The outcome of this year's Super Bowl matchup between the Kansas City Chiefs and the San Francisco 49ers on Feb. 11 at the Allegiant Stadium in Las Vegas will likely remain unknown until the last down of the game.
The NFL's continuing digitization of almost all aspects of the event, from ticketing to gate access systems and virtually every other point of contact with fans, has opened new vulnerabilities and targets that its security team has had to secure.
Concerns include threats to arena security, ransomware attacks on critical systems, phishing and credential theft, and threats to personal data and other sensitive information belonging to fans, NFL employees, players, and coaches.
Preparing for the Big Game

In a conversation with Dark Reading at the beginning of the 2023/2024 season, NFL CISO Tomás Maldonado identified AI-enabled phishing attacks and deepfake audio and video scams as additions to the slew of existing security challenges the league already has to contend with.
The NFL itself has been preparing for some time to identify and assess threats to the Super Bowl-easily the most watched TV event each year-and to implement plans for dealing with them.
Last September, league officials, in coordination with 100 other stakeholders including the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), conducted a tabletop exercise in which they ran through a series of attack scenarios that together had a cascading impact on the physical systems supporting the event.
The Security Implications of Sporting Event Digitization

Karl Mattson, field CISO at Noname Security, expects API-related security issues to be a major focus for attackers this year, given the NFL's extensive digital transformation in recent years.
The most likely scenario, if an API-related attack were to happen, is a large-scale theft of NFL fans' personal information, which may include authentication or biometric data, he notes.
The same is true for advertisers who air commercials during the event and set up a new website or service to field consumer response.
Mattson points to the memorable 2022 Super Bowl ad by Coinbase, which consisted only of a bouncing QR code that pointed viewers to a promotion website the company had set up for the ad. The website crashed shortly after the ad aired because of the sheer volume of visitors.
Physical event-specific and public infrastructure to support the Super Bowl are also enabled by API-first technologies.
The stadium's 5G network, local security and emergency services, and public utility systems all use API-based services for routine operations that attackers could potentially seek to disrupt, Mattson says.
The phenomenon has created a breeding ground for new and evolving scams targeting events like the Super Bowl, says Stuart Wells, CTO at Jumio.
Exacerbating the situation is the relative lack of privacy protections in many of the betting apps that people use to make wagers during events like the Super Bowl.
A new study by data privacy company Incogni examined seven of the most popular betting apps and found that most of them collect and share private data extensively without proper disclosure.
The biggest data hog was DraftKings, which Incogni found was gathering 22 data points from users, including their precise location, contacts, messages, photos, and videos.
Betting apps from Caesars, Sky Bet, and William Hill were relatively close behind, gathering 17 data points each, including precise location, in-app search history, health information, and purchase histories.
Caesars led the rest when it came to sharing the data it collects from user devices with third parties.
Super Bowl fans should also expect a surge of fake tickets and counterfeit merchandise in online marketplaces, tempting fans with jerseys, hats, and memorabilia that look real but are cheaply made and lack official logos, Wells says.
Organizations that allow work devices to be used for personal purposes without any controls face a heightened likelihood of malware infections and phishing attacks.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 08 Feb 2024 17:25:22 +0000