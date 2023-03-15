The second phase of Olympic Games ticket sales opens on Wednesday. As during the first period, future buyers must register for a draw before hoping to acquire the precious sesame.

At a time of ever-increasing cyberattacks in administrations or hospitals, ticketing security for the Paris 2024 Olympic and Paralympic Games was a major issue. In total, 10 million tickets will be sold for the Olympics, and 3.5 million for the Paralympics. By way of comparison, the last World Cup in Qatar gathered nearly three million spectators in its stadiums, according to figures from Fifa.

These volumes make this ticket office a target for cybercriminals. “They have a speed and a habit of seizing all the major events in order to be able to do what they do on a daily basis: earn money on the backs of their victims. There is no reason for the Olympics and/or a ticketing of this magnitude is no exception, and even more so with regard to the price of certain tickets. Because the more expensive it is, the rarer it is, and the more it attracts”, says Benoit Grunemwald, cybersecurity expert at ESET, a company that develops computer security software and services.

This ticket office therefore constituted a “challenge”. Damien Rajot, commercial and on-site experience director at Paris 2024, recognizes that it was necessary “manage the volume of more than 750 sessions”, for simultaneous purchase, worldwide. As the second phase of ticketing is launched on Wednesday March 15, franceinfo: sport has deciphered the methods used by the Paris 2024 Organizing Committee for the Olympic and Paralympic Games (Cojop) to counter these threats.

Cyberattacks on the rise

Although cybercriminal attacks on ticket offices are difficult to quantify, the National Syndicate of Musical and Variety Shows Prodiss carried out a study in 2017, showing that illicit sales affected up to one in four tickets. At the same time, “the evolution of the number of court decisions concerning the illicit resale on the secondary market of tickets in the sports sector has increased by 250% between the period 2008-2010 and the period 2020-2022″, has reported the integrated group of lawyers and notaries De Gaulle Fleurance.

To deal with these varied threats – fraud, usurpation and the black market – the organizers of Paris 2024 have “set up from the start a reflection to manage the volumes and find a solution to sell something very complex in a secure way, in a short time”, emphasizes Damien Rajot, “even if zero risk does not exist”, he specifies.

“If consideration for fraud is taken into account by Paris 2024, we know that in cybersecurity, there is no solution that works 100%.” Benoit Grunemwald, cybersecurity expert at ESET at franceinfo: sport

“There is always a flaw in the system, and cybercriminals are resourceful. The efforts are there, we will see if it is enough”, remarks again on Benoit Grunemwald’s side, before predicting: “It’s a safe bet that there will be major maneuvers against the event because everyone will be looking towards the Olympics.”

The draw and purchase slots, security against robots

This was a great novelty. To obtain places at the Paris Games, you must already register for a draw, then be drawn so that you can then buy tickets for the competitions. The buyer is then assigned a 48-hour buying window. “Going through a registration phase and buying slots allows you to spot robots, and avoid having people who organize multi-sales in all directions”, explains Damien Rajot.

An effective system according to Corinne Henin, cybersecurity expert. “This mechanism of registering by email, drawing and then limiting to 30 tickets per account, to a certain extent prevents a robot from connecting, buying many tickets and then reselling them. Because it requires a lot of manipulation for little tickets at a time”, she analyzes. The slot purchase system also made it possible to spread out the flows, thus avoiding endless queues when purchasing. The objective was indeed not to repeat the bad user experience of the Rugby World Cup among others, where the sales platform had been saturated from its opening.

An official resale platform to fight against the black market

Buying tickets a year and a half in advance presents a risk for buyers, who may no longer be available on the D-day. For this, the Cojop has announced that it will set up a single resale platform in 2024. “We want to control and organize this platform in order to avoid any form of over-commercialization and speculation”, says Damien Rajot. Thus, the tickets can only be resold on this site, at the purchase price.

100% digital banknotes and a unique application to avoid counterfeit banknotes

Other security announced by Paris 2024: tickets will only be offered in digital format and will be nominative. No paper tickets will be accepted. Tickets will only be issued and validated on a dedicated official mobile application. And the organizers warn: they will only be sent to buyers a few weeks before the Games. “To fight against counterfeit tickets, digital tickets are effective. Already, they are more difficult to copy than paper tickets. Then, issuing them at the last moment leaves less time for scammers to study what they look like”, says Corinne Henin, cybersecurity expert.

“If there is a small error in the ticket, they will have less time to find it. It is security in obscurantism.” Corinne Henin, cybersecurity expert at franceinfo: sport

However, for the system to work, user support is necessary to guide him in the procedure to follow, give him the right information, help him prepare for his visit, etc. “It’s very important, especially at the Olympics where you go to several sites in the same day. There is a need to be able to broadcast information to people live”, admet Damien Rajot.

Especially to avoid as much as possible that the spectators fall into phishing campaigns. “We can imagine these being launched before D-Day, or when the ticket becomes available, with an invitation to download a fake ticketing application. On arriving at the venue, you could receive a text message saying ‘ Welcome to the Paris Olympics, update your password'”, details specialist Benoit Grunemwald. And thus have access to your personal data to retrieve your real ticket.

Dynamic QR codes, an additional level of security

In addition to being digital, the tickets will be in the form of dynamic QR codes, generated in a specific time slot just before the event. “A QR code is a way of writing data that is easily readable by a computer. A dynamic QR code is made up of a URL and what is behind the URL will change regularly.is an additional level of security”, popularizes Corinne Henin, cybersecurity expert. “This type of QR code, which rotates, makes it more difficult to hack and/or have someone scan the QR code for you or make a copy of it”appuie Benoit Grunemwald.

Despite a system judged “rather safe” by the experts interviewed, “Threats are never obsolete, tranche Benoit Grunemwald. We have to protect ourselves against A, B, C, D, and that changes very quickly and adds up. And maybe A and B are no longer exploitable, but users still need to have good cybersecurity hygiene, i.e. update their devices well, have good passwords, and a double authentication. We keep repeating it, but it’s not going to stop.” Because the threat will not weaken, quite the contrary.