Erik van Straten<p>To answer my own question: the barcode (actually a 2D QR-like code) appears to use some kind of TOTP [1] mechanism, as used by apps such as Google Authenticator, Twilio Authy and Microsoft Authenticator.</p><p>Effectively, a ticket is some big number (probably randomly created by the server) that only computers get to know; it is a "shared secret", aka a "seed".</p><p>If you use the Ticketmaster app, such a number will be stored on your phone (and on their server).</p><p>If you use their *webserver* to generate your barcode at the entrance of the event, that number is retrieved by the webserver from the ticketing server, after you've logged on to the website (each of your "tickets", those big numbers, is tied to your Ticketmaster web account).</p><p>Every 15 seconds that "seed" number is, *combined* with the current date and time, "hashed" (*) to generate a new, semi-random, number (either by the app on your phone or by the Ticketmaster webserver). *THAT* resulting number is used to create the barcode, and therefore it will look entirely different every 15 seconds.</p><p>(*) Using cryptography: a kind of blending that will always create the same result if the input is the same - but in such a way that (assuming long, impossible to guess inputs) you cannot retrieve the input from the output; cryptographic hash functions are *one-way* algorithms.</p><p>Important note: TOTP apps also use barcodes, but for an entirely *different* purpose - that is, to transfer the -static- shared secret (seed) from the server to the 2FA Authenticator app on your phone. 
That barcode is comparable to your password: if a thief can steal *such* a "second factor" barcode, they only need your user ID and password to access your "MFA protected" account.</p><p>So, Ticketmaster is right: there's no risk of "ticket loss" for their customers if the attackers only copied *barcodes*.</p><p>HOWEVER: the remaining, IMO fundamental, question is: did the cybercriminals *also* manage to copy the big random numbers, the "seeds" that *statically* represent the tickets?</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@BleepingComputer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BleepingComputer</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@lawrenceabrams" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>lawrenceabrams</span></a></span> </p><p>[1] <a href="https://www.protectimus.com/blog/totp-algorithm-explained/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">protectimus.com/blog/totp-algo</span><span class="invisible">rithm-explained/</span></a> (I particularly liked this image from that page: <a href="https://www.protectimus.com/blog/wp-content/uploads/2020/06/TOTP-algorithm-explained.png" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">protectimus.com/blog/wp-conten</span><span class="invisible">t/uploads/2020/06/TOTP-algorithm-explained.png</span></a>)</p><p><a href="https://infosec.exchange/tags/Ticketmaster" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ticketmaster</span></a> <a href="https://infosec.exchange/tags/Breach" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Breach</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a 
href="https://infosec.exchange/tags/AuthenticatorApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AuthenticatorApps</span></a> <a href="https://infosec.exchange/tags/Seeds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Seeds</span></a> <a href="https://infosec.exchange/tags/Swifties" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Swifties</span></a> <a href="https://infosec.exchange/tags/Concerts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Concerts</span></a> <a href="https://infosec.exchange/tags/BarCodes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BarCodes</span></a> <a href="https://infosec.exchange/tags/QRCodes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QRCodes</span></a> <a href="https://infosec.exchange/tags/Concert" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Concert</span></a> <a href="https://infosec.exchange/tags/BarCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BarCode</span></a> <a href="https://infosec.exchange/tags/QRCode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>QRCode</span></a></p>
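<p>The mechanism the post describes, modelled as an added example (this is not code from the post, nor Ticketmaster's; the 20-byte seed is the RFC 4226/6238 test key standing in for a server-generated ticket seed, the "ticket_id:code" barcode layout, the 8-digit code length and the one-window clock slack at the gate are all assumptions for illustration, and the actual Ticketmaster encoding is not known from the post). The TOTP arithmetic itself is standard RFC 6238 over HMAC-SHA1, only with a 15-second step instead of the usual 30. The two helper functions at the end show the distinction the post ends on: a copied barcode stops validating once its window has passed, while a copied seed lets an attacker mint a fresh, valid barcode for any moment.</p>

```python
"""Toy model of a time-rotating entrance barcode built on TOTP.

Added example, not Ticketmaster's code. The seed, ticket id, barcode layout
and gate-side clock slack below are constructed assumptions; only the HOTP
(RFC 4226) and TOTP (RFC 6238) arithmetic is standard.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 15   # rotation interval the post observed (RFC default is 30)
DIGITS = 8

# RFC 4226/6238 test key (ASCII "12345678901234567890"), used here purely as a
# constructed stand-in for the big random per-ticket "seed" the post describes.
EXAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(seed, unix_time // step, digits)


def barcode_payload(ticket_id: str, seed: bytes, unix_time: int) -> str:
    """What the phone app (or the web server) would encode into the 2D code.
    The "ticket_id:code" layout is an assumption made for this example."""
    return f"{ticket_id}:{totp(seed, unix_time)}"


def verify_scan(seed: bytes, payload: str, expected_ticket: str,
                unix_time: int, skew_steps: int = 1) -> bool:
    """Gate-side check: the ticket id must match and the code must equal the
    TOTP for the current window or one window either side (clock slack)."""
    ticket_id, _, code = payload.partition(":")
    if ticket_id != expected_ticket or not code.isascii():
        return False
    base = unix_time // STEP_SECONDS
    # constant-time comparison per candidate window, as a server should do
    return any(hmac.compare_digest(hotp(seed, c), code)
               for c in range(base - skew_steps, base + skew_steps + 1))


def stolen_barcode_still_valid(seed: bytes, ticket: str,
                               copied_at: int, presented_at: int) -> bool:
    """Attacker copied only a barcode image at copied_at and shows it later."""
    copied = barcode_payload(ticket, seed, copied_at)
    return verify_scan(seed, copied, ticket, presented_at)


def stolen_seed_still_valid(seed: bytes, ticket: str, presented_at: int) -> bool:
    """Attacker copied the seed itself: they can mint a fresh code for any time."""
    fresh = barcode_payload(ticket, seed, presented_at)
    return verify_scan(seed, fresh, ticket, presented_at)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed Unix timestamp
    print("barcode now    :", barcode_payload("TKT-0001", EXAMPLE_SEED, t0))
    print("barcode +15 s  :", barcode_payload("TKT-0001", EXAMPLE_SEED, t0 + 15))
    print("copied barcode, scanned 2 min later:",
          stolen_barcode_still_valid(EXAMPLE_SEED, "TKT-0001", t0, t0 + 120))
    print("copied seed, scanned 2 min later   :",
          stolen_seed_still_valid(EXAMPLE_SEED, "TKT-0001", t0 + 120))
```

<p>With the RFC test key, <code>hotp(EXAMPLE_SEED, 1)</code> is the published vector 94287082, so the functions can be checked against RFC 6238 Appendix B before the step is changed to 15 seconds. The point of <code>verify_scan</code> accepting neighbouring windows is that a phone and the gate scanner never agree on the time to the second; that slack is also the only reason a copied barcode keeps working for a few seconds past its window, and nothing beyond that.</p>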