Flash Seats Usability, Security, and Privacy

The Quora Conundrum

Quora reported a data breach earlier this month and the company outlined the stolen data, what they are doing, and what you can do in an email to those affected:

The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)

They also have more detail in https://help.quora.com/hc/en-us/articles/360020212652

Did I even know I had a Quora account? Nope.

Quora password reset email

But lo and behold, I did, so it was time to reset my password and delete the account.

Side note, if you logged in with Google or Facebook you may not have an account password, as mentioned in the account deletion FAQ: “if you created the account via Google or Facebook, you will first need to create a password by clicking the “Change Password”

Hi,

We have processed your request for account deletion and your name and content will be completely removed from Quora in 14 days. Note: If you login during the next 14 days, your account will be reactivated and deletion will be canceled.

We’re sorry to see you go, but we hope you consider joining the Quora community in the future.

Thanks,
Quora Support

What happens to all the information Quora knows about me after the account is gone? No idea. Luckily their help page has detailed info on the account deletion process:

Once the 14-day grace period has expired and your account has been deleted, your content and profile will be permanently deleted, and personal data associated with your account will be removed from Quora’s databases.

While it is unfortunate that the breach occurred, Quora clearly disseminated information and had the support network in place to help people manage their accounts effectively.

I do not expect Flash Seats could handle a breach with similar organization and focus.

The Flash Seats Fiasco

Let me preface by saying this came about from buying tickets to an NBA game. A long running, national sports league, with a recent focus on technology. Not the D-League (G-League?) or a college game, but the National Basketball Association.

If you haven’t heard about Flash Seats, not to worry. I didn’t either, but over the course of the ticket buying experience, I learned much more about the service than I wanted to know.

So let’s get started. Select your game from the Nuggets schedule, land on tix.axs.com, choose your seats on tix.axs.com and proceed to checkout on tix.axs.com. Done!

But not so fast, that’s only how buying tickets should work. It’s just after you’ve chosen your seats and are ready to buy when the first mention of the separate Flash Seats service appears for the ticket delivery method.

Flash seats delivery method drop down

If you gloss over the defaults you don’t even notice the distinction that the tickets are not on AXS, but instead on Flash Seats.

Select the details drop down and you will find the following information about ticket delivery options:

– Tickets will be delivered electronically to your Flash Seats account within one (1) week following the official on-sale date

– The easiest, most convenient, and most flexible option. With Flash Seats® digital tickets, there are no paper tickets, and you can quickly enter the event with the Flash Seats Mobile App for IOS or Android, your credit card or driver’s license. You can also transfer tickets to friends or sell your tickets on our secure marketplace.* If applicable*

At the gate, please show your Mobile ID in the Flash Seats app (for IOS or Android), or credit card used during your purchase or your registered driver’s license.

– Your card or mobile device will be swiped at the door by a Guest Services representative using a hand-held device and you will receive a seat locator identifying your seats. For more information about Flash Seats, please visit www.altitudetickets.com/flashseats

Proceed to purchase and you can sign in or create your AXS account with your password manager of choice.

axs_create_acct.png
Notice no mention that this account is in fact for Flash Seats, not AXS as shown at the bottom.

 

Complete the purchase and you’ll get an order receipt from [email protected]. When was I on altitudetickets.com? Not sure I was, but did you read the fine print from before? www.altitudetickets.com/flashseats is a thing

Altitude Tickets is powered by AXS utilizing Flash Seats digital tickets to deliver your tickets safely and securely

What?

It feels like this service is the ticketing equivalent of the Amazon arbitragers from A Business With No End.

The most confusing thing about all this is that AXS has its own ticketing service. And the NBA uses 80% of it. Why not just use AXS 100%?

fs_email_app.png

As an aside, for those of you following along at home, here’s the flow to purchase tickets (links are only approximate as specific event links are unique and tough to for any period of time):

  1. NBA.com: https://www.nba.com/nuggets/schedule/home-schedule
  2. altitudetickets.com: https://www.altitudetickets.com/events/category/basketball
  3. tix.axs.com: (specific event link)
  4. Flash Seats: The Future of Ticketing Today (event tickets)

Download AXS app because you don’t realize until after the fact that Flash Seats is a thing.

axs_app.png

Discover the log in doesn’t work on AXS.

Go back and download the Flash Seats app. 5 star reviews. They are similarly ranked in the Entertainment category, so Flash Seats isn’t just some one-off unused app, no matter what the quality of the app lets on.

fs_app.png

Log in with the same AXS/Flash Seats log in stored in your password manager of choice. Password is still incorrect… Try online, maybe the mobile app doesn’t work. Nope.

fs_failed_login.png

Reset your password. Maybe something messed up with the password manager.

fs_reset_email.png

Nope, password manager didn’t break spontaneously only on this site. Need further investigation.

fs_further_inv.png

Call 888-360-SEAT and let the fun begin…

Remember, the game starts in 30 minutes and we can’t access the tickets we just bought. I’ll try to remain calm (somewhat unsuccessfully), but imagine this on the scale of everyone buying tickets for every NBA game every night of the season.

(It is worth noting not every NBA team uses Flash Seats. I had not been to an NBA game in a while and didn’t realize that at first. Yet the Cavaliers, Nuggets, Rockets, Clippers, Lakers, Jazz, and Timberwolves plus some NHL teams use Flash Seats to manage tickets.)

Here’s a rough transcript of the call:

Hi, thanks for calling Altitude Tickets, oh I mean AXS, hold on, Flash Seats. Hi, I have tickets to a game in 20 minutes and I can’t access my account I just created. Ok, what would you like to be your new password. Uhh, I have to create a password with you over the phone? Yep! Well that sounds secure. It’s our policy. Makes sense. So what will it be? I guess “password”. Great, that’s what I was going to suggest. The password “password” is allowed on your service? Yep, that’s our policy. Makes sense. We strive for security. So I can get my tickets now? Yep, just log in to your account with your new password. Ok. Ok. Well have a good night. And you as well sir. One more thing, can you connect me with your security department? What? Makes sense, good night.

Good news. Password “password” works. I can log in to get the tickets (and change my password to something more secure, like correcthorsebatterystaple (please don’t use that as your password)).

Just in time to get to the arena and skip the line at the Flash Seats Help Desk. I think the person with the most ridiculous problem of the night won a Tundra.

fs_help_desk.jpeg
Not the best photo, but in a way, it sort of sums up the experience

The game was fun though. Nugs won! And we almost won nugs.

nugs.jpeg

Deleting the account

But wait, there’s more! I couldn’t let this account stick around. Given the airtight security measures I wanted to remove the account as soon as it was no longer needed. (Are single use accounts a thing yet?). Here’s how to delete your Flash Seats account:

Before starting, remove any contact and payment info that may have been saved in your account. Don’t trust the service to do this for you.

Then go to the Contact Us page.

Don’t worry, nothing in the form is a required field and there is no parameter validation, so just enter your email and “delete account” as your phone number and Flash Seats should get the message.

A few days later this message shows up in my inbox:

fs_acct_merge.png

Huh? What do you mean my accounts were merged? What is this [email protected]? Let’s find out…

I replied to the above email mentioning its confusing nature and reminded them I wanted to delete all my account information, not have them archive my info under the guise of this Deleted Account pseudonym. Here’s what they said:

Hi Ryan,

Thank you for contacting Flash Seats. That is the deletion method that we have for Flash Seats accounts.

Thank you,
Flash Seats

Fair point.

So with my new enlightenment on how Flash Seats handled user data privacy, just for fun I tried logging in to my Flash Seats account identified by [email protected].

My attempts of password, deletedaccount, and flashseats didn’t work, but it did get the account locked in the same way as my original predicament.

fs_deleted_acct.png

And that was the end of the Flash Seats fiasco. I guess my account is gone. No real way to know for sure. Suspiciously though, no one has been able to get in to any NBA games over the last month…

More account security fun

Just to ensure I wasn’t completely off base with my view of the utter mess of this service, I looked into other instances of people struggling with Flash Seats. It turns out the Detroit Lions dropped Flash Seats and the Timberwolves had to settle with season ticket holders because “use of the digital marketplace Flash Seats makes it too hard for fans to exchange tickets, sell them on the secondary market or even give them away.”

Ticketfly

Wasn’t this AXS/Flash Seats site just breached? No wait, that was Ticketfly, the site that still only allows passwords with a length of 20 characters or less.

ticketfly_password
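
Both password problems in this post (a service that accepts “password”, and a 20-character ceiling) come down to the acceptance check. The sketch below is an added example, not code from Flash Seats, AXS, or Ticketfly; it follows the NIST SP 800-63B approach of a length floor, a generous ceiling, and a blocklist that includes context-specific words. The function name, the blocklist contents, and the sample inputs are all constructed for illustration.

```python
import unicodedata

MIN_LEN = 8    # SP 800-63B floor for user-chosen passwords
MAX_LEN = 64   # accept at least this many characters; a 20-character cap is too low

# Constructed sample blocklist; a real service loads a large breached-password corpus.
COMMON = {"password", "12345678", "qwertyuiop", "deletedaccount",
          "correcthorsebatterystaple"}

def _squash(text):
    """Case-fold and keep only letters/digits so 'Flash Seats' matches 'flashseats'."""
    return "".join(ch for ch in text.casefold() if ch.isalnum())

def check_password(candidate, service_name, email):
    """Return (accepted, reason); service_name and email supply context words."""
    pw = unicodedata.normalize("NFKC", candidate)  # count normalized code points
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    squashed = _squash(pw)
    base = squashed.strip("0123456789")  # 'password1' and '2018flashseats' reduce to the word
    if squashed in COMMON or base in COMMON:
        return False, "common password"
    context = {_squash(service_name), _squash(email.split("@")[0])}
    context.discard("")
    if squashed in context or base in context:
        return False, "context-specific word"
    return True, "ok"

if __name__ == "__main__":
    # Constructed inputs; the address is a placeholder, not one from the post.
    for pw in ("password", "flashseats", "FlashSeats2018",
               "nuggets beat the odds at altitude"):
        print(repr(pw), check_password(pw, "Flash Seats", "fan@example.com"))
```
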

Ticketmaster

Another fun tidbit of ticketing information; you can send Ticketmaster a letter if you want to close your account.

Can you do this for anyone’s account?

Send Us a letter
Whether it’s pen to paper or straight from your printer, address all mail to:

Ticketmaster
Attn: Fan Support
1000 Corporate Landing
Charleston, WV 25311

Marriott

Marriott’s breach response is so bad, security experts are filling in the gaps

and What the Marriott breach says about security

 

🏀🎟🔐
