A Recent Ticketfly Data Breach Reminds Consumers to Use Incomplete Data When Possible
Data breaches obviously leak private information to nefarious people. They then sell it on the black market or use it for financial gain. But how do consumers know when a provider is secure? One way to combat your data being leaked and take some security into your own hands is to leave incomplete or even false information in profiles when you don’t need to provide accurate data. Ticketfly’s recent security breach showed consumers that having accurate information when it’s not necessary increases is riskier. Your chance of having your sensitive data leaked gets worse. If you don’t need to provide the data, don’t provide the data. Omit information when possible.
Ticketfly Data Breach
Ticketfly is just your ordinary ecommerce site where consumers can buy tickets with their credit card numbers. An attacker was able to find a vulnerability in its ecommerce store and sent Ticketfly’s administration an email notifying them of it and asked for one bitcoin in exchange for details. Ticketfly’s administrators ignored the notification, so the attacker published the data leaked from the vulnerability. The total amount of data leaked was 26.1 million records including names, addresses, phone numbers and email accounts.
Credit card data did not leak. Passwords did not leak. Superficially, the data leaked doesn’t seem to impose any harm on consumers other than having their data exposed. However, this information can be used to further phish for more information. Then the data is used to sign consumers up for services. Some attackers will even try to use the leaked information for hacking purposes. This is where the risks get worse. Read about other vulnerabilities to watch out for, like malicious sites.
Using Incomplete Data or False Data for Security
What makes this data breach unique is that Ticketfly did not require true information from users except when taking credit card payments. However, real data is needed to bill a credit card account using a merchant payment system. Any fake information is flagged. A credit card payment won’t go through when users enter incorrect billing data. Some merchants even go so far as to compare billing and shipping data to confirm that the user is not fraudulent.
Users are forced to provide accurate data when purchasing product. But not when no payment is necessary. With Ticketfly, users were not asked to complete profile data to browse the site. But needed to update it when they decided to buy tickets. The hackers only got profile account data during this data breach. So any data that was falsified or not entered at all is safe. Should a site ask for this type of data when you’re not making a payment. Security experts suggest that consumers should choose not to enter their real information until it’s absolutely necessary.
Cyber Blackmail
Data sampled by researchers after the Ticketfly breach showed that some consumers entered incorrect data, which made them somewhat immune to the attack. With fake data, attackers can’t use the information for anything more than to expose vulnerabilities to the vendor. Attackers often blackmail vendors into give money in exchange for information into vulnerabilities. But merchants and site owners disregard warnings and often ignore contact from attackers about possible security issues. This leads to the attackers exposing the information.
Consumers can protect their data by only providing it when it’s absolutely necessary such as credit card purchases or services with delivery to a proper address. Any website is hackable, given enough resources and time. But limiting the amount of true data entered on an unfamiliar site saves your data from possible breaches. Even when breached, the hacker should not get everything.
When working with unfamiliar sites, it’s better to withhold data when it’s not necessary. For security reasons, always avoid entering your real data on unfamiliar sites.
See GateKeeper Enterprise advanced MFA in action.
Take a self-guided tour of how you can evolve from passwords. Then you're really saving time with automation.