13 March 2012

Security controls at concerts

I have been surprised at the relative unsophistication of the concert security at both concerts. In most large concerts (and for that matter events of any kind) in South Africa, specific ticket categories get an associated coloured wristband. This wristband is given in exchange for the ticket at entry; thus there is a positive verification of the ticket (through the barcode and/or physical hologram) and the seat classification. The exchange also ensures that replay attacks (using the same ticket more than once) are minimized if not removed altogether.

In both concerts, it would be easy to forge the tickets if you had knowledge of the ticket format. An original ticket is still required to enter the venue (as this is checked via a 2D barcode, on an online system it seems). However, once inside, there is only a visual check on the ticket type (e.g. standing or the seating zone). Thus, it would be quite easy to fake entry to a wrong zone or for that matter cause clashes in seating. Additionally, while the ticket check at entry was online, I think it was limited to the integrity of the ticket itself (i.e. whether this was a true ticket) and not whether the ticket details (e.g. seat 293) matched. Thus, this could be easily extended to alter PDF tickets if desired. I draw this inference from the validity check on the machine at the entrance, which just stated OK instead of showing the seat number or zones. Replay attacks on the entrance itself should also be possible, since tickets are not taken away, and a person can claim to have gone out for a smoke etc. At both concerts, there didn't seem to be any controls for people wishing to leave the venue completely, though I did not investigate this.
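A gate check that closes the two gaps described above, as an added example that is not part of the original post: the barcode payload carries a MAC over ticket id, zone and seat, the scanner reports zone and seat instead of a bare OK, and entry state is tracked so a ticket already inside is refused until a pass-out is scanned. The key, payload layout and all names are assumptions made for illustration, not the venue's system.

```python
import hashlib
import hmac

GATE_KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and gates


def _tag(body: str) -> str:
    return hmac.new(GATE_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue(ticket_id: str, zone: str, seat: str) -> str:
    """Issuer side: barcode payload whose MAC covers id, zone and seat."""
    body = f"{ticket_id}|{zone}|{seat}"
    return f"{body}|{_tag(body)}"


class Gate:
    """Scanner backend: verifies the payload and tracks who is inside."""

    def __init__(self):
        self.inside = set()

    def _verify(self, payload: str):
        parts = payload.split("|")
        if len(parts) != 4:
            return None
        ticket_id, zone, seat, tag = parts
        expected = _tag(f"{ticket_id}|{zone}|{seat}")
        # Constant-time compare; altered zone or seat changes the expected tag.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        return ticket_id, zone, seat

    def scan_in(self, payload: str) -> str:
        fields = self._verify(payload)
        if fields is None:
            return "REJECT: invalid ticket"
        ticket_id, zone, seat = fields
        if ticket_id in self.inside:
            return "REJECT: already inside"  # replay of a ticket in use
        self.inside.add(ticket_id)
        return f"OK: zone {zone}, seat {seat}"  # marshal sees the details

    def scan_out(self, payload: str) -> str:
        fields = self._verify(payload)
        if fields is None or fields[0] not in self.inside:
            return "REJECT: not inside"
        self.inside.discard(fields[0])
        return "OK: pass-out recorded"
```

Scanning on the way out is what makes re-entry after a smoke break legitimate while a second copy of the same ticket is still refused.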

Another attack, which is much simpler, is a replay attack for the standing zone. This would require a friend with a standing ticket who then passes it over to a person in the seating zone (there is a little wall as separation), though jumping is easier to detect and control via the sporadic marshals.

I think it would be easy to create the fake tickets, as tickets are sold online in PDF form (thus easy to manipulate) and also resold on eBay (thus easy to get more samples).

I am not sure to what extent this is exploited. What got me thinking about it was the number of empty seats in Nightwish, given that it was a sold out concert. Since the ticket price is the same, the only concern is for the fire safety, which given the pyrotechnics is a real concern. There is otherwise no commercial incentive to enforce tickets, something that is true for concerts in South Africa.

