How did the organizers structure the ticket office to deal with cyber attacks?
The second phase of ticket sales for the Olympic Games opens on Wednesday. As in the first period, prospective buyers must register for a draw before they can hope to acquire the coveted tickets.
At a time of increasing cyber attacks against government bodies and hospitals, the security of ticket sales for the Paris 2024 Olympic and Paralympic Games has been an important issue. In total, 10 million tickets for the Olympics and 3.5 million for the Paralympics will be sold. By way of comparison, the last World Cup in Qatar gathered almost three million spectators in its stadiums, according to FIFA figures.
These volumes make this ticket office a target for cybercriminals. “They have the speed and habit of taking over all the big events so they can do what they do on a daily basis: making money off the backs of their victims. There is no reason for the Olympics and/or ticket sales of this magnitude to be an exception, and even more so with regard to the price of some tickets. Because the more expensive it is, the rarer it is and the more it attracts”, says Benoit Grunemwald, a cybersecurity expert at ESET, a company that develops cybersecurity software and services.
This ticket office was therefore a “challenge”. Damien Rajot, commercial and on-site experience director at Paris 2024, acknowledges that it was necessary to “handle the volume of over 750 sessions”, for simultaneous purchase, worldwide. With the launch of the second phase of ticketing on Wednesday 15 March, franceinfo: sport has looked into the methods used by the Organizing Committee of the Olympic and Paralympic Games Paris 2024 (Cojop) to counter these threats.
Cyber attacks on the rise
While cybercriminal attacks on ticket offices are difficult to quantify, Prodiss, the National Syndicate of Music and Variety Shows, conducted a study in 2017 showing that illicit sales affected up to one in four tickets. At the same time, “the evolution of the number of judicial decisions concerning the illegal resale on the secondary market of tickets in the sports sector has increased by 250% between the period 2008-2010 and the period 2020-2022”, observed De Gaulle Fleurance, an integrated group of lawyers and notaries.
To deal with these different threats (fraud, impersonation and the black market), the organizers of Paris 2024 have “set up a reflection from the beginning to manage volumes and find a solution to sell something very complex in a safe way, in a short time”, points out Damien Rajot, “even if zero risk does not exist”, he specifies.
“If Paris 2024 takes into account the consideration of fraud, we know that in cybersecurity there is no solution that works 100%”.
Benoit Grunemwald, IT security expert at ESET, to franceinfo: sport
“There is always a flaw in the system, and cybercriminals are resourceful. The efforts are there, we’ll see if it will be enough”, adds Benoit Grunemwald, before predicting: “It’s a safe bet there will be big maneuvers against the event because everyone will be watching the Olympics.”
The draw and purchase slots, a safeguard against bots
This was the major new feature. To get seats for the Paris Games, you must first register for a draw, then be drawn, before you can purchase tickets for the competitions. The buyer is then given a 48-hour buying window. “Going through a registration phase and buying slots allows you to spot the bots, and avoid having people organizing multi-sales in all directions”, explains Damien Rajot.
An effective system, according to cybersecurity expert Corinne Henin. “This mechanism of registering via email, a draw and then limiting to 30 tickets per account, to some extent prevents a robot from connecting, buying many tickets and then reselling them. Because it requires a lot of manipulation for a small number of tickets at a time”, she analyzes. The purchase-slot system has also made it possible to split traffic, thus avoiding endless queues during the purchase phase. Indeed, the goal was not to repeat the bad user experience of the Rugby World Cup, among others, where the sales platform was saturated from the moment it opened.
An official resale platform to combat the black market
Buying tickets a year and a half in advance presents a risk for buyers, who may no longer be available on D-day. For this reason, Cojop has announced that it will establish a single resale platform in 2024. “We want to control and organize this platform to avoid any form of excessive commercialization and speculation”, says Damien Rajot. Therefore, tickets can only be resold on this site, at the purchase price.
100% digital tickets and a single application to prevent counterfeit tickets
Another security measure announced by Paris 2024: tickets will only be offered in digital format and will be issued in the holder’s name. Paper tickets will not be accepted. Tickets will only be issued and validated on a dedicated official mobile application. And the organizers warn: they will be sent to buyers only a few weeks before the Games. “To combat counterfeit tickets, digital tickets are effective. Yes, they are more difficult to copy than paper tickets. Then, issuing them at the last moment leaves less time for scammers to study their appearance”, says Corinne Henin, computer security expert.
“If there’s a little mistake in the ticket, they’ll have less time to find it. It’s security through obscurity.”
Corinne Henin, computer security expert, to franceinfo: sport
However, for the system to work, users need support: guiding them through the procedure to follow, giving them the right information, helping them prepare for their visit, etc. “It’s very important, especially in the Olympics where you go to multiple sites in the same day. You need to be able to transmit information to people live”, admits Damien Rajot.
This matters especially for keeping spectators, as far as possible, from falling for phishing campaigns. “We can imagine these launching before D-Day, or when tickets become available, with an invitation to download a fake ticketing application. Upon arrival at the venue, you may receive a text message saying ‘Welcome to the Olympics of Paris, please update your password’”, explains specialist Benoit Grunemwald. The attackers would thus gain access to your personal data in order to recover your real ticket.
Dynamic QR codes, an extra layer of security
As well as being digital, tickets will take the form of dynamic QR codes, generated in a specific time slot just before the event. “A QR code is a way of writing data that is easily readable by a computer. A dynamic QR code consists of a URL, and what is behind the URL changes regularly. It is an additional layer of security”, explains computer security expert Corinne Henin. “This type of QR code, which rotates, makes it more difficult for someone to hack and/or scan the QR code or copy it”, argues Benoit Grunemwald.
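A rotating code can be built in several ways, and the article does not say how Paris 2024 implements its own. The added example below (not Paris 2024's code) uses a TOTP-style HMAC code, with an assumed 30-second rotation, an assumed one-hour activation window and constructed ticket data, to show why a screenshot taken earlier is refused at the gate.

```python
import hashlib
import hmac

STEP = 30            # assumed rotation period in seconds (constructed value)
LEAD = 3600          # assumed: codes exist only in the hour before the session
# Constructed sample data: per-ticket secret and session start (Unix time).
SECRETS = {"TKT-0001": b"constructed-demo-secret"}
SESSION_START = 1_800_000_000

def rotating_code(secret: bytes, ticket_id: str, now: int) -> str:
    """Code embedded in the QR at time `now`; it changes every STEP seconds."""
    msg = f"{ticket_id}|{now // STEP}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

def qr_payload(ticket_id: str, now: int):
    """App side: QR payload, or None before the activation window opens."""
    if now < SESSION_START - LEAD:
        return None
    return f"{ticket_id}:{rotating_code(SECRETS[ticket_id], ticket_id, now)}"

def verify_at_gate(payload: str, now: int, used: set) -> str:
    """Gate side: 'ok' or the reason the scan is refused."""
    ticket_id, _, code = payload.partition(":")
    secret = SECRETS.get(ticket_id)
    if secret is None:
        return "unknown-ticket"
    if now < SESSION_START - LEAD:
        return "not-yet-active"
    if ticket_id in used:
        return "already-used"
    # Accept the current and the previous step to tolerate clock skew.
    for t in (now, now - STEP):
        expected = rotating_code(secret, ticket_id, t)
        if hmac.compare_digest(code.encode(), expected.encode()):
            used.add(ticket_id)
            return "ok"
    return "stale-or-forged"

def demo():
    """Scan a fresh code, a ten-minute-old screenshot, and a reused ticket."""
    gate_time = SESSION_START - 600
    screenshot = qr_payload("TKT-0001", gate_time - 600)
    fresh = qr_payload("TKT-0001", gate_time)
    used = set()
    return [qr_payload("TKT-0001", SESSION_START - 2 * LEAD),
            verify_at_gate(screenshot, gate_time, used),
            verify_at_gate(fresh, gate_time, used),
            verify_at_gate(fresh, gate_time + 5, used)]
```

The single-use set matters as much as the rotation: without it, a code relayed within the same 30-second step would still pass.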
Despite a system judged “pretty secure” by the experts interviewed, “threats are never obsolete”, says Benoit Grunemwald bluntly. “We have to protect ourselves from A, B, C, D, and that changes very quickly and adds up. And maybe A and B are no longer exploitable, but users still need to have good cybersecurity hygiene, i.e. update their devices well, have good passwords and two-factor authentication. We keep repeating it, but it won’t stop.” Because the threat will not weaken, quite the contrary.