Simon Clayton, chief ideas officer, at RefTech looks at how exhibition organisers can protect their events from scammers.
You may, like me, be one of a lot of people who have seen the video showing YouTuber Max Fosh “breaking into” the International Security Expo at Olympia.
The video has gone viral, and it’s not hard to see why; it’s entertaining for someone that doesn’t understand our industry. But is it an example of how easy it is to have lax security at an event or is it someone just trying to be sensationalist?
Most events encourage visitors to pre-register but it’s often possible to register online or onsite on the day of the event. With most exhibitions, visitors are issued a badge to try and ensure only registered people can get into the event – they aren’t closed events, the organisers just like to know who is there and to collect their data for lead retrieval/etc, and everyone likes to know how many people were there. The International Security Expo is not a closed event, they don’t have a vetting process for their visitors because it’s a general trade show for security products and there’s thousands of industry professionals who might want to attend to see what the latest offerings are from suppliers. So our intrepid “hacker” could have just registered on the event website and walked in anyway but that’s not “exciting” for his YouTube audience.
Instead, he fakes a badge with a jokey name and makes a big deal about gaining entry. Now the interesting bit for us in the events industry is that he faked a badge by going onto social media and looking for people who had posted photos from the event with their badges visible. In some events, this could be a serious problem but, in this case, the repercussions are pretty much non-existent.
If your event does vet the attendees or charges for entry then this should set alarm bells ringing because his approach could lead to people attending who you don’t want to be there for whatever reason, or haven’t paid for entry.
It was easy for Max to just go to social media and find people who were taking photos of themselves with their badges to see what the badge looked like. It was also easy for him to mock up a roughly right looking badge by grabbing the event logo (and sponsors logos) from the website and adding some barcodes in the right places. He then picked up a lanyard on his way in.
If he’d known a little bit about our industry, he would have realised that creating an exhibitor badge would have been just as easy and would have allowed him to just walk round pretty much anywhere – and could even have allowed him entry before the bag searches were in operation, and there’s a lot of valuable equipment sitting around on empty stands too…
In the video, Max gets very nervous when he presents his badge to the person who needs to scan him in, but he needn’t have worried; a standard scanner just records the barcodes and then the information is downloaded later. Max’s badge has two barcodes – he has faked these up with easily available online tools – the first barcode says 12345 whilst the second barcode ‘Rick Rolls’ you with a YouTube link. The scanner doesn’t react to a fake barcode, it is simply recorded. I suspect most registration companies will, like we do, get people standing around scanning cans of Coke and all sorts of rubbish. So, if you get a barcode that doesn’t follow format or isn’t valid, it’s probably just discarded. We could report on that stuff, but what’s the point? We could tell you when they were scanned and where, but we wouldn’t have an image of them, so it doesn’t help.
So, if this could impact your events, what can you do?
Ask your registration company for ‘real time verification scanning’ for your event. These are scanners that link back to a database and will verify (in real time) that the badge scanned is real, the visitor is registered and, if applicable, the admission fee has been paid. This type of scanning can also ensure that only the latest version of an attendee’s badge is allowed in so someone going to the desk having “lost” their badge doesn’t end up with a duplicate which at expensive conferences is definitely a thing.
If you have different levels of visitors who have access to different areas you can even have these scanners at the entry points of each conference room to ensure delegates can only attend the parts that they have paid for or only get one visit to lunch each day.
We also have found people turn up to events with last year’s badge or email and they often look similar but present a data protection issue if the barcode on that email now relates to someone else. To negate this, you could also ask your registration company if they can create event-based barcodes; which contain a short code that changes every year.
We have a responsibility to our visitors and exhibitors to know exactly who is entering our events. Let’s not allow Max and his cohorts to scam the scanners.