharming therefore present a real danger to
2012 Olympics ticket applicants. They
are not detected by conventional anti-virus or malware defences,
so applicants for Olympic tickets can find themselves on a fake
site, happily giving their card details to a criminal.
Moreover, since the real site is not debiting a payment for
several months, a criminal would have a lot of time to ‘bleed’ a
victim before activity became suspicious. (The best protection is
to ensure that a secure connection, e.g. https, is used when
exchanging personal data.)
One hopes, however, that this is not the case. In the
case of Olympic ticketing, e-commerce companies, internet
banking, and similar organisations are already investing heavily in
defending against this latest generation of cyber criminals and
serious organised crime groups. Clearly, pharming can be mitigated
by ensuring that routers are not misconfigured, and, in the case of
wireless routers, that passwords are changed frequently and chosen
in a secure way. Professional penetration
testing is also essential to reinforce configuration control
and among other things, check that software and operating system
patches have been rigorously applied.
100% protection?
Awareness, education and the latest anti-virus updates, although
key to information assurance best practice, can only provide
protection to a point.
At the 2010 CESG Information Assurance conference (IA10),
Jonathon Hoyle, Director General Security & Information
Assurance at GCHQ, stated that the cyber threat against high value
targets (Advanced Persistent Threats) cannot be defeated by
conventional information security
products and procedures; anti-virus, firewalls, patching and
testing can only cope with about 80 per cent of today’s threats.
Increasingly, social engineering, employee malpractice and ever more
sophisticated malware require an organisation to supplement its
defences with a deeper level of Protective Monitoring; this can
typically be achieved through a Security Operations Centre (SOC).
At the heart of a SOC is an intelligent security event manager
which detects unusual activity, alerts on unplanned events, and
maintains comprehensive logs to help trace traffic arriving and
leaving.
And yet the battle to protect one’s information is still not
won. As soon as the criminal (or hostile/inquisitive state
sponsored organisation) realises that his target is protected with
a SOC, then the SOC itself becomes a target! The cyber criminal
wishes to protect his identity and conceal his activities and will
change strategy to exploit weaknesses in the SOC analysis engine,
corrupt its log files, or disable its monitoring capabilities.
Crossing the finishing line
Just as the competitors in the games strive to stay ahead of
their fellow competitors, so all of us aiming to secure our places
at the 2012 games need to be constantly prepared for the cyber
security hurdles that must be negotiated to ensure we get our prize
of much sought-after tickets. Training and the right equipment
will only get us so far; we can only win with thorough
understanding of the challenges we face and a desire and commitment
to do what we need to succeed.
Contact VEGA for more information about
the London 2012 Olympic and Paralympic Safety and Security
Strategy