Bots For Buying Tickets
Everything you need to know about ticket bots – Queue-it
3. Who uses ticket bots?
When you think of the people behind ticket bots, you probably conjure up images of a hacker or criminal type, camped out in a basement. But the reality is different. For example, hospitality agencies can use ticket bots to snag premium seats to include in their package deals.
There are five main types of ticket bot operators, each with their own objectives.
Who launches bots
Bot objectives
Ticket brokers
Scrape ticket details
Continuously scanning seat map inventory for newly released seats
Instantly purchase any available tickets for resale
Individual scalpers
Hospitality agencies
Continuously scanning seat map inventory for premium seats
Instantly purchase best-available tickets for resale
Corporations
Criminals
Take over accounts to steal tickets or transfer to another account
Conduct credit card fraud and loyalty program fraud (e. g. sports team season ticket holders)
4. Are ticket bots illegal?
Online ticketing bots have been around for at least 20 years. But it’s only in the last 5 years that governments have begun targeting bots with legislation. Depending on where you live, online ticket bots might be illegal—at least technically speaking.
United States
In 2016, the U. S. Congress passed the Better Online Ticket Sales (BOTS) Act. It made it illegal to buy tickets to events by evading security measures and breaking purchasing rules set up by the ticket issuer. It also banned the resale of such illegally bought tickets.
RELATED: How the BOTS Act Impacts the Ticketing Industry [Webinar]
European Union
In April 2019, the European Union Parliament voted to ban the use of ticket bots, either to buy tickets for resale or “to bypass any other technical means put in place by the primary seller to ensure accessibility of tickets for all individuals. ” It also requires professional resellers to identify themselves on online marketplaces.
The legislation marks the first EU-wide legislation on the topic, and also leaves the door open for member states to pass additional laws regarding ticket resale (several already have such laws). The Council of the EU adopted the legislation in November 2019, so EU member states will now have two years to transform the regulations into national law.
United Kingdom
In 2017, the U. K. passed a law that outlaws ticket bots used to exceed ticket purchase limits and requires secondary sellers to provide a unique ticket number with details of seats or standing location.
Australia
In 2017, the Australian state of New South Wales passed anti-bot legislation, which also included a resale cap at no more than 10% over the face value of the ticket. The following year, the state of South Australia ratified the Fair Trading (Ticket Scalping) Amendment Bill to crack down on ticketing bots.
Canada
Although there isn’t yet a nationwide ticket bot law in Canada, several provinces have passed or are considering legislation.
In 2017, Ontario province passed the Ticket Sales Act, which bans tickets from being resold at more than 50% above the face value and makes it illegal to knowingly resell tickets that were purchased by bots.
In 2018, Alberta province implemented their own ban, and British Columbia followed suit in 2019 with their own Ticket Sales Act, which also bans speculative ticket resale where the reseller doesn’t have the ticket in his or her possession.
5. Has legislation been effective?
Enforceability isn’t easy
Enforceability is an ever-present issue with ticketing legislation. Just because a law is on the books doesn’t mean it’s followed. Strong enforcement is necessary to curb illegal behavior.
Indeed, when the Ontario ban originally passed, attorney general Yasir Niqvi acknowledged the difficulty of enforcing the bot ban, as many bot operators are located outside of the province. He cited the 50% resale cap as an easier enforcement tool. Two years later, in 2019, Ontario’s government rolled back the 50% resale cap, saying it wasn’t enforceable.
Similarly, in the U. the BOTS Act’s bark has been worse than its bite. In 2018, two year’s after the BOTS Act’s passage, the Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement.
Even when the law was passed, the Congressional Budget Office judged it unlikely that substantial enforcement would take place.
“CBO estimates that [revenues from civil penalties] would be insignificant because of the small number of cases that the agency would probably pursue. ”
The first (and so far only) BOTS Act enforcement action took place in 2021, when 3 New York-based ticket resellers were fined $31 million for buying more than 150, 000 tickets, circumnavigating Ticketmaster’s purchase limits and reselling for millions of dollars.
The financial incentives are too lucrative
Using bots to scalp tickets is a perfect example of rent-seeking behavior (economist talk for leeching) that adds no benefit to society. But as long as there’s a secondary market to sell tickets at markups of over 1, 000%, bad actors will fill the void to take advantage.
