In a matter of days, the world will be watching as the Philadelphia Eagles and the Kansas City Chiefs square off in the much-anticipated big game 57 at State Farm Stadium. Some will be watching more closely than others. Hopefully, security analysts will be watching closest of all.
The Field’s Wide Open
The venue is likely to be filled to capacity as 63,400 fans get their digital tickets scanned and pour into the arena. They should have gotten a slew of lead-up emails regarding parking, predictions, and must-knows before the game. Most of them will swipe or tap for a half-time snack, and many will purchase team swag from official sites or vendors around the stadium. Every now and again, a fan will buy an oversized foam hand or a bag of popcorn from a person peddling Square on their phone. And that doesn’t even begin to cover the roughly 200 million viewers who will tune in via mobile, satellite, or internet.
It’s safe to say that the last thing on anyone’s mind come Big Game Sunday will be the security of their digital interactions. However, there’s one very specific subset who will be playing quite a different game. If game-day security defenders are going to beat it, they need to analyze the opponent, the plays, and the points of weakness – and how they can leverage their own strengths.
The Threat Offensive
Whenever large groups of people get together, physical and cyber security systems should be on high alert. First, we listed a lot of glittering generalities surrounding Big Game security spaces. Now, let’s get into specifics. The cyber-offensive opportunities surrounding this year’s game will likely fall into the following categories:
1. Identity and access management for players, staff & ticket holders
Tickets sold through all major ticket vendors will most likely be digital, optimized for mobile, and email accessible. They will probably include a QR code or a bar code with roving cursor (to prevent screenshots). That means that everyone wanting to access their tickets must do so by signing in either to their email or ticket vendor’s account – and there are plenty of opportunities for account compromise.
They don’t all have to be grand in scope. Beware of hackers wanting to use your ESPN account (scrutinize those emails and pop-ups), sign into your cable provider, or scalp your Ticketmaster ticket. And for those that re-use passwords: theft of your entertainment login could be eventual access to bigger, more detrimental accounts (such as banking, insurance, and health).
2. The ‘big event’ phishing spike
It’s not just what happens on game day, but on the practice field, as they say. During the time leading up to Big Game Sunday, fans can expect to see a boost in phishing email touting ‘sales’ on ticket prices, ‘inside access’ to team-sponsored content, and ‘deals’ from streaming services who can cover the big day. Watch out for small, previously unknown pop-up sites that will ‘stream the game for free’ and obscure apps that are suddenly Big Game specific – especially ones requiring payment.
A misleading email with Photoshopped logos could easily redirect to a malicious backlink, prompting users to ‘sign-in’ on a spoofed site. Once armed with your credentials, hackers could infiltrate further into a personal, professional, or team network. Along with the rush, many threat actors will be quick to spin up fake celebrity accounts. Be they for players, pundits, coaches, or sportscasters, these fake Instagram, Twitter, and TikTok accounts can gain user trust and then lead them to sites containing malware or other malicious content.
3. Broadcast security
There is a myriad of ways to watch the Big Game, and chances are not all of them are equally secure. Users can watch on mobile, via their cable provider, online, on YouTube, on a variety of public broadcasting stations, and even keep up in real-time with Tweets and sports app notifications.
The security of 5G authentication and privacy will be called into question, and legacy broadcasting companies are susceptible to old OT/ new IT security conflicts. Old vulnerabilities remain from the early days of network television, and any that have not been patched – or systems that have not been stress tested – are liable to be put to the test. With so many connected devices plugged into a concentrated handful of media outlets that day, cyberattacks on few may be able to impact many. Privileged access accounts of those connected with Big Game distribution services will be at a premium, so watch out for scams on social media, and in your inbox.
Passwordless for the Win
Hackers will take advantage of Big Game sign-ins as users are less vigilant when waiting for an expected confirmation to show up, and don’t hold anticipated messages to the same scrutiny. Be careful with MFA pushes and pop-ups, as distracted users could fall victim to MFA fatigue and compromise.
For that reason, it’s more important than ever to secure authentication with phishing-resistant MFA or passwordless log-in. While a hacker could steal a credential list or even scrape your sensitive information, with tokenized and certificate-based authentication methods, they won’t gain enough yards to move the ball down the field.
Go for the win with passwordless authentication.