Everything you need to know about ticket bots
What are ticket bots? How do they work? Are they illegal? How do we beat them? Get these questions answered and more in this comprehensive blog post.
Bad bots make the internet a fundamentally unfair place. Nowhere is this clearer than during ticketing onsales. Online ticketing organizations have found themselves on the front lines of the battle against bad bots.
Consider that according to the New York attorney general, one bot operator alone scooped up 1,012 tickets to a concert in 1 minute! Frustrated fans are forced to resale sites where margins can exceed 1,000% of face value. Stakeholders from politicians to musicians to fan alliances are clamoring for fairness in online ticketing. Some performers have gone to extreme lengths to remove bad bots from their onsales, including taking ticketing totally offline.
With the right combination of technology and regulation, it is possible to keep ticketing in the 21st century while ensuring tickets get in the hands of true fans. Organizations that don’t forcefully battle bots do so at their own peril.
But what are ticket bots, how do they work, and how can they be stopped? These are some of the questions we’ll answer in this blog post.
- What are ticket bots and are they all bad?
- How do ticket bots work?
- Who uses ticket bots?
- Are ticket bots illegal?
- Has legislation been effective?
- How do you beat bad ticket bots?
- Restoring fairness to online ticketing
1. What are ticket bots and are they all bad?
A bot (short for “robot”) is an automated program that runs over the Internet to perform a specific task or set of tasks. Ticket bots, then, are a type of bot that carries out tasks related to ticketing, such as scraping pricing details, checking inventory for newly released seats, or purchasing tickets.
Not all bots are necessarily bad. Bots are constantly at work behind the scenes making our digital lives run smoothly. They populate our news feeds, tell us the weather, provide stock quotes, and help us comparison shop. According to data from Imperva, they made up 37.2% of all website traffic in 2019.
In fact, many bots are beneficial to a well-running website. Crawler bots index sites for Google and other search engines, determining search rankings. Fetcher bots create previews of site content for mobile devices and social media platforms. And site monitoring bots alert administrators when a website isn’t running as it should.
Not all ticket bots are bad, either. For example, an authorized ticket broker could use a bot to fetch updated pricing and inventory information from the primary ticket seller.
Unfortunately, for every “good” bot, there is a “bad” one lurking around the corner, ready to do damage. Bad actors use these online bots to disrupt, manipulate, steal, and impersonate. The same report from Imperva found that nearly 1 in 4 web requests (24.1%) was made by a bad bot in 2019. And bad bots are especially prevalent in ticketing, making up 39.9% of all ticketing website traffic in 2019, according to Imperva.
When people talk about ticket bots, they are normally referring to these bad ticket bots.
2. How do ticket bots work?
Ticket bots have many vectors of attack, so it’s best to think about when they are used. Consider the following timeline:
Prior to the ticket onsale
Prior to the sale of tickets online, bad bots are used to create fake accounts or take over existing legitimate ones.
For example, one ticket broker apparently used 9,047 separate accounts on Ticketmaster to make 315,528 ticket orders to “Hamilton” and other popular events over a 2-year period.
Fraudsters will abuse the account signup process by using bots to create accounts in bulk. These accounts are then misused to get around ticket purchasing limits (most ticketing companies limit purchases to 4 or 6 tickets per customer).
Instead of mass-creating new accounts, ticketing touts also try to get control over existing legitimate accounts. They either use bots to guess common usernames and passwords (called credential cracking) or to perform mass login attempts for stolen username/password pairs (called credential stuffing).
During the ticket onsale wait
During the onsale itself, scalpers use ticket bots’ speed and volume advantage to beat loyal fans to the tickets and scoop up as much inventory as they can.
Bot operators use this lightning speed across several browsers to circumvent per-customer ticket limits.
By combining superhuman speed with sheer volume, bot operators effortlessly reserve hundreds of tickets as soon as the onsale starts.
Scalpers use one or several of these ticket bots to reserve and purchase tickets:
Scripted expediting bots use their speed advantage to blow by human users. An expediting bot can easily reach the checkout page in the time that it could take a fan to type his or her email address. And a single bot can open 100 windows and simultaneously proceed to the checkout page in all of them, coming away with a huge volume of tickets.
With scalping, scalpers set up the bot to monitor for specific types of tickets and then use expediting to quickly reserve and purchase the tickets.
Denial of inventory / Spinning
Ever wonder how concert tickets are available on resale sites like StubHub or Viagogo even before the tickets go on sale? Next-generation denial of inventory bots are to blame.
Denial of inventory involves using bots to add tickets to the cart, making them unavailable for fans to buy. Scalpers know some fans will see the “no tickets available” messaging and will want to go to the event so badly they’ll pay whatever just to get their hands on a ticket. So, the scalpers list the tickets on the resale sites. When the fans buy at the outrageously inflated resale prices, only then will the scalpers have their bots buy the tickets, pocketing a huge profit in the process.
During the ticket onsale purchase
Scalpers nearly always use bots to exceed the ticket limit, thus breaking ticketing companies’ terms of service. While some scalpers will pay for these tickets with legitimate credit cards, the worst scalpers do this all with stolen or hacked card information, increasing their scalping profit.
Cashing out refers to the general online credit card fraud that occurs when fraudsters use stolen card info to buy the tickets. In advance or during the ticket buying itself, fraudsters use bots to verify the validity of stolen cards (known as carding) or identify missing expiry dates or security codes for the stolen cards (known as card cracking).
Fraudsters, touts, and scalpers use bots for unfair advantage and fraud in every step of the ticket scalping journey.
3. Who uses ticket bots?
When you think of the people behind ticket bots, you probably conjure up images of a hacker or criminal type, camped out in a basement. But the reality is different. For example, hospitality agencies can use ticket bots to snag premium seats to include in their package deals.
There are five main types of ticket bot operators, each with their own objectives.
[Figure: Who launches bots]
4. Are ticket bots illegal?
Online ticketing bots have been around for at least 20 years. But it’s only in the last 5 years that governments have begun targeting bots with legislation. Depending on where you live, online ticket bots might be illegal—at least technically speaking.
In 2016, the U.S. Congress passed the Better Online Ticket Sales (BOTS) Act. It made it illegal to buy tickets to events by evading security measures and breaking purchasing rules set up by the ticket issuer. It also banned the resale of such illegally bought tickets.
In April 2019, the European Union Parliament voted to ban the use of ticket bots, either to buy tickets for resale or “to bypass any other technical means put in place by the primary seller to ensure accessibility of tickets for all individuals.” It also requires professional resellers to identify themselves on online marketplaces.
This marks the first EU-wide legislation on the topic, and it also leaves the door open for member states to pass additional laws regarding ticket resale (several already have such laws). The Council of the EU adopted the legislation in November 2019, so EU member states will now have two years to transform the regulations into national law.
In 2017, the U.K. passed a law that outlaws ticket bots used to exceed ticket purchase limits and requires secondary sellers to provide a unique ticket number with details of seats or standing location.
In 2017, the Australian state of New South Wales passed anti-bot legislation, which also included a resale cap at no more than 10% over the face value of the ticket. The following year, the state of South Australia ratified the Fair Trading (Ticket Scalping) Amendment Bill to crack down on ticketing bots.
Although there isn’t yet a nationwide ticket bot law in Canada, several provinces have passed or are considering legislation.
In 2017, Ontario province passed the Ticket Sales Act, which bans tickets from being resold at more than 50% above the face value and makes it illegal to knowingly resell tickets that were purchased by bots.
In 2018, Alberta province implemented their own ban, and British Columbia followed suit in 2019 with their own Ticket Sales Act, which also bans speculative ticket resale where the reseller doesn’t have the ticket in his or her possession.
5. Has legislation been effective?
Enforceability isn’t easy
Enforceability is an ever-present issue with ticketing legislation. Just because a law is on the books doesn’t mean it’s followed. Strong enforcement is necessary to curb illegal behavior.
Indeed, when the Ontario ban originally passed, attorney general Yasir Naqvi acknowledged the difficulty of enforcing the bot ban, as many bot operators are located outside of the province. He cited the 50% resale cap as an easier enforcement tool. Two years later, in 2019, Ontario’s government rolled back the 50% resale cap, saying it wasn’t enforceable.
Similarly, in the U.S. the BOTS Act’s bark has been worse than its bite. The Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement since the BOTS Act’s passage.
And even when the law was passed, the Congressional Budget Office judged it unlikely that any enforcement would take place.
“CBO estimates that [revenues from civil penalties] would be insignificant because of the small number of cases that the agency would probably pursue.”
The financial incentives are too lucrative
Using bots to scalp tickets is a perfect example of rent-seeking behavior (economist talk for leeching) that adds no benefit to society. But as long as there’s a secondary market to sell tickets at markups of over 1,000%, bad actors will fill the void to take advantage.
Indeed, the U.S. ticket resale market alone has ballooned to $5 billion. Ticketmaster reported that it blocks 5 billion bot attempts every month. The financial incentive is simply too strong and the threat of legal action too weak to stop malicious bot operators.
Legislation can’t keep up with the technology
In such a rapidly evolving space, legislation becomes outdated as soon as it’s passed. The U.S. BOTS Act, for example, doesn’t appear to apply to people who purchase tickets where they’ve only used bots to reserve the tickets (as Denial of Inventory bots do). The newest iteration of bots will continue to outpace and outmaneuver the legal roadblocks.
It’s clear that the ticketing industry cannot rely on legislation to solve the ticketing bot problem. The onus remains on venues, ticketing organizations, and online platforms to defend against malicious bots during online ticket sales. And companies that aren’t perceived as doing enough to battle bots are playing with fire. Public outrage can quickly turn on such organizations, and potential legal actions can follow in its footsteps.
6. How do you beat bad ticket bots?
Ticketing was the first industry to suffer the plague of bots. And given the fortune that successful bot operators can make, ticketing bots aren’t going away anytime soon.
We’ve seen limited impact from ticket bot legislation thus far. So ticketing organizations are best positioned to adapt to the constantly evolving bot threat.
A full-fledged plan to deal with ticket bots must span several levels, from concrete technical tactics to comprehensive bot mitigation solutions to larger ticketing strategy.
Monitoring is key because behavior is what helps you tell real fans from bad bots.
For example, we know the majority of stolen credentials fail during a credential stuffing attack. So, if you have monitoring that reports a sudden spike of traffic to the login page combined with a higher than normal failed login rate, it indicates account takeover attempts by bots.
Another example is if there is a high concentration of visitors using the same IP address. At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address. The bots are trying to simulate real users on a massive scale but getting unique IP addresses is an additional step that not all bot operators take.
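The two monitoring signals described above (a login spike with an unusually high failure rate, and many visitors behind one IP address) can be computed per time window from login logs. The sketch below is an added example, not code from the original post or from Queue-it; the event format, function names, thresholds, and sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def sample_events():
    """Constructed login events: (epoch_seconds, source_ip, succeeded)."""
    events = []
    for minute in range(5):          # normal: 20 logins/min, 10% failures
        for i in range(20):
            events.append((minute * 60 + i * 3, f"198.51.100.{i + 1}", i % 10 != 0))
    for i in range(300):             # minute 5: burst, 75% from one IP, 98% failing
        ip = "203.0.113.7" if i % 4 else f"198.51.100.{i % 50 + 1}"
        events.append((300 + i // 5, ip, i % 50 == 0))
    return events

def analyze(events, window=60, spike_factor=3.0, fail_threshold=0.5,
            ip_share_threshold=0.5, min_requests=50):
    """Flag windows that show a login spike with many failures or one dominant IP.

    All thresholds are illustrative assumptions; tune them against real traffic.
    """
    buckets = defaultdict(list)
    for ts, ip, ok in events:
        buckets[ts // window].append((ip, ok))
    alerts, history = [], []
    for w in sorted(buckets):
        rows = buckets[w]
        total = len(rows)
        fail_rate = sum(1 for _, ok in rows if not ok) / total
        top_ip, top_count = Counter(ip for ip, _ in rows).most_common(1)[0]
        baseline = sum(history) / len(history) if history else None
        reasons = []
        # Credential stuffing signal: volume far above baseline, most logins failing.
        if baseline and total >= spike_factor * baseline and fail_rate >= fail_threshold:
            reasons.append("login spike with high failure rate")
        # Concentration signal: many "visitors" arriving from a single address.
        if total >= min_requests and top_count / total >= ip_share_threshold:
            reasons.append("traffic concentrated on one IP")
        if reasons:
            alerts.append({"window_start": w * window, "requests": total,
                           "fail_rate": round(fail_rate, 2), "top_ip": top_ip,
                           "top_ip_share": round(top_count / total, 2),
                           "reasons": reasons})
        else:
            history.append(total)    # only clean windows feed the baseline
    return alerts

if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

A single address can also be a shared network such as a campus or carrier NAT, so the concentration signal is better used to trigger a challenge than an outright block.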
Bot mitigation solutions
Bots have changed the economics of the ticketing business, so ticketing organizations need to change the economics of bot attacks. That means targeting each bot attack vector and increasing the costs bot operators incur in order to overcome the protections.
On account creation, for example, bot mitigation tools validate biometric data like mouse movements, mobile swipe, and accelerometer data to distinguish bots from real users, and then feed that data into machine learning algorithms. You can also block or enforce Google’s reCAPTCHA on traffic from known bot hosting providers and outdated browsers typically used to run ticket bots.
During the onsale itself, you can target the speed and volume advantages that bots enjoy. A tool like a virtual waiting room can help neutralize both. Bots that arrive before the onsale starts are placed in a pre-queue together with legitimate users. When the event launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.
Ticketing organizations can require visitors to enter known data, such as a membership number, to enter the virtual waiting room. Combining known data like this makes impersonating real users exceptionally expensive and complex, and is thus a powerful way of combating bots’ volume advantage.
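The pre-queue randomization and the known-data gate from the last two paragraphs can be expressed in a few lines. This is an added example, not Queue-it's implementation; the function and variable names, the rule that one membership number buys one place, and the sample arrivals are assumptions constructed for illustration.

```python
import secrets

ONSALE_START = 0  # constructed: times are seconds relative to the onsale start
VALID_MEMBERS = {"M-1001", "M-1002", "M-1003", "M-1004", "M-1005", "M-1006"}
# Constructed arrivals: (arrival_time, visitor_id, membership_number).
ARRIVALS = [
    (-600, "bot-1", "M-1001"),   # automation arrives ten minutes early
    (-599, "bot-2", "M-1001"),   # second session reusing the same membership
    (-598, "bot-3", "M-9999"),   # membership number that does not exist
    (-120, "fan-a", "M-1002"),
    (-30,  "fan-b", "M-1003"),
    (-5,   "fan-c", "M-1004"),
    (2,    "fan-d", "M-1005"),   # arrives after the sale has started
    (9,    "fan-e", "M-1006"),
]

def build_queue(arrivals, onsale_start, valid_members, rng=None):
    """Return (queue, rejected) where queue is the ordered list of visitor ids."""
    rng = rng or secrets.SystemRandom()  # OS randomness, so the draw is not predictable
    seen, pre_queue, late, rejected = set(), [], [], []
    for t, visitor, member in sorted(arrivals):
        # Known-data gate: unknown or already-used membership numbers get no place.
        if member not in valid_members or member in seen:
            rejected.append(visitor)
            continue
        seen.add(member)
        (pre_queue if t < onsale_start else late).append(visitor)
    # Everyone who arrived before the start gets a random position, so arriving
    # ten minutes early is worth exactly as much as arriving five seconds early.
    rng.shuffle(pre_queue)
    # Visitors who arrive after the start join behind them, first in, first out.
    return pre_queue + late, rejected

def demo():
    return build_queue(ARRIVALS, ONSALE_START, VALID_MEMBERS)

if __name__ == "__main__":
    queue, rejected = demo()
    print("queue:", queue)
    print("rejected:", rejected)
```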
Finally, you can implement bot mitigation tactics on the ticket payment step similar to how you would on account creation to flag brute-force attacks like carding or card cracking. Stopping fraudulent account creation also helps prevent online card fraud.
New (and old) ticketing strategies
Shifts in ticketing strategies can play an equally vital role in battling bots. We’ve already seen several examples where ticket bot regulations also include caps on ticket resale prices to remove some of scalpers’ financial incentive.
With the expanded adoption of smartphones, mobile ticketing is a promising strategy to curb scalping. The paper ticket is “this paper entity that can be spoofed and subject to fraud,” says Kristin Darrow, senior vice president at Tessitura Network. Mobile ticketing puts more control measures in place, such as tracking the transfer of tickets and limiting sales by geographic area. In 2019, Spanish festival Primavera Sound became the first major music festival to go completely mobile with their ticketing, and has features like a QR code that only appears two hours before the concert to keep tickets from being sold on secondary markets.
What’s old is also new again. Paperless ticketing—where the purchaser uses his or her credit card and a form of ID to enter the event instead of a ticket—“has been around for over 25 years,” says ticketing insider Ian English. The strategy certainly has tradeoffs, in that it is rigid and can be difficult to transfer tickets or purchase on behalf of someone else. But it has documented effectiveness in battling scalpers and reducing tickets on the secondary market. High-demand shows like Hamilton continue to experiment with the approach.
7. Restoring fairness to online ticketing
The ultimate goal is to restore fairness to online ticketing. Here’s how Edward Roberts, Director of Product Marketing at Distil Networks (now part of Imperva), describes what fairness means to the different players in the ticketing industry:
- For a fan, a fair experience is getting the same chance as any other fan to purchase available tickets at face value.
- For an artist, it is getting tickets into the hands of enthusiastic fans into their shows.
- For a ticketing company, it’s providing access to real humans to purchase the available tickets and eliminating any automation from abusing the system and ruining the ticketing buying experience for real fans.
With public outcry and artists’ frustration over ticketing bots at a boiling point, organizations that don’t take the problem seriously do so at their own peril.
But if you’re a ticketing organization and are committed to stopping ticket bots, there are tools and strategies at your disposal. Combined, you can tailor them to the unique angles of attack during each stage of the ticket-buying process to give you the best chance of achieving successful, bot-free onsales.
(This post has been updated since it was originally written in 2019).