Unnecessary information when booking a ticket - being set up for identity theft?

Today I wanted to book an on-line ticket to see the Melbourne International Flower and Garden show. I was directed to the INTIX ticket site. To buy a ticket you had to create an on-line account, which I thought was unnecessary but because I know exactly how bad the queues during the show I decided to make an account. In order to pay you need to put in your date of birth and gender as well as your credit card details and address, email address and phone number.

I found the request for date of birth and gender totally unnecessary and potentially setting one up for identity theft if the company was hacked. If Medibank, Optus etc and today Financial Latitude have been hacked it looks like any company could be hacked. I was in the Medibank hack and it has left me feeling very vulnerable. Consequently I did not carry on with the booking.

I emailed the company about it and was told “these are questions required by the government to translate demographics to the event” and that " the question of date of birth and identify as has been a question on each purchase process for the last 7 years (minus the two years it didn’t happen due to COVID)".

I have attended many other events where I have booked on-line included cultural events such as RISING, the Melbourne Symphony Orchestra and this has not been a requirement.

Does anyone else see this as a security risk and is there anything else one can do about it other than not booking on-line?

18 Likes

I see it as collecting additional unnecessary information about a consumer.

The comment ‘these are questions required by the government to translate demographics to the event’ is interesting as I am finding more and more that non-critical government forms allow one to opt out of providing such information. Usually there is an option ‘Prefer not to say’ Likewise with surveys and such like. If the government don’t need to collect such information for non-critical forms, why is a ticket seller do such as using this as an excuse.

For things like plane tickets I can see why DoB/some identify information is required to verify the passenger is who they say they are when checking in (esp. in the world we currently live), but DoB for an International Flower and Garden show is an overkill and seems to be data harvesting. If it was mandatory, I would be like you wouldn’t pre-book tickets and would instead try and purchase on the day at the venue where possible…or put in false information if I wanted to go and couldn’t avoid providing the information to get tickets.

12 Likes

In considering the risk it’s important to determine where the ticketing agency is based, and also the promoter or related parties.

The following suggests INTiX is owned by a European equity company.
https://www.crunchbase.com/organization/intix

It’s not unique?
From another booked event, in this example one organised by Eventbrite for ASIC, attendees received advice re the booking including,

For those who read from the link, date of birth was not required for a booking.

6 Likes

I call BS but

Just lie.

See previous. :wink:

7 Likes

There seems to be an Australian branch, INTiX Australia. Somewhere in the two longish documents you are supposed to read and immediately comprehend and agree to; before creating an account they claim not to send your data overseas without permission… sure I believe it;) How could I prove it if they did, anyway? So I guess they could claim the same as Eventbrite. Though why a company operating in Australia does not need to comply with the laws of a country it operates in I don’t know.

I couldn’t find any other company selling tickets to the Melbourne International Flower and Garden show.

4 Likes

Just a quick review of all the information:

date of birth

high risk for identity theft - you need to lie

gender

low risk for identity theft - pretty meaningless these days - always choose the “extra” options if they are available (and a lot of government stuff these days is giving those extra options or not asking at all)

credit card details

obviously some financial risk, depending on whether the organisation is “best practice” or “rubbish” - usually unavoidable if you have to pay (and you are booking online)

address

If this is a billing address then fair enough (to go with the CC details)

email address

Sometimes stated as mandatory but not really important as you can have as many different email addresses as you can be bothered creating. Often captured for spam purposes.

phone number

If unavoidable then try to give a fixed line number (if available) so that they can’t spam you forever / to reduce risk of misuse.

7 Likes

It appears tickets are available at the gate…

3 Likes

For a premium price and not guaranteed?

I’ve joined the queue at similar events, some with no fee to enter. Ticketing and entry has still been subject to a registration process where one surrenders various personal details. It’s data collection which seems to have broad reach.

In the instance of the ticket conditions of sale and entry to the Melbourne Flower Show include,

There’s little to clarify whether any personal data or registration is required for a ticket purchase at the gate. I’d suggest on previous experience at other like events it’s probable.

