Security experts and media pundits warn people to avoid posting pictures of their tickets online. Many people follow this rule, but not everyone. Time and time again and again, and again, we see photos of tickets on social media, especially on Instagram. Just check the #tickets hashtag and you’ll see.
Why is doing this a bad idea again?
The problem with these types of posts is that people post tickets for events happening in the future and forget to blur out or cover up the barcodes and figures beneath them. Bad guys can copy the this information from these photos and use them to duplicate tickets — and resell them or visit the event at the expense of the victims.
The same rule holds true for airplane tickets: hooligans won’t take your place on the plane but they can literally ruin your trip — book the worst seats for you or even cancel your return tickets. All of the necessary information for this trick is printed on your airline tickets, so don’t post them online. Just don’t do it.
Is it really that serious?
Do you remember an Australian woman named Chantelle who won $825 at Melbourne Cup horse race? She posted a selfie with her ticket and lost all of the prize money.
Almost every huge event attracts cybercriminals attention. Last year British citizens lost £5.2m to ticket fraud and the situation has not changed for the better. Major sporting events such as the Rugby World Cup or the Euro 2016 championships are on the top list of ticket scams. Concerts and festivals come next.
— Kaspersky Lab (@kaspersky) November 6, 2015
Ticket services typically have rules that say that every client must not provide data from the ticket to third parties. Publishing a photo of your ticket online equals to sharing your data with anyone who sees the picture. So if you do it, don’t blame the ticket services — they cannot do anything should you disregard their rules and give your ticket away to strangers.
Posting tickets online is also a great way to alert burglars to the date and time that you will be away from your home.
Why do they make individual tickets with names if one can easily forge them?
When one person posts their ticket picture online, that can start a slippery chain of events where another one buys a fraudulent ticket from private sellers and the original purchaser or duplicate purchasers cannot attend the event – simply because someone else used their tickets and gotten there before them. Is there any way to solve this problem? Of course, event managers can verify your ID at the entrance — something like two-factor verification. But in real life, this approach is far from perfect.
For starters, ticketholders can become irritated if there is strict control matcing tickets to names. Secondly, it’s not practical. If the event gathers hundreds of people you can check their identities and not spend too much time doing that. If it gathers 30,000 people — it’s almost impossible. Imagine a concert that doesn’t start because visitors stay in queue for hours. Nobody would want to miss the beginning of the concert because of strict security measures.
Be carefull guys, always hide the barcodes when you post a picture of your ticket(s) online! You never know… #Dominator
— Dominator Festival (@DominatorFest) April 4, 2015
In addition, it’s plainly dangerous to have licenses, passports or other forms of official ID out in the open at mass events — thieves can easily steal such things in the crowd. From the other side, concert managers can meet victims halfway and offer them some seats — even if they won’t be as good as those they’ve bought in advance. This approach also has its own disadvantages. Some people abuse the situation: they give their tickets to the friends to let them come in for free and go to event managers to solve the “problem”. That’s why many ticket inspectors don’t believe people with already used tickets.
Unfortunately, there is no universal solution to this problem — we would have to invent a new ticket identification system to do that. Until that time all of us should be vigilant and never publish tickets and documents online.
— Ont Police Reports (@OntPoliceReport) July 15, 2016
Is there any way to post tickets safely?
Yes, there is a semisafe way. If you want to post a ticket online you need to know what to hide. That’s why you have to be familiar with barcodes and how they work.
There are 1D barcodes used to code small pieces of information and 2D bar codes — to pack big amount of data.
1D bar code is based on the binary code. Well, ok, it’s a bit more complicated: each denary digit is formed with 7 lines which can be either white or black. Sometimes black lines are not separated with white lines thus making thicker black lines. The last bars of the code usually denote check digits, that are used to confirm the reading accuracy. Cinema, concert and airplane tickets often contain several check digits that confirm data provided in the barcode.
— Latest Hacking News (@7H3Wh173R4bb17) June 15, 2016
One of the most widespread 2D barcodes is QR-code. Mostly it’s used to quickly open websites on mobile devices, but not always: for example, you can find them on India’s IRCTC train tickets. Many flight boarding passes also contain a 2D barcode (not exactly QR, but a PDF417). Here is a good page that tells about the use of 2D barcodes for ticketing on Quora.
2D barcodes consist of black and white squares, which are – you’ve guessed it – also 1 and 0. But 2D barcodes are more complicated than 1D, as they usually have not only some check digits, but also special areas used for the cameras to recognize 2D barcodes as barcodes. For example, QR codes have these three distinguishable squares in their corners.
If you want to post tickets online you need to blur out the barcode entirely together with figures below. Though ticket inspectors use scanners to read barcodes only, criminals can recover the code from the figures given below.
Are you really going for a Coldplay gig if you haven't posted a picture of your ticket online?
— Azeem Banatwalla (@TheBanat) June 16, 2016
All in all we don’t recommend posting tickets on the Internet before the event even if you blur over the code — criminals with proper experience in social engineering can lure the missing data out of you and your surroundings. If you want to share the joy with other people you can simply write something like this: “Hi, everybody! I’m going to the Black Sabbath farewell concert!”