Did you struggle to secure Coldplay concert tickets? Blame it on ticket scalping

• Advanced bots fuel ticket scalping, leading to sell-outs and customer dissatisfaction.
• Bots cause rapid sell-outs and high prices; legal measures fall short, making comprehensive bot management crucial.

Ticket scalping is a significant global problem, not limited to Asia. Data curated for Imperva’s annual 2023 Bad Bot Report from its global network of security POPs (Points Of Presence) reveals that 83.4% of all traffic to entertainment websites worldwide in 2022 came from automation (both good and bad).

Worryingly, nearly one-third of all automation that hits entertainment sites is classified as advanced bad bots – a highly sophisticated type of bots that mimics human interactive behavior and utilizes the latest techniques to evade detection.

Scalpers use these highly sophisticated bots to take advantage of popular events, concerts, sports matches, and other live entertainment opportunities to purchase tickets in bulk and then resell them at inflated prices. This practice can negatively impact both legitimate ticket buyers and the live entertainment industries in areas such as loss of revenue for businesses, customer dissatisfaction and damaged reputation.

Tech Wire Asia recently interviewed Reinhart Hansen, Director of Technology, Office of the CTO, Imperva, to discuss the state of ticket scalping in Asia and how it affects digital ticketing platforms. According to him, digital platforms setup for selling major event tickets were supposed to make it easier and more convenient for end consumers and fans to purchase tickets to their favorite events. Although true, it also made it equally easy for digital-age scalpers to buy large volumes of tickets.

Advanced bad bots: The silent culprits behind online scalping

“Today, online scalpers heavily rely on advanced bots to execute their nefarious activities,” said Hansen. “From concert and sports tickets to highly coveted sneaker releases and limited quantity collector’s items. Scalping has evolved and advanced over time, targeting not only traditional items like event tickets, sneakers, and limited-edition products but also expanding to new markets during the COVID-19 pandemic.”

Scalpers, using sophisticated bots that mimic human interactive behavior with a ticketing platform or website, rapidly purchase large quantities of tickets as soon as they become available. Hansen believes this practice gives scalpers a competitive edge over regular consumers and causes events to sell out quickly.

Hansen emphasized that without adequate safeguards, scalpers can take advantage of system vulnerabilities and weaknesses in application business logic to buy tickets in bulk.

Ticket scalping not only negatively impacts the platform, leaving it at risk of cyberattacks, but also hurts businesses. “At face value you would think ticket organizers should be happy because after all they are selling out all the tickets for an event they are promoting. However, for businesses, scalping leads to longer-term lost revenue. Genuine customers who are unable to purchase items at their original price, or at all, feel cheated,” said Hansen.

This, in turn, damages the brand reputation and customer loyalty, and contributes to a negative perception of the industry. Customers with negative experiences with online ticket purchasing and ticket scalping are less likely to attend future events, reducing repeat business and long-term loyalty.

The Coldplay concert catastrophe: A wake-up call for ASEAN region

When talking about ticket scalping, we can’t not mention a concert that got many people in the ASEAN region raving about – the Coldplay concert. Everyone was excited and ready to queue up to get a chance to purchase their tickets, but of course, “everyone” includes scalpers as well. Scalping leads to inflated ticket prices and restricted access to desired events for consumers, causing frustration and eroding trust in the market.

“In relation to the Coldplay concert ticket sales in Singapore, four concerts (200,000 tickets) were sold out in less than 24hrs. An additional two concerts (100,000 tickets) were sold out in under 3 hours. No one likes waiting in queues to buy anything. Queuing for ticket sales, online or in person, would seem like a fair way to sell high-demand tickets to fans. In these scenarios no one likes queue hoppers,” Hansen explained.

However, Hansen added that digital queue hopping is one of the largest ways online scalpers can gain an unfair advantage. Using sophisticated bots to exploit weaknesses in online ticketing and queueing systems, they quickly get ahead of everyday fans.

This leaves everyday ticket buyers and genuine fans disappointed and in a dilemma with limited options. They are often forced to buy tickets from scalpers at inflated prices.

The sad thing is that scalpers will never go away. According to Hansen, scalping is a profitable business that has existed since the 1800s. As more online scalpers transition to using automated tools, the scope of the problem is growing. Scalping bots are cheap, easy to run and customize, and provide a high return on investment for scalpers.

In the early days of online ticket scalping, automation was used to simply navigate through a ticketing system interface faster than any human could in an interactive manner. These simple bots have evolved in recent years to understand how to bypass ticketing system business logic and queueing systems.

As an example, it may take a normal user several screens of interaction to select seats, provide payment details and check-out of a ticketing system. Sophisticated bots used by scalpers can often bypass the ticket selection and payment steps, going straight to the ‘checkout and pay screen’ by exploiting the underlying APIs of the ticketing system. This enables faster ticket purchases than any human could make.

In most markets today, over 40% of all online ticket booking is now done by automated software to be resold later, despite laws being passed specifically to tackle the situation. Ticket import generates US$15 billion per year in global revenues.

