The Bots Come Out At Night

October 26, 2017

Online ticket scalping (or touting) is the act of using abusive software (known as “bots”) to automate the purchase of tickets and sell them on at inflated prices.

This practice damages the reputation of our clients, who want to offer tickets at reasonable prices. Since tickets have been available online, industrial-scale scalpers have used automated bots to systematically profit within the secondary ticket market, at the expense of fans.

Over the last few years, we’ve seen mounting public pressure putting the spotlight on those individuals and companies who profit from selling on the secondary ticket market, which is estimated to be worth over £1 billion in the United Kingdom. Meanwhile, proponents within the ticketing industry, notably the pressure group Fan Fair Alliance, are actively working to generate awareness of the problem on multiple fronts.

Legislation is beginning to catch up with scalpers too. In the United States, the Better Online Ticket Sales Act, or the BOTS Act, was signed into law in 2016. This law effectively makes it illegal to use automated software to buy tickets in order to circumvent the “control measures” used by ticket sellers. In other words, if a ticket seller has actively employed measures to stop scalpers, then you’re breaking the law by using bots to get around them. This does, however, mean that in order for ticket sellers to prosecute scalpers, they need to provide evidence that they have put adequate measures in place, as well as an audit trail of the alleged illicit behaviour.

This month Ticketmaster filed a $10 million suit against Prestige Entertainment, who are alleged to have used bots to scoop up thousands of tickets for the Broadway smash hit Hamilton, amongst other high-demand ticketed events. It is one of the first major lawsuits since the introduction of the BOTS Act, and comes after two years of monitoring and tracking automated transactions, and subsequent sales on the secondary market.

Similar legislation has been lobbied for in the U.K. Houses of Parliament, resulting in the independent report into the secondary ticketing market by Professor Michael Waterson. The U.K. moved towards criminalising the use of “digital purchasing software” with the Digital Economy Act 2017, which received royal assent in April and has now become law. It gives the Government the power to make it a criminal offence to use bots in order to bypass maximum ticket purchases set by event organisers.

So, as the gatekeeper for over $500 million worth of online ticket sales for non-profits every year, how can we at Made Media do our bit in the battle against scalpers? Let’s discuss how these bots actually work.

There are three main categories of bots that we see attempting to infiltrate our systems:

1. Drop Checkers or Spinner Bots. Most of the traffic we see is bots waiting for tickets to be released for sale. Usually, we’ve found these bots come out at night. They constantly probe ticketing pages which display availability, both before an event is due to go on sale and after the event is sold out (in case additional performances are put on sale, or new tickets are released). Amusingly, we had one bot spinning around the booking page for Kylie Minogue for months after the event had sold out. The goal of these bots is to detect when tickets are released and initiate an army of…

2. Acquisition Bots. The goal of these bots is to find the best inventory available for an event and reserve it for purchase. This is the most dangerous kind of bot, because once tickets are held in a bot’s shopping cart, they’re unavailable to other customers. The game is effectively lost at this point. As the ticket scalpers have potentially hundreds of bots at their disposal, they can effectively pick and choose the most valuable tickets for resale at leisure. Casual scalpers can finish the checkout process manually, but larger scale scalpers use…

3. Expediting Bots. Once tickets are selected to buy, scalpers use this kind of bot to automate the actual purchase: the bots log in, enter all the required information to pass through the ticket purchase path, and complete the order from a batch of credit cards. The logins usually come from a selection of pre-made accounts created in advance (also farmed using a different kind of bot), and the bots can use fraudulent credit cards for the actual purchase.

These bots are categorised and defined under OAT-005 in the OWASP Automated Threat Handbook, which goes into further detail on their characteristics and traits. Depending on the kind of purchase path, automated software may use CAPTCHA Defeat bots if necessary. These utilise comprehensive databases of image-word mappings to bypass CAPTCHA, which can be beaten easily (although we have high hopes for Google’s Invisible reCAPTCHA, which is on the horizon).

These bots are usually coordinated by a single purchasing script or custom-built software. For example, the website TicketBots sells off-the-shelf software (currently discounted at $10,000) to completely automate this process of holding inventory and purchasing tickets online via Ticketmaster.

Example user interface for executing spinner bots

We currently integrate with a number of different web solutions that identify and block traffic identified as bots. Given that we develop, host, and maintain many of our clients’ ecommerce solutions, we are well positioned to help keep inventory away from resale websites. Our CrowdHandler platform, for example, sits between customers and the ecommerce path; customers (or bots for that matter) cannot access tickets without first passing through the queue.

In computer science, the task of distinguishing between bots and genuine customers can be viewed as a classification problem: given a large multidimensional dataset, the goal is to identify the authenticity of the end user in real time. And, although it is the tech industry’s latest buzzword, Machine Learning, combined with domain-driven heuristics, could play a role in tackling this issue. We’ve found that for these AI-driven solutions to be effective, large training datasets (e.g. web traffic) are required, along with a reliable feedback mechanism to inform a learning algorithm.

One approach we are currently working on uses (anonymous) data we’ve mined, together with Artificial Intelligence and Amazon Web Services, to control the way customers are allowed through the website. Machine Learning allows us to identify patterns in bot behaviour that even the most sophisticated bots exhibit—trails they do not realise they’re leaving behind. It will better distinguish between users in the virtual queue who are bots and those who are genuine fans. And with the use of feedback mechanisms (i.e. supplying the algorithm with data confirmed to be scalpers), this prevention mechanism will learn and adapt as scalpers change their methods and strategies to circumvent detection.

In this way, CrowdHandler effectively acts like a bouncer outside your local nightclub. The algorithm scans users waiting in the queue and analyses not only multiple attributes of their identity, but also their behaviour up until the point of entering the queue. Scalpers/touts are effectively “bounced” to the back of the queue or blocked completely, allowing real fans access to tickets. And whilst we have some useful heuristic-based blocking rules in place (e.g. frequency of requests combined with number of sessions from a single IP address, user agent strings), there is certainly more experimentation to be done in order to combat the sophistication of the attacks these bots present.
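The heuristic rules mentioned above (request frequency combined with the number of sessions from a single IP address, plus user agent strings) can be sketched as follows. This is an added example, not Made Media's or CrowdHandler's code; the thresholds, function names, user agent tokens and log rows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; tune against real traffic.
WINDOW = timedelta(seconds=60)
MAX_REQUESTS_PER_WINDOW = 30
MAX_SESSIONS_PER_IP = 5
SCRIPTED_UA_TOKENS = ("python-requests", "curl", "phantomjs", "headlesschrome")

def sample_log():
    """Constructed rows: (timestamp, ip, session_id, user_agent)."""
    t0 = datetime(2017, 10, 26, 2, 0, 0)
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Firefox/56.0"
    rows = [(t0 + timedelta(seconds=i), "198.51.100.7", f"s{i % 8}", browser)
            for i in range(120)]                    # 1 req/s across 8 sessions
    rows += [(t0 + timedelta(seconds=20 * i), "203.0.113.9", "a1",
              "python-requests/2.18.4") for i in range(4)]  # slow but scripted
    rows += [(t0 + timedelta(seconds=15 * i), "192.0.2.44", "c1", browser)
             for i in range(6)]                     # ordinary customer
    return rows

def peak_rate(times, window=WINDOW):
    # Largest number of requests falling inside any sliding window.
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(log):
    """Return {ip: 'allow' | 'back_of_queue' | 'block'}."""
    by_ip = defaultdict(lambda: {"times": [], "sessions": set(), "uas": set()})
    for ts, ip, session, ua in log:
        by_ip[ip]["times"].append(ts)
        by_ip[ip]["sessions"].add(session)
        by_ip[ip]["uas"].add(ua.lower())
    verdicts = {}
    for ip, rec in by_ip.items():
        fast = peak_rate(rec["times"]) > MAX_REQUESTS_PER_WINDOW
        many = len(rec["sessions"]) > MAX_SESSIONS_PER_IP
        scripted = any(not ua or tok in ua
                       for ua in rec["uas"] for tok in SCRIPTED_UA_TOKENS)
        # Both signals together block; one signal alone only demotes, since
        # shared IPs (offices, mobile NAT) can trip a single rule by themselves.
        if fast and many:
            verdicts[ip] = "block"
        else:
            verdicts[ip] = "back_of_queue" if (fast or many or scripted) else "allow"
    return verdicts
```

Calling `classify(sample_log())` blocks the address that is both fast and multi-session, demotes the scripted client, and lets the ordinary customer through.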

So, the battle against bots is an ongoing one. Legislative action is allowing primary ticket sellers (who have preventative measures in place) to seek the prosecution of scalpers/touts, who could be subject to unlimited fines or incarceration. Greater transparency of sellers on secondary ticket markets will help us develop better algorithms for stopping scalpers at the box office. There are other fronts opening up in this fight too, for example Ticketmaster’s Paperless Ticketing program, which challenges how we identify ticket holders at point of entry. All of this provides incentive to invest in and enhance our tout/scalper detection system, with the aim of protecting the reputation of our clients.