3 Likes

Only the high tea tickets are nominated as having limited numbers. Similar information isn’t outlined for general entry tickets. Looking at some of the days, High teas and some workshops are already sold out.

Pricing isn’t provided so one doesn’t know how much of a discount there is for pre-purchase tickets. I also don’t know if there is a online booking fee which would erode any savings.

5 Likes

I am not adverse to real security measures such as scanning bags.

MIFGS is supposed to be cashless so they can collect any data that goes with our card anyway. Places like the zoo ask for your postcode.

If age data had been asked via a questionaire with an age range I would have filled it in but a DOB seems ridiculous. I can easily understand why people put in a fake age just to continue.

6 Likes

If I feel that the information is being unjustifiable requested I take great delight in creating mis-information just to thwart their systems. In the eyes of many organisations I must be the oldest person on the planet, having been born in 1900. Likewise for gender or anything else that’s being requested purely for marketing purposes, and is a compulsory question, just enter garbage.

11 Likes

You can always use a false date of birth wherever a real DOB is not really required or punishable.
Choose a false date that is easy to remember and use it whenever the need arises. This way, if you are ever required to type in your false DOB, you can remember what it was.
Examples:
5/6/78
11/11/2011
There are now other options for sex as well.
BB

5 Likes

Yes, although the options can vary between questionnaires. Some include an option “would rather not say”. Similar answer for age. Others have the option “other” and may or may not request an answer.

1 Like

For what it’s worth I NEVER give my correct date of birth for anything apart from secure government sites, I use the wrong month and/or a different year.
I too am concerned about identity theft and so far so good.

10 Likes

What I do is provide a consistent but incorrect date of birth to any organization that I think should not need to know my date of birth but asks for it. This does create a bit of confusion on Facebook.

6 Likes

I am fully equipped with a consistent fake name, DOB, and an email address which does not reveal my real identity. I will use some or all of these if the occasion demands. The email address is specifically for emails which could become a nuisance. Most organisations seem to give no real thought about determining which data is necessary, they just think about what they’d like to have.

6 Likes

I would certainly agree with providing a false DOB where I consider this unnecessary information, but I’m not so keen on the “consistent” approach. Consider that DOB may be used as a factor when verifying your identity later, so if your fake DOB has been harvested from one site it may be used to verify you on another. I prefer unique rubbish information, for the same reason I prefer unique passwords for every site I register with, and my “password safe” software is full of all such info.

4 Likes

I also had problems booking through Intix for the flower show. I booked on 2 Feb but the program failed after it took my Amex number & would not accept my mobile phone number. My Amex account was debited but no tickets in my Intix account. I complained & got standard acknowledgements but no tickets. I then got emails asking “did you forget your MIFGS tickets”. Still no tickets. On 20 Feb I advised that I would dispute the Amex debit with Amex & the debit was deleted. In March I started the process again on my iPad & was successful. My 1st attempt I was using Firefox on my desktop while my iPad uses Safari so perhaps Intix used popups that are blocked by Firefox but allowed by Safari?

I never give my correct date of birth. It is not needed except for marketing.

I never give my full first name. Just my initial as this matches my credit card.

I never allow a website to store my credit card details.

I have now deleted my Intix account.

If I receive any future marketing emails from Intix I will mark them as “junk”.

I do not recommend Intix & their customer service was useless.

7 Likes

Good point, @duncan. If you’re going to use a fake DOB, make it a different one for every account. The consistency should be in how you select the fake date, not the date itself.

For example: use a random birthdate generator like https://theonegenerator.com/generators/date/birthday-generator/ - and keep a record of which birthdate you’ve used on which site … :slightly_smiling_face:

1 Like

Some password managers also allow notes to be added to the login/website URL. This is useful for adding information such as email address, DoB, alias etc used for particular websites. We use ours for this as you can also store information even if a website doesn’t need login credentials.

2 Likes