Three-stage attack on entertainment websites

Hansen listed out the three stages in that scalpers use ticket bots to attack websites:

1. Monitoring target websites and creating accounts: Also known as drop checking or spinning, scalpers use bots to constantly probe retailer websites, event sites and even Twitter and other social media feeds, to identify interesting new launches. In parallel, scalpers use bots to create fake accounts automatically.
2. Add to cart: The scalper bots need to be the first to add the desired item to the shopping cart. To make multiple purchases without being detected and blocked, scalper bots must bypass safety controls like inventory limitations, Captchas, and more. They generally rely on residential proxy networks, so each request comes from a different, legitimate IP address. Advanced operators shave additional milliseconds from the acquisition process, by distributing servers, placing them nearer to retailer or event websites to minimize latency.
3. Automated checkout: Finally, scalper bots automate the actual purchase. They log in to create new accounts, input all the required information to use a guest account, and input payment via a rotating list of credit cards. To avoid detection, they use different billing profiles for each purchase, and blend credentials, names, and address formats.

Not to mention that nearly one-third of all automation that hits entertainment sites is classified as advanced bad bots, and this has several effects:

1. Increased web traffic: Ticket scalpers often use automated bots to purchase many tickets as soon as they become available rapidly. This sudden surge in traffic can overload ticketing websites and associated backend databases leading to performance issues, such as slow loading times or website crashes.
2. Denial of service attacks (DoS): In some cases, malicious actors may deploy bots as part of a distributed denial of service (DDoS) attack on ticketing platforms. This coordinated attack floods the platform’s servers with overwhelming traffic, rendering it unavailable to legitimate users.
3. Bot-generated requests: Bots used for scalping can generate many HTTP requests to ticketing websites. These requests may include automated searches, adding items to the cart, and checking out, which can strain the server infrastructure and impact the overall responsiveness of the website.

To effectively combat scalping, Hansen highlighted that businesses need to adopt a comprehensive bot management and application security strategy. This includes implementing an advanced bot management solution that can accurately identify and block malicious bots while allowing legitimate traffic to pass through.

“One such element is using device fingerprinting technology,” he said. “When bots are attempting scalping activities they need to operate at scale and cannot change their device every time. To avoid detection, they often identify as multiple different web browser types, clear their cache, use incognito browser mode, as well as use virtual machines or emulators.”

Device fingerprinting can help identify these devices by evaluating parameters that remain the same between ticket-purchasing sessions. This indicates that the same machine/device repeatedly connects, suggesting bot-based automation.

Another strategy that Hansen highlighted is browser validation. Malicious bots often pretend to be running a specific browser, and then cycle through user-agent identifiers to avoid detection. Browser validation confirms that every user’s browser is what it claims to be. For example, this can be done by checking that the browser has the anticipated JavaScript agent, is making calls in expected ways, and exhibits behavior patterns expected from human users.

Legal measures against ticket scalping in Asia: Are they enough?

Knowing all of this, the question being raised is what are the legal aspects of ticket scalping, particularly in Asia? What laws are in place to regulate this practice, and are they effective?

Hansen answered this by referring to many different laws from all around Asia. To combat ticket scalping, he said several countries have pursued legal measures. For example, Japan’s anti-scalping law, which took effect in June 2019, prohibits reselling tickets at prices higher than their retail value for commercial purposes. Violators face up to one year in prison and/or a maximum fine of 1 million yen (US$7,200).

He also mentioned Australia has a ‘major events’ law. “When the government labels an event as a ‘major event’ special legislation prevents the resale of tickets at greater than 10% over the promoter’s price. Enforcement with fines of up to US$50,000 and potential jail time is issued to anyone caught scalping tickets outside these rules,” he explained.

In Beijing, on the other hand, local authorities have formed a workgroup to tackle scalping through eight measures, including managing ticket origins, implementing a real-name system for sales, and limiting the number of tickets each consumer can purchase for a single performance.

However, automated ticket purchase remains rampant in many markets despite laws and other legal action.

Key to winning the war against ticket scalping

In certain cultures, the perception of scarcity and value might affect the prevalence of ticket scalping, as there may be a strong belief that highly sought-after events or limited-capacity shows have more value. Ticket scalpers may exploit this perception of scarcity to charge higher prices, and some fans may be willing to pay a premium to secure tickets for these exclusive events.

In addition, cultures that prioritize collectivism may view ticket scalping as detrimental to the community. Scalpers profiting from ticket sales at the expense of genuine fans might be perceived as selfish and socially irresponsible. Conversely, individualistic cultures may emphasize personal gains more, making some individuals more accepting of scalping practices.

Hence why businesses should proactively collaborate with industry peers and government agencies, exchanging intelligence and best practices to effectively combat scalping and other automated threats, according to Hansen.

“One way of combating ticket scalping is to set ticket purchase limits per person or per household to prevent scalpers from buying large quantities of tickets,” he suggested. “Additionally, event organizers can implement personalized tickets with the ticket holders’ names, making it more challenging for scalpers to resell tickets anonymously.”

He concluded that validating a ticket purchaser’s identity using KYC (Know Your Customer) technology could drastically reduce and control the number of tickets anyone can purchase.

---

---

---

---