A Recent Ticketfly Data Breach Reminds Consumers to Use Incomplete Data When Possible
Data breaches obviously leak private information to nefarious people who sell it on the black market or use it for financial gain, but how do consumers know when a provider is secure? One way to reduce the chance of your data being leaked and take some security into your own hands is to leave incomplete or even false information in profiles when you don’t need to provide accurate data. Ticketfly’s recent security breach showed consumers that providing accurate information when it’s not necessary increases your chance of having your sensitive data leaked.
Ticketfly Data Breach
Ticketfly is just your ordinary ecommerce site where consumers can buy tickets with their credit card numbers. An attacker found a vulnerability in its ecommerce store, emailed Ticketfly’s administration to notify them of it, and asked for one bitcoin in exchange for details. Ticketfly’s administrators ignored the notification, so the attacker published the data leaked from the vulnerability. The total amount of data leaked was 26.1 million records including names, addresses, phone numbers and email accounts.
No credit card data was exposed, and no passwords were leaked. Superficially, the data leaked doesn’t seem to pose any harm to consumers other than having their data exposed. However, this information can be used to further phish for more information, or it can be used to sign up consumers for services. Some attackers will even try to use the leaked information for hacking purposes.
Using Incomplete Data or False Data for Security
What makes this data breach unique is that Ticketfly did not require true information from users except when taking credit card payments. As most ecommerce store owners know, real data is needed to bill a credit card account using a merchant payment system. Any fake information is flagged and a credit card payment won’t go through when users enter incorrect billing data. Some merchants even go so far as to compare billing and shipping data to confirm that the user is not fraudulent.
Users are forced to provide accurate data when purchasing a product but not when no payment is necessary. With Ticketfly, users were not asked to complete profile data to browse the site but needed to update it when they decided to buy tickets. With this latest breach, only data that was entered for a profile account was leaked, so any data that was falsified or not entered at all is safe. Should a site ask for this type of data when you’re not making a payment, security experts suggest that consumers should choose not to enter their real information until it’s absolutely necessary.
Data sampled by researchers after the Ticketfly breach showed that some consumers entered incorrect data, which made them somewhat immune to the attack. With fake data, attackers can’t use the information for anything more than to expose vulnerabilities to the vendor. Attackers often blackmail vendors into giving money in exchange for information about vulnerabilities, but merchants and site owners disregard warnings and often ignore contact from attackers about possible security issues. This leads to the attackers exposing the information.
Consumers can protect their data by only providing it when it’s absolutely necessary such as credit card purchases or services with delivery to a proper address. Even legitimate sites with true security can be hacked, but limiting the amount of true data entered on an unfamiliar site saves your data from possible breaches. Even when data is breached, any withheld data makes it virtually impossible for an attacker to use the basic information stolen.
When working with unfamiliar sites, it’s better to withhold data when it’s not necessary. For security reasons, always avoid entering your real data on unfamiliar sites.