Social Engineering at the Superbowl

Two Irish men easily defeated the complex, coordinated security efforts at the Superbowl with nothing more than a smile. What can security leaders learn from their sneak-in success?

Richard Whelan

As someone who is, at most, ambivalent about sports, living in Massachusetts – an area that is known (just slightly) for several championship teams and fanatical sports fans – means generally feeling like the one kid left out of the joke most of the time. 

No, no, I don’t HATE sports. I’ll take my kids to a game any day – I just enjoy the snacks at the arena more than the actual sporting event.

And, no, it’s no burden to live in so-called Title Town while largely ignoring all of the titles, but I will admit to enjoying the eventual quiet (lack of sports talk) that arrives for a few months after the flurry of baseball and football seasons is over, and while only a handful of people, like my husband, actually pay attention to the Bruins. And sometimes the Celtics.

So today, with the Superbowl over and another Patriots title secured, as my fellow Bay Staters (that’s the POLITE way to refer to a Massachusetts resident) watched the Patriots victory parade roll down the main streets of snow-clogged Boston, I quietly got my work done, blissfully ignoring the celebration. Then, this headline catches my eye:

Two ticketless but 'super confident' fans sneaked their way into $25,000 seats at the Super Bowl

And once again I am drawn back in – much as I’d prefer not to be.

Here’s the story:

Apparently these blokes (yes, I probably sound ridiculous using the word ‘blokes’) flew to Arizona from their native Ireland, hoping to purchase Superbowl tickets on site. They had no luck – so instead snuck into the arena with a group of First Aid workers and managed to look confident and comfortable enough that no one questioned them. According to the two guys, who proudly posted pictures of themselves all over Twitter, their tactic was simply to act “superconfident” - and it paid off in the form of free admission to one of the most expensive annual events in professional sports.

They proceeded to seat hop for a bit until they were ultimately tipped off by someone else in the stadium to two open seats in the fourth row. Seats that were going to be vacated at the half-time show and that typically sell for $25,000 each. The two enjoyed the rest of the game in those seats, sitting next to former Superbowl champion Lawyer Milloy. Wow.

Why do I care? Because it’s an important security lesson.

Security at the Superbowl is a massive, expensive, coordinated effort that includes state, federal and local law enforcement and organizations. The planning and work that goes into securing thousands of fans and players each year is long and intense - and yet it only took two determined Irish guys with a will and a smile to poke through it.

That’s troubling.

The guys who snuck in employed one of the most basic social engineering tools there is: confidence.

As Chris Hadnagy, social engineering expert and Chief Human Hacker at Social-engineer, Inc., notes, the sneak-in wasn’t particularly sophisticated, but it didn’t need to be.

“This is classic social engineering,” said Hadnagy when I asked him about it. “They looked for an opportunity and took it, walking in with a group that was allowed.  This gives them automatic trust, and once inside they are already ‘accepted’ as part of the tribe.  These accounts are funny to read, but the same principles are used when a malicious attacker bypasses security.”

Social engineering has been the reason behind several high-profile breaches in recent years, including those that impacted RSA and eBay. And in this week’s CSO Insider, we examine how corporate insiders gain access through social engineering and confidence that leads them to sensitive assets, which they then sell for profit to competitors. Social engineering is not often complex or technical, but it is often one of the most effective ways to breach corporate assets.

Who looks confident and comfortable in your organization, but might not belong? Best to take a second, or third, look before someone sits in your $25,000 seat without permission.

Copyright © 2015 IDG Communications, Inc.
