Four Ways Bots Attack Ticketers and Infinite Reasons to Be Protected

February 18, 2019 Katherine Oberhofer

Four Ways Bots Attack Ticketers and Infinite Reasons to Be Protected: Ensure your reputation, customers, and data are safe from bad bots

The ticketing industry is threatened by scalping, seat spinning, and web scraping to name a few. In some cases, ticketing companies use web scraping to compare prices and inventory with competitors, along with scalping tickets - buying them low and then selling them elsewhere for ridiculous prices. While these types of activities aren’t always malicious, they impact a ticketing site’s system and resources. And when malicious bots do decide to strike a company website, those resources are unavailable.

When bad bots strike, they're after the content that drives revenue for a business — seating availability, pricing, and sales.  And it’s here when the greatest risk to revenue and reputation occur.

In this blog post we take a look at some of the main ways bots penetrate ticketing sites and the impact of infrastructure and financial stress on ticketing companies. We hope you’ll walk away with some ideas on how to ensure your site remains protected and your customers continue going to their favorite events.

Scalping or Ticketing is a type of computer program that automates the process of buying a ticket - a process that can be completed in a matter of milliseconds, unlike the dozens of seconds it would take a skilled human to complete.

Ticket scalping bots use automated software to gain their position at the start of the queue and buy thousands of tickets from the moment they are released for sale. Hence why tickets appear so quickly on secondary markets or resale websites, and at a much higher price compared to the original ticket price.

  • Ticket bots not only affect ticketing companies but also politicians, fans, artists, and venues
  • Primary markets are impacted more by scalping compared to secondary markets (i.e., StubHub or VividSeats) however, the threat is still there for both markets
    • Scalping plays a huge role in actually creating the secondary markets where fans are able to purchase tickets at premium prices, adding to their frustration and damaging the reputation of the ticketing sites
    • Premiums are already added to the ticket price when posted on secondary markets, removing the opportunity for additional scalping by bots
  • Scalpers are also deployed to continuously check inventory for newly released tickets, additionally putting more strain on the website infrastructure and keeping real fans from purchasing tickets

Seat Spinning is a type of bot that is released by bot operators which checks for available tickets on a website, holds them in a cart or at checkout, but will not proceed to payment resulting in those tickets looking “sold out.”

  • Bots are deployed to look for information about pricing and inventory which puts a relatively high load on systems because bots are constantly looking for this information
    • This causes a significant problem for the IT & Engineering teams to maintain system performance and availability
    • Associated infrastructure requirements to maintain performance is a significant financial burden to ticketing companies
  • Similar to scalping, seat spinning causes fan frustration because they are unable to get access to tickets and/or they are forced to pay a premium price through the secondary markets
    • In some cases, fans are turned away thinking there are no tickets available when that’s not really the case. This leaves a sour taste in their mouth, forcing them to look for other companies and outlets to purchase tickets
  • Aside from the fans who are purchasing tickets, artists also worry about their fans and the exploitation they are exposed to. This only puts more pressure on ticketing companies to better protect customers and protect against bots
    • Brands are severely damaged by frustrated fans and artists who will eventually hit a breaking point and look to someone else to promote their tickets

Web Scraping sometimes known as data mining, is used to check the availability of new or recently released tickets, gather their details, with the end goal of purchasing once they know what they are looking for.

  • Data commonly misused in scraping incidents and specifically in the ticketing industry includes authentication credentials, payment cardholder data and other financial data, and other personal data
  • OWASP, a worldwide not-for-profit charitable organization focused on improving the security of software, says possible symptoms of scraping include unusual request activity for selected resources, duplicated content from multiple sources in search engine results, and decreased search engine ranking
  • Scraping affects both the primary and secondary ticketing markets
    • Unauthorized brokers are seeking any seats to re-sell at premium prices on their own website which heavily impacts the primary markets
    • Bad bots are used to create secondary ticketing markets for an event or show by purchasing or holding available seats, preventing fans from purchasing tickets and then looking to the secondary markets to find available
    • In some cases, ticketing platforms have an agreement with brokers who will purchase ticket in volume and resell them at premium prices on the same website

Account Takeover occurs when bots obtain access to customers accounts including tickets, personal information, and credit card or payment credentials

  • Criminals are the main culprit for account takeover attacks with their main objective to access fan accounts to steal tickets or transfer them to another account
  • Secondary ticketing markets are impacted more by account takeover attacks where bots have access to the tickets in fans accounts and in most cases, the payment information used to obtain the tickets
  • Customers and fans are often locked out of their ticketing accounts which ends up being an issue for customer service and drives fans to lose trust, once again
    • Ticketing platforms and websites are hit hard dealing with an investigation into what happened inside the account - IT & Engineering resources are redirected to deal with the time consuming and costly issue caused by bots
    • In addition, the ticketing company is on the hook for the cost of reimbursement of any theft or credit card fraud that occurred in the process

The ticketing industry is heavily impacted by bots and is in a constant war against bots. Ticketing websites and platforms are constantly bombarded with attacks, tasked with dealing with the issues caused by the attacks, and protecting their customers - all at the same time. These activities can add up to a significant headache for the business and especially the IT team.

Every facet of the ticketing industry is negatively impacted by bad bots -- from the talent and their promoters to venues, ticket sellers and especially the fans and customers who purchase tickets. It’s more important than ever to establish a strong cybersecurity strategy to mitigate bot attacks and ensure your site and the fans that power it are protected.

Be on the lookout for our new Threat Research Report: How Bots Affect Ticketing launching soon and learn about the proactive steps you can take to start addressing the problem.

 
Previous Article
How Bots Affect Ticketing
How Bots Affect Ticketing

Distil’s Research Lab released its latest threat research called “How Bots Affect Ticketing”. The report is...

Next Article
The Inside Track: Q&A with Queue-it CEO Niels Henrik Sodemann
The Inside Track: Q&A with Queue-it CEO Niels Henrik Sodemann

What every C-Suite Executive needs to know about cybersecurity. The typical CEO doesn’t have time to worry ...