Indeed, the U. ticket resale market alone has ballooned to $5 billion. Ticketmaster reported that it blocks 5 billion bot attempts every month. The financial incentive is simply too strong and the threat of legal action too weak to stop malicious bot operators.
Legislation can’t keep up with the technology
In such a rapidly evolving space, legislation becomes outdated as soon as it’s passed. The U. BOTS Act, for example, doesn’t appear to apply to people who purchase tickets where they’ve only used bots to reserve the tickets (as Denial of Inventory bots do). The newest iteration of bots will continue to outpace and outmaneuver the legal roadblocks.
It’s clear that the ticketing industry cannot rely on legislation to solve the ticketing bot problem. The onus remains on venues, ticketing organizations, and online platforms to defend against malicious bots during online ticket sales. And companies that aren’t perceived as doing enough to battle bots are playing with fire. Public outrage can quickly turn on such organizations, and potential legal actions can follow in its footsteps.
RELATED: The Battle Between Bad Bots and Ticketing [Webinar]
6. How do you beat bad ticket bots?
Ticketing was the first industry to suffer the plague of bots. And given the fortune that successful bot operators can make, ticketing bots aren’t going away anytime soon.
We’ve seen limited impact from ticket bot legislation thus far. So ticketing organizations are best positioned to adapt to the constantly evolving bot threat.
A full-fledged plan to deal with ticket bots must span several levels, from concrete technical tactics to comprehensive bot mitigation solutions to larger ticketing strategy.
Detailed monitoring
Monitoring is key because behavior is what helps you tell real fans from bad bots.
For example, we know the majority of stolen credentials fail during a credential stuffing attack. So, if you have monitoring that reports a sudden spike of traffic to the login page combined with a higher than normal failed login rate, it indicates account takeover attempts by bots.
Another example is if there is a high concentration of visitors using the same IP address. At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address. The bots are trying to simulate real users on a massive scale but getting unique IP addresses is an additional step that not all bot operators take.
Bot mitigation solutions
Bots have changed the economics of the ticketing business, so ticketing organizations need to change the economics of bot attacks. That means targeting each bot attack vector and increasing the costs bot operators incur in order to overcome the protections.
On account creation, for example, bot mitigation tools validate biometric data like mouse movements, mobile swipe, and accelerometer data to distinguish bots from real users, and then feed that data into machine learning algorithms. You can also block or enforce Google’s reCAPTCHA on traffic from known bot hosting providers and outdated browsers typically used to run ticket bots.
During the onsale itself, you can target the speed and volume advantages that bots enjoy. A tool like a virtual waiting room can help neutralize both. Bots that arrive before the onsale starts are placed in a pre-queue together with legitimate users. When the event launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.
Ticketing organizations can require visitors to enter known data, such as a membership number, to enter the virtual waiting room. Combining known data like this makes impersonating real users exceptionally expensive and complex, and is thus a powerful way of combating bots’ volume advantage.
Finally, you can implement bot mitigation tactics on the ticket payment step similar to how you would on account creation to flag brute-force attacks like carding or card cracking. Stopping fraudulent account creation also helps prevent online card fraud.
New (and old) ticketing strategies
Shifts in ticketing strategies can play an equally vital role in battling bots. We’ve already seen several examples where ticket bot regulations also include caps on ticket resale prices to remove some of scalpers’ financial incentive.
With the expanded adoption of smartphones, mobile ticketing is a promising strategy to curb scalping. The paper ticket is “this paper entity that can be spoofed and subject to fraud, ” says Kristin Darrow, senior vice president at Tessitura Network. Mobile ticketing puts more control measures in place, such as tracking the transfer of tickets and limiting sales by geographic area. In 2019, Spanish festival Primavera Sound became the first major music festival to go completely mobile with their ticketing, and has features like a QR code that only appears two hours before the concert to keep tickets from being sold on secondary markets.
What’s old is also new again. Paperless ticketing—where the purchaser uses his or her credit card and a form of ID to enter the event instead of a ticket—”has been around for over 25 years, ” says ticketing insider Ian English. The strategy certainly has tradeoffs, in that it is rigid and can be difficult to transfer tickets or purchase on behalf of someone else. But it has documented effectiveness in battling scalpers and reducing tickets on the secondary market. High-demand shows like Hamilton continue to experiment with the approach.
