The Olympics is the most highly attended, complex event in the world. Learn how the people attending the games can ensure they don’t fall victim to mobile scams, malware, and related data risks.

July 12, 2024


Paris Olympics

(Credits: Shutterstock)

Zendata’s CEO, Narayana Pappu, examines and shares insights into some key cybersecurity risks and considerations for the Paris Olympics 2024. The article discusses pre-Olympics data risks, data risks during the Olympics, and the role of AI.

As the world gears up for the Paris Olympic Games 2024, attention turns to the athletic feats that will be on display and the massive cybersecurity challenges of hosting such a high-profile international event. With nearly 3 million spectators expected to attend the 329 events held over a 6-week period, spending an estimated $4 billion, the stakes for cybersecurity are higher than ever.

Olympics have increasingly become a major target for cyber attacks. The Tokyo Olympics 2021 saw a staggering 450 million attempted cyberattacks – a 2.5x increase from the London Olympic Games 2012. For bad actors, the Olympics present an enticing combination of factors: large crowds, a highly distributed event staff with limited physical presence, and zero margin for error or downtime once the events begin. Let’s examine some key cybersecurity risks and considerations for Paris Olympics 2024:

1. Pre-Olympics Data Risks

Cybercriminals are already on the prowl even before the Olympic torch is lit. Fraudulent websites and mobile apps posing as official ticketing or hospitality services aim to steal eager fans’ financial data and personal information. These sites often use domain names that closely mimic official Olympics domains and leverage SEO techniques to rank highly in search results. To date, organizers have identified 77 fake ticket resale sites attempting to scam attendees.

Similarly, sponsors and partners who do not use email authentication tools like DMARC, SPF, and DKIM are at high risk of being impersonated in phishing campaigns. These technical standards help verify that an email came from the claimed sender. Without them, attackers can easily spoof legitimate email addresses to trick recipients.

Some techniques used for domain spoofing:

  • Domain spoofing: Registering domains closely resembling official Olympics websites (e.g., paris2024tix.com). Attackers can then create convincing fake login pages to steal credentials.
  • URL shortening and redirects: Using services like Bitly to create shortened links that redirect to malicious sites, making it harder for users to spot a fake URL.
  • HTML email spoofing: Crafting emails with forged sender addresses and official-looking HTML templates to make them seem legitimate.
  • Lookalike Unicode domains: Registering domains with Unicode characters that visually resemble ASCII characters (e.g., using Cyrillic “a” instead of Latin “a”). This can trick users into thinking they’re on a real Olympics site.

Protective measures: Only purchase tickets from the official Paris Olympics 2024 website and mobile app. Be wary of unsolicited emails claiming to be from the Olympics or sponsors, especially if they request personal data or contain suspicious links. Organizations involved with the Olympics should implement strict email authentication protocols and educate employees about phishing tactics.

2. Data Collection Risks During the Olympics 

Once the games begin, a wide range of technologies will be deployed to manage the event and enhance the fan experience. However, each digital touchpoint introduces new potential vulnerabilities:

Apps

Official Olympics apps have a history of security flaws and excessive data collection. For example, the Beijing Winter Olympics app was found to have serious vulnerabilities Opens a new window that could have allowed attackers to access sensitive data. Cybersecurity watchdogs will closely analyze Paris 2024’s applications for insecure data transmission, unencrypted storage, or overly broad permissions.

Attackers may attempt to distribute malware disguised as legitimate Olympics-related applications or sneak malicious code into official app stores.

Some common techniques used to accomplish this:

  1. Trojanized apps: Taking an existing, legitimate app and injecting malicious code into it before repackaging and distributing it. The added code could steal data or download further malware.
  2. Fake app stores and sideloading: Setting up fraudulent app repositories claiming to offer Olympics apps. If users allow app installations from unknown sources, they could unwittingly sideload malware.
  3. Supply chain attacks: Compromising the software supply chain of legitimate Olympics apps to insert malicious code that ships with the official app.
  4. Drive-by downloads: Exploiting browser or operating system vulnerabilities on websites to automatically download malware without any user interaction.

WiFi

Public WiFi networks at venues are notoriously insecure. Threat actors could attempt to intercept data transmissions using “man-in-the-middle” attacks or distribute malware through compromised access points. To combat this, organizers will likely deploy WPA3-encrypted networks and use captive portals to authenticate users. However, fans should still be cautious. Some other techniques that could be used:

  1. Downgrading HTTPS connections to plain HTTP, allowing the attacker to read or modify supposedly encrypted traffic
  2. Captive portal phishing involves mimicking the login page that appears when connecting to the official Olympics WiFi and tricking users into entering their credentials.
  3. Evil twin WiFi: Setting up a malicious wireless access point with the same name (SSID) as an official Olympics WiFi network. Users may connect to the rogue AP, allowing the attacker to intercept all their traffic.

