My football team AFC Ajax enjoys successful years hence the demand for tickets is high. I strongly believe that these seats should be affordable and available to real fans. AFC Ajax sells their tickets under a policy via its website, a combination of systems with increasing complexity. Before the 2018–2019 UEFA Champions League matches, I decided to test the security of this ticket shop. With success, I was able to buy more tickets than allowed. A security risk analysis of the vulnerabilities that is relevant in the design of various cloud architectures.

Approach

AFC Ajax uses a generic system by Eventim for its ticket shop. But it wants to sell its tickets according to its cardholders’ policy. This requires an additional system, probably not fully integrated into this website. The interdependence of two systems is a balance between opportunity and risk (Fenton & Neil, 2012), and as Sanders (2014) states: “for most systems, perfect security is elusive”. The definition of risk is the likelihood and impact of an event. In this case, the reward is a Champions League ticket, the guardian is the cardholders’ policy check, and the utility is the reward minus the costs of passing the guardian. Pieters (2013) defines _‘the weakest link’ _in information security as the guardian with the highest induced risk (maximal utility). There were multiple possible attack paths with different utilities. At first, I was thinking about monitoring website traffic. Or search for a hidden field or Boolean. Actually, editing the protected input fields turned to be the weakest link.

#soccer #cybersecurity #tickets #security #risk