7. Restoring fairness to online ticketing
The ultimate goal is to restore fairness to online ticketing. Here’s how Edward Roberts, Director of Product Marketing at Distil Networks (now part of Imperva), describes what fairness means to the different players in the ticketing industry:
For a fan, a fair experience is getting the same chance as any other fan to purchase available tickets at face value.
For an artist, it is getting tickets into the hands of enthusiastic fans into their shows.
For a ticketing company, it’s providing access to real humans to purchase the available tickets and eliminating any automation from abusing the system and ruining the ticketing buying experience for real fans.
With public outcry and artists’ frustration over ticketing bots at a boiling point, organizations that don’t take the problem seriously do so at their own peril.
But if you’re a ticketing organization and are committed to stopping ticket bots, there are tools and strategies at your disposal. Combined, you can tailor them to the unique angles of attack during each stage of the ticket-buying process to give you the best chance of achieving successful, bot-free onsales.
(This post has been updated since it was originally written in 2019).
FTC’s first BOTS Act cases: Just the ticket to help protect consumers …
By: Lesley Fair | Jan 22, 2021 12:09PM
Remember live music? Remember the thrill of enjoying a performance or sporting event with a packed house of fans? As we look forward to a return to in-person entertainment, it’s easy to forget the frustration of trying to buy tickets as soon as online sales opened only to be shut out by companies that used tricks to grab them up and sell them at much higher prices. That’s the conduct Congress intended to stop with the passage of the Better Online Ticket Sales (BOTS) Act. The FTC just settled its first cases against defendants charged with violating the statute.
The BOTS Act gave consumers a national defense against ticket bots – software that could buy up big blocks of tickets faster than mere mortals could type and click in an effort to score two on the aisle. To ensure that consumers had equitable access to tickets, Congress made it illegal to “circumvent a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by the ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules. ” The law applies to public concerts, theater performances, sporting events, and similar entertainment at venues that seat more than 200.
The FTC cases name New York-based defendants Concert Specials and owner Steven Ebrani, Cartisim and owner Simon Ebrani, and Just in Time Tickets and owner Evan Kohanian. You’ll want to read the complaints for the specifics, but at various times since the BOTS Act has been on the books, the defendants bought tens of thousands of tickets from Ticketmaster’s websites and then resold them, raking in big profits. Despite security measures Ticketmaster implemented to limit how many tickets a person could buy and to enforce its posted online sales rules, the FTC says the defendants illegally used ticket bots to circumvent the system and covered their tracks with other illegal tactics.
For example, the complaints allege the defendants used various bots that would automatically reserve any tickets that fit their search criteria, effectively blocking anyone else from buying the tickets at least until the reservation clock expired. The bot also would bypass any of those CAPTCHAs designed to make sure the buyer is a real person. (Factoid for the day: CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart. ” OK – there are some extra Ts in there, but we won’t quibble. ) By using bots, the defendants were able to buy multiple tickets across multiple Ticketmaster accounts within seconds, effectively freezing out consumers who honored the rules.
To evade detection, the defendants allegedly used thousands of different IP addresses, as well as hundreds of fictitious names and addresses and hundreds of different credit card accounts. Put it all together and the complaint charges the defendants with violating both the BOTS Act and the FTC Act.
Among other things, the proposed orders require that when buying event tickets, the defendants must stop using bots, CAPTCHA bypass services, fictitious identities, multiple IP addresses simultaneously on a single device, and credit cards in the names of anyone other than themselves or their employees. In addition, the order against Concert Specials and owner Steven Ebrani imposes a $16 million civil penalty that will be suspended upon the payment of $1. 565 million. The order against Cartisim and Simon Ebrani imposes a $4. 4 million judgment, suspended upon the payment of $499, 147. Just in Time Tickets will pay $1. 642 million with the rest of the $11. 2 million judgment suspended. All three judgments were partially suspended based on the defendants’ ability to pay.
If you have clients in the ticket industry, hold on to these compliance stubs for future reference.