Facial recognition and other biometric identification systems

While potentially adding a layer of physical security, they also collect highly sensitive personal data that must be secured. If hackers breach the databases where this biometric information is stored, it could be sold on the dark web or used for identity theft. Recent research has also uncovered racial and gender bias in many commercial facial recognition algorithms, leading to cases of misidentification.

Location tracking via smartphone apps, wearables, and venue beacons

These allow organizers to analyze crowd flow. However, it also generates sensitive data that must be anonymized and secured. If exposed, this location data could enable stalking or be used to infer sensitive details about an individual’s activities and associations.

Attendees should:

  1. Avoid transmitting sensitive data like passwords or financial details over public WiFi
  2. Consider using a trustworthy VPN service to encrypt traffic
  3. Be judicious about granting location permissions or using facial recognition check-ins. 
  4. Consider using a “burner” phone with only essential apps installed. This can help compartmentalize data. It is also wise to provide minimal real info when setting up accounts or profiles.

3. The Role of AI at Olympics

Artificial intelligence will play a larger role than ever at Paris 2024, but it’s a double-edged sword from a cybersecurity perspective:

Benefits of AI

  • AI-powered network monitoring tools can rapidly detect anomalous activity that may signal an attack, allowing for faster response. ML models trained on past threat data can predict and proactively block emerging exploits.
  • Intelligent automation via SOAR (security orchestration, automation, and response) platforms could help overwhelmed security teams manage the high volume of alerts associated with an event of this scale. AI can streamline workflows and decision-making.
  • AI-enhanced surveillance and anomaly detection can bolster physical security by identifying suspicious behavior or objects in real-time. Computer vision algorithms can spot security risks that human eyes may miss in the bustling Olympic environment.

AI Risks

  • Thanks to AI-generated content, social engineering scams, such as phishing emails and fake websites, are becoming increasingly sophisticated. Large language models like GPT-4 can craft extremely convincing text optimized to deceive. Scammers may use AI to generate fake news articles, social media posts, or even cloned voices to boost the credibility of their lures.
  • Deepfake videos, created using AI techniques like autoencoders and GANs, could spread disinformation or cast doubt on the integrity of the games. For instance, a deepfake could falsely depict an athlete cheating or make it seem like a judge was bribed. In an international event with so many moving parts, quickly distinguishing fake content from reality may be difficult.
  • If not configured securely, chatbots and virtual assistants deployed for Olympics customer service could be prone to “hallucinations” or exploited to harvest personal data. Like Microsoft’s Tay bot, which was influenced to spew hate speech, an AI chatbot without proper safeguards could be hijacked to spread misinformation or offensive content. Generative AI’s ability to create highly realistic fake content raises the stakes significantly.

France’s planned use of AI-powered surveillance tools also raises red flags among privacy advocates. While billed as necessary for physical security, the government’s exceptions to facial recognition bans tend to long outlive the events used to justify them. There is a valid concern that intrusive surveillance erected for the Olympics will simply become the new normal afterward, enabling the tracking of citizens without their knowledge or consent.

To mitigate AI risks, Olympics organizers must implement robust content moderation, verifying the integrity of videos and images using tools like digital watermarking. AI systems should be rigorously tested for security flaws and bias before deployment. Facial recognition use must come with strong restrictions on data retention and sharing. Transparency around AI use and data practices is key to maintaining trust.

Conclusion

Paris 2024 organizers face an immense cybersecurity challenge in delivering a successful, safe Olympics. With cyber threats growing in volume and sophistication, robust digital security measures informed by previous incidents and emerging threats are essential. The Olympics’ technology partners must work together to implement defense-in-depth, focusing on agile threat detection and rapid incident response.

MORE ON CYBER RISK MANAGEMENT

The Data Driving Your Business Risk: How to Measure Your Company’s Cybersecurity Exposure
The State of Cybersecurity and Cybercriminals a Year After the Explosion of LLMs
Retail Cyberattacks: Avoiding an Unexpected Single Point Of Failure

Narayana Pappu

Narayana Pappu started in Data Science at Fannie Mae before the term existed. He was tasked to build a better home price index than what was available in the market. For 15 years after that, at PayPal, Coinbase, and Doctor on Demand, he built and scaled low-latency and high-volume internal investigation, graph, and entity resolution tools for risk management and compliance. He also launched consumer/merchant lending solutions in the US, UK, and Germany with over 5 billion dollars in annual transaction volumes each. And drove projects around data monetization with partnerships between PayPal, advertising, and payment networks; his expertise lies in building complex data solutions that are easy to implement, use, and generate incremental value.