Wimbledon, Euro 2016, Olympics - it's a year of sport. But as sports teams, organisations and tournaments embrace cloud, mobile and analytics, how are they threatened by cyber attacks and hackers? What do hackers want from these targets and how do they plan to get what they want?
Lisa Baergen, director at NuData Security, a security company that mitigates fraud using passive biometrics, has provided her opinion on this topic.
Large sports teams and large sporting events are attractive to cyber criminals on several levels. Not only are they highly visible, and present large targets of opportunity for criminals who may be looking to earn a name for themselves, teams also amass large repositories of valuable performance and health stats and analytics on players and games.
Thieves and hackers are attracted to this valuable data like bears to honey because it can be sold to legitimate industries including the media and fantasy sports gamers, but also bookies and organised crime involved in illegal betting and gambling. Opponents and rival events could also be interested in getting a leg-up on their rival with insider information.
These organisations also conduct a high volume of e-commerce transactions. Teams and events are increasingly transacting online for bookings and sales, and of course, are fully embracing mobile payment options, putting them at risk of malware and phishing attacks, akin to the risk profile that large e-comm and m-comm vendors have.
First of all, the team or organisation could be targeted for a breach that exposes personally identifiable information of their customers, fans, and even their players and staff. Several large attacks in recent years have borne this out, for example the 2015 “Team Sky” attack that went after performance data in order to discredit Tour de France leader Froome. Sometimes these attacks can also be politically motivated, as in the FC Barcelona attack that sought to embarrass the team on their Twitter account.
If the breach has been successful in gathering data, this info can often lie dormant while the hacker attempts to amass more data points in order to add value. The data is compiled into sets called “fullz”. Once complete, these identity packages sell for more, and can be used by fraudsters to take over accounts in all kinds of places, or on the team and event sites to purchase tickets or collectables for resale.
Sports teams, just like high-profile retailers, can protect against these identity thieves by ensuring they fully understand who is turning up at the account login page. The advantage they have is that fans typically return again and again, and a behavioural biometric tool could be very useful in building a solid profile of the good user in order to provide real-time verification.
By not waiting until transaction, but building a more complete identity profile of the user over time, behavioural biometrics (BB) tools empower online vendors to investigate at any point when high-risk activity is detected but present no friction to users until the vendor chooses to introduce it. This can greatly enhance the customer’s experience at login or checkout. With the knowledge that false declines can account for 32% of lost customers, basically handing the customer to a competitor, removing friction for customers you are certain are good customers will improve their experience with that brand.
The biggest emerging threats are in the less secure mobile space with highly sophisticated malware and Trojans that can lurk on a user’s device observing and collecting everything the user does, says and sees with it -- stealing all account data and PII information, sometimes taking over the camera and microphone, and, of course, remaining completely invisible to the user. Most commonly downloaded via apps, these software interlopers present a significant risk to all online merchants, financial institutions and online sporting providers.