Flash Seats Usability, Security, and Privacy

The Quora Conundrum

Quora reported a data breach earlier this month and the company outlined the stolen data, what they are doing, and what you can do in an email to those affected:

The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)

They also have more detail in https://help.quora.com/hc/en-us/articles/360020212652

Did I even know I had a Quora account? Nope.

Quora password reset email

But lo and behold, I did, so it was time to reset my password and delete the account.

Side note: if you logged in with Google or Facebook you may not have an account password, as mentioned in the account deletion FAQ: “if you created the account via Google or Facebook, you will first need to create a password by clicking the “Change Password”


We have processed your request for account deletion and your name and content will be completely removed from Quora in 14 days. Note: If you login during the next 14 days, your account will be reactivated and deletion will be canceled.

We’re sorry to see you go, but we hope you consider joining the Quora community in the future.

Quora Support

What happens to all the information Quora knows about me after the account is gone? No idea. Luckily their help page has detailed info on the account deletion process:

Once the 14-day grace period has expired and your account has been deleted, your content and profile will be permanently deleted, and personal data associated with your account will be removed from Quora’s databases.

While it is unfortunate that the breach occurred, Quora clearly disseminated information and had the support network in place to help people manage their accounts effectively.

I do not expect Flash Seats could handle a breach with similar organization and focus.

The Flash Seats Fiasco

Let me preface by saying this came about from buying tickets to an NBA game. A long running, national sports league, with a recent focus on technology. Not the D-League (G-League?) or a college game, but the National Basketball Association.

If you haven’t heard about Flash Seats, not to worry. I didn’t either, but over the course of the ticket buying experience, I learned much more about the service than I wanted to know.

So let’s get started. Select your game from the Nuggets schedule, land on tix.axs.com, choose your seats on tix.axs.com and proceed to checkout on tix.axs.com. Done!

But not so fast, that’s only how buying tickets should work. It’s just after you’ve chosen your seats and are ready to buy when the first mention of the separate Flash Seats service appears for the ticket delivery method.

Flash seats delivery method drop down

If you gloss over the defaults you don’t even notice the distinction that the tickets are not on AXS, but instead on Flash Seats.

Select the details drop down and you will find the following information about ticket delivery options:

– Tickets will be delivered electronically to your Flash Seats account within one (1) week following the official on-sale date

– The easiest, most convenient, and most flexible option. With Flash Seats® digital tickets, there are no paper tickets, and you can quickly enter the event with the Flash Seats Mobile App for IOS or Android, your credit card or driver’s license. You can also transfer tickets to friends or sell your tickets on our secure marketplace.* If applicable*

At the gate, please show your Mobile ID in the Flash Seats app (for IOS or Android), or credit card used during your purchase or your registered driver’s license.

– Your card or mobile device will be swiped at the door by a Guest Services representative using a hand-held device and you will receive a seat locator identifying your seats. For more information about Flash Seats, please visit www.altitudetickets.com/flashseats

Proceed to purchase and you can sign in or create your AXS account with your password manager of choice.

Notice there is no mention that this account is in fact for Flash Seats, not AXS, as shown at the bottom.


Complete the purchase and you’ll get an order receipt from customerservice@altitudetickets.com. When was I on altitudetickets.com? Not sure I was, but did you read the fine print from before? www.altitudetickets.com/flashseats is a thing.

Altitude Tickets is powered by AXS utilizing Flash Seats digital tickets to deliver your tickets safely and securely


It feels like this service is the ticketing equivalent of the Amazon arbitragers from A Business With No End.

The most confusing thing about all this is that AXS has its own ticketing service. And the NBA uses 80% of it. Why not just use AXS 100%?


As an aside, for those of you following along at home, here’s the flow to purchase tickets (links are only approximate, as specific event links are unique and don’t stay valid for any period of time):

  1. NBA.com: https://www.nba.com/nuggets/schedule/home-schedule
  2. altitudetickets.com: https://www.altitudetickets.com/events/category/basketball
  3. tix.axs.com: (specific event link)
  4. Flash Seats: The Future of Ticketing Today (event tickets)

Download the AXS app, because you don’t realize until after the fact that Flash Seats is a thing.


Discover that the login doesn’t work on AXS.

Go back and download the Flash Seats app. Five-star reviews. They are similarly ranked in the Entertainment category, so Flash Seats isn’t just some one-off unused app, no matter what the quality of the app lets on.


Log in with the same AXS/Flash Seats login stored in your password manager of choice. Password is still incorrect… Try online, maybe the mobile app doesn’t work. Nope.


Reset your password. Maybe something messed up with the password manager.


Nope, password manager didn’t break spontaneously only on this site. Need further investigation.


Call 888-360-SEAT and let the fun begin…

Remember, the game starts in 30 minutes and we can’t access the tickets we just bought. I’ll try to remain calm (somewhat unsuccessfully), but imagine this on the scale of everyone buying tickets for every NBA game every night of the season.

(It is worth noting not every NBA team uses Flash Seats. I had not been to an NBA game in a while and didn’t realize that at first. Yet the Cavaliers, Nuggets, Rockets, Clippers, Lakers, Jazz, and Timberwolves plus some NHL teams use Flash Seats to manage tickets.)

Here’s a rough transcript of the call:

Hi, thanks for calling Altitude Tickets, oh I mean AXS, hold on, Flash Seats. Hi, I have tickets to a game in 20 minutes and I can’t access my account I just created. Ok, what would you like to be your new password. Uhh, I have to create a password with you over the phone? Yep! Well that sounds secure. It’s our policy. Makes sense. So what will it be? I guess “password”. Great, that’s what I was going to suggest. The password “password” is allowed on your service? Yep, that’s our policy. Makes sense. We strive for security. So I can get my tickets now? Yep, just log in to your account with your new password. Ok. Ok. Well have a good night. And you as well sir. One more thing, can you connect me with your security department? What? Makes sense, good night.

Good news. Password “password” works. I can log in to get the tickets (and change my password to something more secure, like correcthorsebatterystaple (please don’t use that as your password)).

Just in time to get to the arena and skip the line at the Flash Seats Help Desk. I think the person with the most ridiculous problem of the night won a Tundra.

Not the best photo, but in a way, it sort of sums up the experience

The game was fun though. Nugs won! And we almost won nugs.


Deleting the account

But wait, there’s more! I couldn’t let this account stick around. Given the airtight security measures I wanted to remove the account as soon as it was no longer needed. (Are single use accounts a thing yet?). Here’s how to delete your Flash Seats account:

Before starting, remove any contact and payment info that may have been saved in your account. Don’t trust the service to do this for you.

Then go to the Contact Us page.

Don’t worry, nothing in the form is a required field and there is no parameter validation, so just enter your email and “delete account” as your phone number and Flash Seats should get the message.

A few days later this message shows up in my inbox:


Huh? What do you mean my accounts were merged? What is this deletedaccount@flashseats.com? Let’s find out…

I replied to the above email mentioning its confusing nature and reminded them I wanted to delete all my account information, not have them archive my info under the guise of this Deleted Account pseudonym. Here’s what they said:

Hi Ryan,

Thank you for contacting Flash Seats. That is the deletion method that we have for Flash Seats accounts.

Thank you,
Flash Seats

Fair point.

So with my new enlightenment on how Flash Seats handled user data privacy, just for fun I tried logging in to my Flash Seats account identified by deletedaccount@flashseats.com.

My attempts of password, deletedaccount, and flashseats didn’t work, but it did get the account locked in the same way as my original predicament.


And that was the end of the Flash Seats fiasco. I guess my account is gone. No real way to know for sure. Suspiciously though, no one has been able to get in to any NBA games over the last month…

More account security fun

Just to ensure I wasn’t completely off base with my view of the utter mess of this service, I looked into other instances of people struggling with Flash Seats. It turns out the Detroit Lions dropped Flash Seats and the Timberwolves had to settle with season ticket holders because “use of the digital marketplace Flash Seats makes it too hard for fans to exchange tickets, sell them on the secondary market or even give them away.”


Wasn’t this AXS/Flash Seats site just breached? No wait, that was Ticketfly, the site that still only allows passwords of 20 characters or less.



Another fun tidbit of ticketing information: you can send Ticketmaster a letter if you want to close your account.

Can you do this for anyone’s account?

Send Us a letter
Whether it’s pen to paper or straight from your printer, address all mail to:

Attn: Fan Support
1000 Corporate Landing
Charleston, WV 25311


Marriott’s breach response is so bad, security experts are filling in the gaps

and What the Marriott breach says about security



Facebook Privacy Report from The New York Times

As Facebook is upending the journalism industry, the New York Times continues its campaign of exposing Facebook’s questionable data use.

Summary from The Download via the MIT Technology Review


NYT’s tl;dr of their report


While it is true that Facebook hasn’t sold users’ data, for years it has struck deals to share the information with dozens of Silicon Valley companies. These partners were given more intrusive access to user data than Facebook has ever disclosed. In turn, the deals helped Facebook bring in new users, encourage them to use the social network more often, and drive up advertising revenue.

Facebook Data Sharing Details

NY Times on Facebook and their partners


Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.
The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

. . .

Facebook, in turn, used contact lists from the partners, including Amazon, Yahoo and the Chinese company Huawei — which has been flagged as a security threat by American intelligence officials — to gain deeper insight into people’s relationships and suggest more connections, the records show.

. . .

Facebook also allowed Spotify, Netflix and the Royal Bank of Canada to read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show… A spokesman for Netflix said Wednesday that it had used the access only to enable customers to recommend TV shows and movies to their friends.

Facebook Privacy

So by signing in to Spotify with your Facebook account, Spotify has the ability to read all your private Facebook messages.

Facebook empowered Apple to hide from Facebook users all indicators that its devices were asking for data. Apple devices also had access to the contact numbers and calendar entries of people who had changed their account settings to disable all sharing, the records show.

Facebook Privacy

These two confusing sentences reiterate that Facebook does not sell user data. Instead, it uses a loophole to sell access to Facebook-owned data:

Facebook has never sold its user data, fearful of user backlash and wary of handing would-be competitors a way to duplicate its most prized asset. Instead, internal documents show, it did the next best thing: granting other companies access to parts of the social network in ways that advanced its own interests.

Facebook Privacy

This is not the first time Facebook’s data sharing practices have drawn scrutiny:

In late 2009, it changed the privacy settings of the 400 million people then using the service, making some of their information accessible to all of the internet. Then it shared that information, including users’ locations and religious and political leanings, with Microsoft and other partners.

Facebook called this “instant personalization” and promoted it as a step toward a better internet, where other companies would use the information to customize what people saw on sites like Bing. But the feature drew complaints from privacy advocates and many Facebook users that the social network had shared the information without permission.

. . .

In 2014, Facebook ended instant personalization and walled off access to friends’ information. But in a previously unreported agreement, the social network’s engineers continued allowing Bing; Pandora, the music streaming service; and Rotten Tomatoes, the movie and television review site, access to much of the data they had gotten for the discontinued feature. Bing had access to the information through last year, the records show, and the two other companies did as of late summer, according to tests by The Times.

. . .

Microsoft officials said that Bing was using the data to build profiles of Facebook users on Microsoft servers. They declined to provide details, other than to say the information was used in “feature development” and not for advertising. Microsoft has since deleted the data, the officials said.

Facebook Privacy

More examples of how Facebook shared your data, from NY Times


Facebook’s response


We’ve been public about these features and partnerships over the years because we wanted people to actually use them – and many people did. They were discussed, reviewed, and scrutinized by a wide variety of journalists and privacy advocates.

But most of these features are now gone. We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.

. . .

We’ve shut down nearly all of these partnerships over the past several months, except with Amazon and Apple, which people continue to find useful and which are covered by active contracts; Tobii, an integration that enables people with ALS to access Facebook; and browser notifications for people who use Alibaba, Mozilla and Opera.

Facebook’s Partners

Facts About Facebook’s Messaging Partnerships


People could message their friends about what they were listening to on Spotify or watching on Netflix, share folders on Dropbox, or get receipts from money transfers through the Royal Bank of Canada app. These experiences were publicly discussed. And they were clear to users and only available when people logged into these services with Facebook. However, they were experimental and have now been shut down for nearly three years.

. . .

No third party was reading your private messages, or writing messages to your friends without your permission. Many news stories imply we were shipping over private messages to partners, which is not correct.

Facebook’s Messaging Partnerships

Op Ed from the New Yorker


But the case reflects a fundamental problem: Facebook was so determined to grow, and to cement the commercial partnerships that would help it grow, that it didn’t pause to build tools that could parcel out narrow slices of information.
. . .
‘Trust is the willingness to accept vulnerability. In a personal relationship, it is the willingness to self-disclose and be honest. For Facebook, it is the very willingness of the informed to participate in their platform.’

How Much Trust Can Facebook Afford to Lose

Google transferred ownership of Duck.com to DuckDuckGo

This made quite the ruffle today when Google transferred the domain duck.com to the privacy focused search engine DuckDuckGo.

Google’s ownership of Duck.com was previously a source of frustration for DuckDuckGo, when it would redirect users to Google’s rival homepage instead of DuckDuckGo. Google kindly tried to clear up this confusion in July by adding a DuckDuckGo link to the page. Visiting Duck.com now redirects users straight to DuckDuckGo.

via The Verge

The best part is the previous page for duck.com

Please note that On2 was previously called the Duck Corporation. So if you typed Duck.com, you are redirected to On2.com:

  • If you meant to visit ducks.com, click here. Note that it redirects to Bass Pro Shops.
  • If you meant to visit the search engine DuckDuckGo, click here.
  • If you want to learn more about ducks on Wikipedia, click here.

Also on Hacker News and Twitter:

Search away


Location Data Privacy in Apps

The New York Times released a report (with some fancy graphics) detailing location data use by apps for advertising, outside the main purpose of the app. Only 10 apps were covered in depth, but the findings reveal how some advertising companies aggregate location data from apps.

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

[Learn how to stop apps from tracking your location.]

An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.

via NY Times

Remember, even with location services disabled, apps and websites can still track your approximate location.

The Times app did not request precise location data and did not send it. It sent location data to several companies based on an IP address that placed the device elsewhere within the city.

via NY Times

IP-based location tracking came up during the Facebook Congressional hearings and is a way Google can personalize search results when logged out or in private browsing windows. And don’t forget Google’s “Location History” and “Web and App Activity” both cover location services.

The most unnerving finding of the report is how apps hide code that exports your location to advertisers behind opaque privacy policies.

Frequently, location data companies make packages of code that collect phones’ whereabouts. Developers who add this code to their apps can get paid for location-targeted ads, or earn money for providing the location data, or get free mapping or other services for their apps.

via NY Times

If we can’t communicate use of location with transparency, what will happen when biometric and facial recognition technologies are embedded in every camera and device:

“people deserve to know when [facial recognition] technology is being used, so they can ask questions and exercise some choice in the matter if they wish. Indeed, we believe this type of transparency is vital for building public knowledge and confidence in this technology. New legislation can provide for this in a straightforward approach:

  • Ensuring notice. The law should require that entities that use facial recognition to identify consumers place conspicuous notice that clearly conveys that these services are being used.
  • Clarifying consent. The law should specify that consumers consent to the use of facial recognition services when they enter premises or proceed to use online services that have this type of clear notice.”

via Facial recognition: It’s time for action

What the Marriott Breach Says About Security

Your personal data is already stolen. Here’s what you need to be doing:

via Krebs on Security


How Criminals Steal $37 Billion a Year

It is increasingly difficult to trust someone calling from a phone number you don’t recognize. Not only are scammers calling from numbers that seem to be in your area, but they are also impersonating family members in distress.

The dirty little secret about elder exploitation is that almost 60 percent of cases involve a perpetrator who is a family member, according to a 2014 study by Lachs and others, an especially fraught situation where victims are often unwilling, or unable, to seek justice. Such manipulation sometimes involves force or the threat of force

via Bloomberg

This trick has been around for a while, but there are new defenses available to guard against the scam.

On Feb. 5, the Financial Industry Regulatory Authority, an industry body, put into effect “the first uniform, national standards to protect senior investors.” It now requires members to try to obtain a trusted contact’s information so they can discuss account activity. It also permits firms to place temporary holds on disbursements if exploitation is suspected.


Interesting idea: two-person authentication for account transactions, but it still may be easy to beat the system.

Loewy, who left her job as a prosecutor in 2014 to join EverSafe, a startup that makes software to monitor suspicious account activity, is underwhelmed by the industry projects.

“They may say they’re focused on it, but they aren’t really doing much more than training employees,” she says. “Exploiters know what they’re doing. They take amounts under $10,000 that they know won’t get picked up by fraud and risk folks at banks. And they steal across institutions over time.”


And remember, if you get a text from a short-code number with 5 or 6 digits, you can verify the identity of the sender with the Short Code Directory.

Nobody is immune to ads

In his post Nobody is immune to ads, Georges Abi-Heila explores the psychology of how humans react to the barrage of brands and ads we see every day.

There’s no scientific consensus on the number of ads we’re exposed to daily, as estimates vary from a few hundred to thousands. Why is it so hard to get a reasonable figure? Because it depends on a variety of factors that greatly affect the final result (sorted by level of importance):

What is considered an ad?
Including brand labels and logos can increase the final result 10x.
Think about every time you pass by a brand name in a supermarket, the label on everything you wear, the condiments in your fridge, the cars on the highway…
Where does the subject live?
The denser your living environment, the more ads you’re exposed to as companies fiercely compete for your attention (and, ultimately, your wallet). Visual pollution is one of the drawbacks of living in a big city…
What is the subject’s job?
During work hours, a hotel receptionist sees a lot fewer ads than a truck driver, who is less exposed than a social media manager.

Want to see an interesting example? Have an iPhone? Ignore for a moment all the brands you see from the icons on your home screen, this one is more subtle. What does it say in the top left corner?

The Verge iPhone 8 Review

So every time you pick up your phone you are served an ad for your cell carrier. Why does it exist? Do you frequently forget you are on the AT&T network?

It is worth noting, the notched iPhones no longer show the carrier name, so this redditor has the right idea.

The Verge iPhone X Review

Is it a big change? No. But it is one less ad in the thousands you see in a day.

As a bonus, check out the streets of Sao Paulo. The city has a law that prohibits outdoor advertising. The story is covered in a post by 99% Invisible.

21 Lessons for the 21st Century

Yuval Noah Harari on the Talks at Google podcast (and in video form)

He’s marketing his new book extremely well and a New York Times interview on the subject garnered attention:

It made him sad, he told me, to see people build things that destroy their own societies, but he works every day to maintain an academic distance and remind himself that humans are just animals. “Part of it is really coming from seeing humans as apes, that this is how they behave,” he said, adding, “They’re chimpanzees. They’re sapiens. This is what they do.”

. . .

“It’s just a rule of thumb in history that if you are so much coddled by the elites it must mean that you don’t want to frighten them,” Mr. Harari said. “They can absorb you. You can become the intellectual entertainment.”

. . .

He told the audience that free will is an illusion, and that human rights are just a story we tell ourselves. Political parties, he said, might not make sense anymore. He went on to argue that the liberal world order has relied on fictions like “the customer is always right” and “follow your heart,” and that these ideas no longer work in the age of artificial intelligence, when hearts can be manipulated at scale.

Not the most heartening view of the future.

21 Lessons is also recommended by Bill Gates as one of 5 books he loved in 2018 (to further corroborate Harari’s points).

The trick for putting an end to our anxieties, he suggests, is not to stop worrying. It’s to know which things to worry about, and how much to worry about them. As he writes in his introduction: “What are today’s greatest challenges and most important changes? What should we pay attention to? What should we teach our kids?”

Or maybe we should be a bit more like Newt Scamander:

My philosophy is that worrying means you suffer twice.


The Exponent podcast is back! And there’s a lot of news regarding pressure to change existing App Store pricing models.

it seems incredibly worrisome to me anytime any company predicates its growth story on rent-seeking: it’s not that the growth isn’t real, but rather that the pursuit is corrosive on whatever it was that made the company great in the first place. That is a particularly large concern for Apple: the company has always succeeded by being the best; how does the company maintain that edge when its executives are more concerned with harvesting profits from other companies’ innovations?

via Stratechery and Exponent

Plus, after shipping Fortnite outside of the Google Play Store, Epic Games is moving in on Steam with a new game store and taking a smaller cut of sales.

Developers receive 88% of revenue. There are no tiers or thresholds. Epic takes 12%. And if you’re using Unreal Engine, Epic will cover the 5% engine royalty for sales on the Epic Games store, out of Epic’s 12%.

via Unreal Engine Blog

The case for slowing everything down a bit

Ezra Klein on increased digital friction:

I believe that one reason podcasts have exploded is that they carry so much friction: They’re long and messy, they often take weeks or months to produce, they’re hard to clip and share and skim — and as a result, they’re calmer, more human, more judicious, less crazy-making.

Klein and Jaron Lanier discuss just that, in a podcast.

Writing . . . is full of friction. It’s hard and slow, and the words on the page fall short of the music and clarity I imagined they’d have. But it is, in the end, rewarding. It’s where I have at least a chance to create something worth creating. The work is worth it.

via Vox

Is this a legit Fortnite V-Buck site? Probably not.

Fortnite has caused quite the security kerfuffle. Between releasing the Android app outside the Google Play Store, and an insane desire for V-Bucks, scams are running rampant.

Wired put out this article yesterday entitled Fortnite scams are even worse than you thought, and it made me sad that people are being tricked (that’s for tomorrow 🎃).

I made a simple browser extension as a helpful reminder of legitimate V-Buck sites. It will give you a green thumbs up on real V-Bucks websites, and a red thumbs down for sites where you can’t safely purchase V-Bucks. Check it out on GitHub.

If all else fails, to stay safe, remember: ONLY BUY V-BUCKS IN THE GAME.


Download the extension files by clicking “Clone or download > Download Zip” on GitHub
Follow steps 1, 2, and 3 here to install the extension
(Yes, enabling developer mode to sideload extensions is a similar security hole to what Epic is doing with Fortnite on Android. I’ll look into publishing the extension officially.)
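As an added example (my own code, not the extension in the author’s GitHub repo), here is how a content script of this kind can decide which badge to show from the page’s URL alone, and why the host has to be matched on label boundaries rather than by substring, since lookalike domains are exactly how these scams work. The `.example` hostnames are constructed placeholders standing in for the real storefronts and marketplaces, which this post does not name.

```javascript
// Added example, not the author's extension. Host lists are constructed
// placeholders (.example), not the real storefront or marketplace domains.
const LEGIT_VBUCKS_HOSTS = [
  "console-store-a.example", // placeholder: a console storefront
  "console-store-b.example", // placeholder: a second console storefront
];
const UNSAFE_VBUCKS_HOSTS = [
  "auction-site.example", // placeholder: a marketplace where V-Bucks must not be bought
];

// Lowercase, drop a trailing dot, and accept only plain DNS labels so the
// comparison below never sees userinfo, ports or path fragments.
function normalizeHost(hostname) {
  const host = String(hostname).trim().toLowerCase().replace(/\.$/, "");
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host) ? host : null;
}

// Match on label boundaries: `base` itself or a subdomain of it.
// "console-store-a.example.evil.example" must not match "console-store-a.example".
function hostMatches(host, base) {
  return host === base || host.endsWith("." + base);
}

// The substring check a quick script might reach for; shown only to contrast
// with hostMatches, which is the one classifyUrl actually uses.
function naiveMatches(host, base) {
  return host.includes(base);
}

// Classify a page URL as "legit", "unsafe" or "unknown" (no badge).
// Only http(s) URLs are considered; anything unparseable is "unknown".
function classifyUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return "unknown";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return "unknown";
  const host = normalizeHost(url.hostname); // URL parsing already strips userinfo
  if (host === null) return "unknown";
  if (LEGIT_VBUCKS_HOSTS.some((base) => hostMatches(host, base))) return "legit";
  if (UNSAFE_VBUCKS_HOSTS.some((base) => hostMatches(host, base))) return "unsafe";
  return "unknown";
}

// Badge text and colour per verdict; "unknown" draws nothing.
function badgeFor(verdict) {
  if (verdict === "legit") return { text: "👍 Legitimate place to buy V-Bucks", color: "#2e7d32" };
  if (verdict === "unsafe") return { text: "👎 Do not buy V-Bucks here", color: "#c62828" };
  return null;
}

// Content-script side: drop a fixed badge into the page. `doc` is passed in
// so the function can be exercised outside a browser.
function renderBadge(doc, verdict) {
  const badge = badgeFor(verdict);
  if (badge === null) return null;
  const el = doc.createElement("div");
  el.textContent = badge.text;
  el.style.cssText =
    "position:fixed;top:8px;right:8px;padding:8px 12px;z-index:2147483647;" +
    "font:14px sans-serif;color:#fff;border-radius:4px;background:" + badge.color;
  doc.body.appendChild(el);
  return el;
}

// Only runs inside a browser page (as a content script); a no-op under Node.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  renderBadge(document, classifyUrl(location.href));
}
```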

Test out the extension!

V-Bucks for PlayStation:


V-Bucks for Xbox:


V-Bucks for PC/Switch/iOS/Android are only available in game, but here’s a link to Epic Games explaining that:


Don’t buy V-Bucks on eBay:


Video demo

It’s all about the gifs

Other Fortnite Links and Security Tips

Here’s how to get Fortnite on Android:

How to protect your Epic account:

Epic on V-Buck Scams:

And a reminder from Wired:


I’ll wrap up by saying I don’t endorse actually purchasing these things, but for those of you who do buy, stay safe out there!