Flash Seats Usability, Security, and Privacy

The Quora Conundrum

Quora reported a data breach earlier this month and the company outlined the stolen data, what they are doing, and what you can do in an email to those affected:

The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)

They also have more detail at https://help.quora.com/hc/en-us/articles/360020212652

Did I even know I had a Quora account? Nope.

Quora password reset email

But lo and behold, I did, so it was time to reset my password and delete the account.

Side note, if you logged in with Google or Facebook you may not have an account password, as mentioned in the account deletion FAQ: “if you created the account via Google or Facebook, you will first need to create a password by clicking the “Change Password”

Hi,

We have processed your request for account deletion and your name and content will be completely removed from Quora in 14 days. Note: If you login during the next 14 days, your account will be reactivated and deletion will be canceled.

We’re sorry to see you go, but we hope you consider joining the Quora community in the future.

Thanks,
Quora Support

What happens to all the information Quora knows about me after the account is gone? No idea. Luckily their help page has detailed info on the account deletion process:

Once the 14-day grace period has expired and your account has been deleted, your content and profile will be permanently deleted, and personal data associated with your account will be removed from Quora’s databases.

While it is unfortunate that the breach occurred, Quora clearly disseminated information and had the support network in place to help people manage their accounts effectively.

I do not expect Flash Seats could handle a breach with similar organization and focus.

The Flash Seats Fiasco

Let me preface by saying this came about from buying tickets to an NBA game. A long-running national sports league with a recent focus on technology. Not the D-League (G-League?) or a college game, but the National Basketball Association.

If you haven’t heard about Flash Seats, not to worry. I didn’t either, but over the course of the ticket buying experience, I learned much more about the service than I wanted to know.

So let’s get started. Select your game from the Nuggets schedule, land on tix.axs.com, choose your seats on tix.axs.com and proceed to checkout on tix.axs.com. Done!

But not so fast, that’s only how buying tickets should work. The first mention of the separate Flash Seats service, as the ticket delivery method, comes only after you’ve chosen your seats and are ready to buy.

Flash seats delivery method drop down

If you gloss over the defaults you don’t even notice the distinction that the tickets are not on AXS, but instead on Flash Seats.

Select the details drop down and you will find the following information about ticket delivery options:

– Tickets will be delivered electronically to your Flash Seats account within one (1) week following the official on-sale date

– The easiest, most convenient, and most flexible option. With Flash Seats® digital tickets, there are no paper tickets, and you can quickly enter the event with the Flash Seats Mobile App for IOS or Android, your credit card or driver’s license. You can also transfer tickets to friends or sell your tickets on our secure marketplace.* If applicable*

– At the gate, please show your Mobile ID in the Flash Seats app (for IOS or Android), or credit card used during your purchase or your registered driver’s license.

– Your card or mobile device will be swiped at the door by a Guest Services representative using a hand-held device and you will receive a seat locator identifying your seats. For more information about Flash Seats, please visit www.altitudetickets.com/flashseats

Proceed to purchase and you can sign in or create your AXS account with your password manager of choice.

axs_create_acct.png
Notice no mention that this account is in fact for Flash Seats, not AXS as shown at the bottom.


Complete the purchase and you’ll get an order receipt from customerservice@altitudetickets.com. When was I on altitudetickets.com? Not sure I was, but did you read the fine print from before? www.altitudetickets.com/flashseats is a thing.

Altitude Tickets is powered by AXS utilizing Flash Seats digital tickets to deliver your tickets safely and securely

What?

It feels like this service is the ticketing equivalent of the Amazon arbitragers from A Business With No End.

The most confusing thing about all this is that AXS has its own ticketing service. And the NBA uses 80% of it. Why not just use AXS 100%?

fs_email_app.png

As an aside, for those of you following along at home, here’s the flow to purchase tickets (links are only approximate, since specific event links are unique and don’t stay valid for any period of time):

  1. NBA.com: https://www.nba.com/nuggets/schedule/home-schedule
  2. altitudetickets.com: https://www.altitudetickets.com/events/category/basketball
  3. tix.axs.com: (specific event link)
  4. Flash Seats: The Future of Ticketing Today (event tickets)

Download AXS app because you don’t realize until after the fact that Flash Seats is a thing.

axs_app.png

Discover the login doesn’t work on AXS.

Go back and download the Flash Seats app. 5 star reviews. It is ranked similarly to AXS in the Entertainment category, so Flash Seats isn’t just some one-off unused app, no matter what the quality of the app lets on.

fs_app.png

Log in with the same AXS/Flash Seats login stored in your password manager of choice. Password is still incorrect… Try online, maybe the mobile app doesn’t work. Nope.

fs_failed_login.png

Reset your password. Maybe something messed up with the password manager.

fs_reset_email.png

Nope, password manager didn’t break spontaneously only on this site. Need further investigation.

fs_further_inv.png

Call 888-360-SEAT and let the fun begin…

Remember, the game starts in 30 minutes and we can’t access the tickets we just bought. I’ll try to remain calm (somewhat unsuccessfully), but imagine this on the scale of everyone buying tickets for every NBA game every night of the season.

(It is worth noting not every NBA team uses Flash Seats. I had not been to an NBA game in a while and didn’t realize that at first. Yet the Cavaliers, Nuggets, Rockets, Clippers, Lakers, Jazz, and Timberwolves plus some NHL teams use Flash Seats to manage tickets.)

Here’s a rough transcript of the call:

Rep: Hi, thanks for calling Altitude Tickets, oh I mean AXS, hold on, Flash Seats.
Me: Hi, I have tickets to a game in 20 minutes and I can’t access my account I just created.
Rep: Ok, what would you like to be your new password.
Me: Uhh, I have to create a password with you over the phone?
Rep: Yep!
Me: Well that sounds secure.
Rep: It’s our policy.
Me: Makes sense.
Rep: So what will it be?
Me: I guess “password“.
Rep: Great, that’s what I was going to suggest.
Me: The password “password” is allowed on your service?
Rep: Yep, that’s our policy.
Me: Makes sense.
Rep: We strive for security.
Me: So I can get my tickets now?
Rep: Yep, just log in to your account with your new password.
Me: Ok.
Rep: Ok.
Me: Well have a good night.
Rep: And you as well sir.
Me: One more thing, can you connect me with your security department?
Rep: What?
Me: Makes sense, good night.

Good news. Password “password” works. I can log in to get the tickets (and change my password to something more secure, like correcthorsebatterystaple (please don’t use that as your password)).
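For contrast with a phone rep accepting “password” as a new password, here is an added example (my own illustration, not Flash Seats’ or AXS’s code) of the server-side acceptance check a ticketing site should run on every password it stores, whichever channel the reset came through. It follows the NIST SP 800-63B approach: a minimum length and a denylist of commonly used passwords rather than composition rules. The denylist here is a constructed stub, and the `userContext` argument (to reject passwords built from the account’s own email) is an assumption about what the site would have on hand.

```javascript
// Added example: password acceptance check of the kind that would have
// rejected "password" during the phone reset. Not Flash Seats' own code.

// Constructed, deliberately short denylist. A real deployment loads a much
// larger list of breached/common passwords (assumption: from a file or
// service the site operates).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "12345678", "qwerty", "letmein",
  "flashseats", "deletedaccount", "correcthorsebatterystaple",
]);

const MIN_LENGTH = 8;
const MAX_LENGTH = 64;

// Fold case and strip trailing digits/punctuation so trivial variants of a
// denylisted word ("Password1!") are caught as well.
function normalize(pw) {
  return pw.toLowerCase().replace(/[\d\W_]+$/u, "");
}

// Decide whether a candidate password may be stored for this account.
// userContext is an assumed object such as { email: "ryan@example.com" }.
// Returns { ok: boolean, reason: string }.
function checkPassword(candidate, userContext = {}) {
  if (typeof candidate !== "string") return { ok: false, reason: "not a string" };
  if (candidate.length < MIN_LENGTH) return { ok: false, reason: `shorter than ${MIN_LENGTH}` };
  if (candidate.length > MAX_LENGTH) return { ok: false, reason: `longer than ${MAX_LENGTH}` };

  const norm = normalize(candidate);
  if (COMMON_PASSWORDS.has(norm)) return { ok: false, reason: "commonly used password" };

  // Reject passwords built from the account's own identifiers (the local
  // part of the email, a username). Identifiers shorter than 3 characters are
  // skipped so a one-letter username does not reject everything.
  for (const value of Object.values(userContext)) {
    if (!value) continue;
    const ident = String(value).toLowerCase().split("@")[0];
    if (ident.length >= 3 && norm.includes(ident)) {
      return { ok: false, reason: "contains account identifier" };
    }
  }
  return { ok: true, reason: "accepted" };
}

// Stand-alone walk-through over constructed candidates.
for (const pw of ["password", "Password1!", "short", "ryanrocks2018", "Tundra-Help-Desk-2018"]) {
  const { ok, reason } = checkPassword(pw, { email: "ryan@example.com" });
  console.log(ok ? "accept" : "reject", JSON.stringify(pw), "-", reason);
}
```

The `normalize` step is what makes a small denylist worthwhile: without it, “Password1!” sails past an exact-match list, which is the behaviour the “password” exchange above suggests the service lacked entirely.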

Just in time to get to the arena and skip the line at the Flash Seats Help Desk. I think the person with the most ridiculous problem of the night won a Tundra.

fs_help_desk.jpeg
Not the best photo, but in a way, it sort of sums up the experience

The game was fun though. Nugs won! And we almost won nugs.

nugs.jpeg

Deleting the account

But wait, there’s more! I couldn’t let this account stick around. Given the airtight security measures I wanted to remove the account as soon as it was no longer needed. (Are single-use accounts a thing yet?) Here’s how to delete your Flash Seats account:

Before starting, remove any contact and payment info that may have been saved in your account. Don’t trust the service to do this for you.

Then go to the Contact Us page.

Don’t worry, nothing in the form is a required field and there is no parameter validation, so just enter your email and “delete account” as your phone number and Flash Seats should get the message.

A few days later this message shows up in my inbox:

fs_acct_merge.png

Huh? What do you mean my accounts were merged? What is this deletedaccount@flashseats.com? Let’s find out…

I replied to the above email mentioning its confusing nature and reminded them I wanted to delete all my account information, not have them archive my info under the guise of this Deleted Account pseudonym. Here’s what they said:

Hi Ryan,

Thank you for contacting Flash Seats. That is the deletion method that we have for Flash Seats accounts.

Thank you,
Flash Seats

Fair point.

So with my new enlightenment on how Flash Seats handled user data privacy, just for fun I tried logging in to my Flash Seats account identified by deletedaccount@flashseats.com.

My attempts with password, deletedaccount, and flashseats didn’t work, but they did get the account locked in the same way as my original predicament.

fs_deleted_acct.png

And that was the end of the Flash Seats fiasco. I guess my account is gone. No real way to know for sure. Suspiciously though, no one has been able to get in to any NBA games over the last month…

More account security fun

Just to ensure I wasn’t completely off base with my view of the utter mess of this service, I looked into other instances of people struggling with Flash Seats. It turns out the Detroit Lions dropped Flash Seats and the Timberwolves had to settle with season ticket holders because “use of the digital marketplace Flash Seats makes it too hard for fans to exchange tickets, sell them on the secondary market or even give them away.”

Ticketfly

Wasn’t this AXS/Flash Seats site just breached? No wait, that was Ticketfly, the site that still only allows passwords of 20 characters or fewer.

ticketfly_password

Ticketmaster

Another fun tidbit of ticketing information: you can send Ticketmaster a letter if you want to close your account.

Can you do this for anyone’s account?

Send Us a letter
Whether it’s pen to paper or straight from your printer, address all mail to:

Ticketmaster
Attn: Fan Support
1000 Corporate Landing
Charleston, WV 25311

Marriott

Marriott’s breach response is so bad, security experts are filling in the gaps

and What the Marriott breach says about security


🏀🎟🔐

What the Marriott Breach Says About Security

Your personal data is already stolen. Here’s what you need to be doing:

via Krebs on Security


How Criminals Steal $37 Billion a Year

It is increasingly difficult to trust someone calling from a phone number you don’t recognize. Not only are scammers calling from numbers that seem to be in your area, but they are also impersonating family members in distress.

The dirty little secret about elder exploitation is that almost 60 percent of cases involve a perpetrator who is a family member, according to a 2014 study by Lachs and others, an especially fraught situation where victims are often unwilling, or unable, to seek justice. Such manipulation sometimes involves force or the threat of force

via Bloomberg

This trick has been around for a while, but there are new defenses available to guard against the scam.

On Feb. 5, the Financial Industry Regulatory Authority, an industry body, put into effect “the first uniform, national standards to protect senior investors.” It now requires members to try to obtain a trusted contact’s information so they can discuss account activity. It also permits firms to place temporary holds on disbursements if exploitation is suspected.

Bloomberg

Interesting idea: two-person authentication for account transactions, but it still may be easy to beat the system.

Loewy, who left her job as a prosecutor in 2014 to join EverSafe, a startup that makes software to monitor suspicious account activity, is underwhelmed by the industry projects.

“They may say they’re focused on it, but they aren’t really doing much more than training employees,” she says. “Exploiters know what they’re doing. They take amounts under $10,000 that they know won’t get picked up by fraud and risk folks at banks. And they steal across institutions over time.”

Bloomberg

And remember, if you get a text from a short-code number with 5 or 6 digits, you can verify the identity of the sender with the Short Code Directory.

Is this a legit Fortnite V-Buck site? Probably not.

Fortnite has caused quite the security kerfuffle. Between releasing the Android app outside the Google Play Store, and an insane desire for V-Bucks, scams are running rampant.

Wired put out this article yesterday entitled Fortnite scams are even worse than you thought, and it made me sad that people are being tricked (that’s for tomorrow 🎃).

I made a simple browser extension as a helpful reminder of legitimate V-Buck sites. It will give you a green thumbs up on real V-Bucks websites, and a red thumbs down for sites where you can’t safely purchase V-Bucks. Check it out on GitHub.

If all else fails, to stay safe, remember: ONLY BUY V-BUCKS IN THE GAME.
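The thumbs-up/thumbs-down decision the extension makes comes down to one question: is the current page on a storefront that really sells V-Bucks? The following is an added example of that check, written by me for this page and not the extension’s code from GitHub. It assumes the three storefronts linked below (PlayStation Store, Microsoft Store and Epic’s own site) are the legitimate hosts; the extension’s actual list may differ. The point of using the parsed hostname rather than a substring search is that lookalike URLs, userinfo tricks and internationalised domains all fail an exact comparison.

```javascript
// Added example: hostname allowlist for a "legit V-Bucks site" badge.
// Not the extension's own code; the allowlist is an assumption based on the
// storefronts linked in the post.

const LEGIT_HOSTS = new Set([
  "store.playstation.com",   // PlayStation Store
  "www.microsoft.com",       // Microsoft Store (Xbox)
  "www.epicgames.com",       // Epic's own site (V-Bucks sold in game)
]);

// Classify a page URL. Returns "legit", "not-legit", or "invalid".
function classifyVbucksSite(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return "invalid";          // not even a URL; show nothing green
  }
  // Only https counts: the real stores serve over https, and a plain http
  // page on a legit-looking host is either a misconfiguration or something
  // in the middle of the connection.
  if (url.protocol !== "https:") return "not-legit";

  // url.hostname is the parsed host only. "user@", ports, paths and query
  // strings cannot smuggle a legit name past an exact comparison, and an
  // internationalised lookalike comes back as punycode ("xn--..."), which
  // never equals an ASCII allowlist entry.
  return LEGIT_HOSTS.has(url.hostname.toLowerCase()) ? "legit" : "not-legit";
}

// Badge the extension would show for a classification.
function badgeFor(classification) {
  return classification === "legit" ? "👍" : "👎";
}

// In a WebExtension this would run from a tabs.onUpdated listener
// (assumption about the wiring, not shown). Stand-alone, walk constructed
// sample URLs; the first three are the links from the post.
const SAMPLES = [
  "https://store.playstation.com/en-us/product/UP1477-CUSA07022_00-MTX01K0000000000",
  "https://www.microsoft.com/en-us/p/fortnite-1-000-v-bucks/c0f5ht9nv86p",
  "https://www.ebay.com/sch/i.html?_nkw=v+bucks",
  "https://store.playstation.com.free-vbucks.example/",   // constructed lookalike subdomain
  "https://store.playstation.com@free-vbucks.example/",   // constructed userinfo trick
  "http://www.epicgames.com/fortnite",                    // right host, wrong scheme
  "not a url",
];
for (const s of SAMPLES) console.log(badgeFor(classifyVbucksSite(s)), s);
```

Keeping the list to exact hostnames (no wildcard for `*.playstation.com`) is deliberate: a wildcard would also match any subdomain an attacker could register or take over, and the whole value of the badge is that green means one of a handful of known pages.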

Installation

Download the extension files by clicking “Clone or download > Download Zip” on Github
Follow steps 1, 2, and 3 here to install the extension
(Yes, enabling developer mode to sideload extensions is a similar security hole to what Epic is doing with Fortnite on Android. I’ll look into publishing the extension officially.)

Test out the extension!

V-Bucks for PlayStation:
https://store.playstation.com/en-us/product/UP1477-CUSA07022_00-MTX01K0000000000

psn_vbucks

V-Bucks for Xbox:
https://www.microsoft.com/en-us/p/fortnite-1-000-v-bucks/c0f5ht9nv86p

xbox_vbucks.png

V-Bucks for PC/Switch/iOS/Android are only available in game, but here’s a link to Epic Games explaining that:
https://www.epicgames.com/fortnite

epic_vbucks.png

Don’t buy V-Bucks on eBay:
https://www.ebay.com/sch/i.html?_nkw=v+bucks

ebay_vbucks.png

Video demo

It’s all about the gifs

Other Fortnite Links and Security Tips

Here’s how to get Fortnite on Android:
https://www.epicgames.com/fortnite/en-US/mobile/android/get-started

How to protect your Epic account:
https://www.epicgames.com/fortnite/en-US/news/protecting-your-epic-account

Epic on V-Buck Scams:
https://epicgames.helpshift.com/a/fortnite/?s=epic-accounts&f=account-security-bulletin&p=all

And a reminder from Wired:


I’ll wrap up by saying I don’t endorse actually purchasing these things, but for those of you who do buy, stay safe out there!