Violating the BOTS Act can earn you a one-way ticket to law enforcement. It doesn’t matter how the defendants do it. It’s the act of circumventing “a security measure, access control system, or other technological control or measure… the ticket seller has put in place” that violates the BOTS Act. That means ticket purchasers who evade ticket limits by using fictitious identities, multiple credit cards, or multiple spoofed IP addresses on the same device are in violation of the BOTS Act, even if they don’t use ticket bots. Furthermore, as these cases demonstrate, BOTS Act violations may result in corporate and individual liability.
Serial violations are looked upon with disfavor. Before the enactment of the BOTS Act, the defendants all had signed Assurances of Discontinuance with the New York Attorney General relating to, among other things, their use of ticket bots. Encores are great for performers, but in this context, we call it recidivism. By the way, the FTC and the State Attorneys General share enforcement authority under the BOTS Act.
The BOTS Act covers “double features. ” The BOTS Act addresses more than just using bots to circumvent sellers’ security systems. Although not alleged in the cases the FTC just brought, the BOTS Act makes it illegal to sell tickets obtained in violation of the statute if the seller participated in the illegal purchase or knew or should have known the tickets were acquired in violation of the law.
3 Scalpers Fined for Using Bots to Scoop Up Tickets … – PCMag
PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing. Learn more.
This is the first time the FTC has enforced the BOTS Act, which cracked down on the scalping of tickets for concerts and sporting events. Using bots to scalp video game consoles or graphics cards is not currently covered.
(Credit: Ticketmaster)
The US Federal Trade Commission is cracking down on three New Yorkers for using automated bots to purchase tens of thousands of tickets online with the goal of scalping them. On Friday, the FTC announced it was collecetively fining the three defendants $3. 7 million for buying over 150, 000 tickets for music concerts and sporting events and then reselling them at higher prices. The crackdown represents the first time the FTC has enforced the BOTS Act, a US law passed in 2016 that’s designed to stop people from using automated software to help them scalp tickets online. We bet you’re hoping the FTC takes the same action against scalpers who’ve harnessed bots to buy up in-demand electronics, such as video game consoles and graphics cards. Unfortunately, the BOTS Act deals exclusively with event ticket sales—not the digital scalping of consumer goods. When it comes to ticket sales, scalping can be extremely lucrative, as the FTC’s case shows. The regulator claims the three defendants—Simon Ebraini, Evan Kohanian and Steven Ebrani—collectively made $26. 1 million in revenue from the ticket scalping, which started in 2017. The defendants pulled off the scheme by using bots on the Ticketmaster website. The programs—which went by the names Automatick, Tixman and Tixdrop—were capable of repeatedly searching web pages for available tickets and then automatically reserving them. In addition, the defendants used hundreds of credit cards belonging to fake people, and routed their internet activity to the Ticketmaster page through spoofed IP addresses. “In many instances, Defendants also did not use their address as the primary address, shipping address, or billing address for their Ticketmaster accounts. Instead, they used over 550 addresses that were either fake or unrelated to their business, ” the FTC alleged in a court complaint.
Recommended by Our Editors
The FTC originally planned on fining the defendants more than $31 million. But none of them could pay the amount. So for now, the regulator has suspended demanding the full fine. We’ve reached out to the FTC on whether it’s probing the scalping of video game systems and graphics cards, and we’ll update the story if we hear back.
Like What You’re Reading?
Sign up for Security Watch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Frequently Asked Questions about bots for buying tickets
Are ticket bots illegal?
Although not alleged in the cases the FTC just brought, the BOTS Act makes it illegal to sell tickets obtained in violation of the statute if the seller participated in the illegal purchase or knew or should have known the tickets were acquired in violation of the law.Jan 22, 2021
Does Ticketmaster allow bots?
This is the first time the FTC has enforced the BOTS Act, which cracked down on the scalping of tickets for concerts and sporting events. Using bots to scalp video game consoles or graphics cards is not currently covered.Jan 22, 2021
How do I set up ticket bot?
Specifically, the BOTS Act makes it illegal to “circumvent a security measure, access control system, or other technological control or measure on an Internet website or online service that is used by the ticket issuer to enforce posted event ticket purchasing limits or to maintain the integrity of posted online ticket …Apr 7, 2017
