The basic concept of ticket scalping has been around for a long, long time. Let’s say there’s a highly anticipated boxing match or rock concert. A ticket scalper is someone who acquires large numbers of highly sought-after tickets, and then sells them on at inflated prices for big profits. A similar thing happens in the world of digital ticket selling — although it’s now possible to do things on a much larger scale than the classic real world ticket scalper selling a few tickets outside the doors of an event.
Using automated bots to buy finite, in-demand products in vast quantities and then resell them online for a profit, digital scalpers deprive legitimate buyers of their opportunity to buy products in a fair marketplace. Even customers who are ready and waiting, credit card in hand, at the start of a sale often find themselves outgunned by automated bots. In 2020, ticket scalping is reportedly worth $15 billion per year. Concert tickets are frequently cited as one of the primary targets of ticket scalpers, but they are by no means the only ones. Popular items ranging from new gadgets to fashionable, limited edition clothes can be snapped up by automated bots. Within minutes, these items then pop up on websites like eBay, often at multiple times what they cost to originally purchase that same day.
Skirting the edges of legality
Laws such as the United States’ 2016 Better Online Ticket Sales Act (the appropriately acronymed BOTS act) mean that the Federal Trade Commission can fine those individuals who break the law in this way. In some places, such as New York, ticket reselling is legal (although it was once criminalized), but using bots to buy tickets is illegal on the basis that it provides an unfair advantage over ordinary fans. Even so, digital ticket scalping remains a massive problem. More than 40% of online ticket booking is reportedly carried out today using automated software with the goal of later reselling the tickets to a third party. Many of these bad actors operate in “tax haven” markets where there is little regulatory oversight.
A scalper bot attack isn’t as noticeably harmful as, say, a DDoS (distributed denial of service) or ransomware attack. It’s not intended to bring down the server of a target or to hold them up for money by encrypting their files until they pay a ransom. But scalpers hurt retailers and customers alike by negatively changing the dynamics of the free market. Customers lose out on opportunities to buy and sellers lose out on those same customers, while having their overall user experience negatively impacted.
How do scalper bots work?
Scalper bots monitor certain websites, whether online retailers or social media feeds, in order to keep tabs on events. They also create fake accounts that can be used to buy items, getting around existing anti-scalper measures that seek to stop people from buying dozens of tickets from one profile. Such bots typically use residential proxy networks to mask their tracks. This makes it appear as though every purchase request being made is being done so through a different IP (internet protocol) address. An IP address is a unique number that is linked to the online activity carried out from a certain physical address. It makes it possible to see where online activity is coming from, similar to the return address you might put on a letter you mail out. However, bots find ways to get around this — and can therefore make it appear like different purchase requests are coming from different legitimate physical addresses. To maintain this illusion, they will use a variety of credit cards, billing profiles, names, and address formats. The purpose is to convince whatever anti-scalping measures are in place that the requests are coming from a real source rather than a bot-driven cheat.
Some of the more sophisticated scalper bots will use even more advanced techniques to ensure that they land the tickets or product they are hoping to acquire. They may, for instance, shave valuable milliseconds off a purchase by distributing servers, locating them closer to retailer or event websites, so as to minimize latency. Milliseconds might not sound a lot (and, in a sense, it really isn’t), but it can make all the difference when it comes to getting to the front of a queue for a hotly contested purchase.
Protect yourself
With all of this high tech trickery being used, it’s easy to think that there’s no way to adequately defend against bot scalpers. Fortunately, there are tools at the disposal of companies wanting to defend against this kind of attack. For starters, it’s a good idea to introduce features like powerful CAPTCHA protection (those squiggly letter typing tests used to theoretically sort bots from humans). Companies can also block proxies and providers that are commonly utilized by scalpers. These include the likes of OVH, OVH Hosting, Choopa, SAS, and Digital Hosting. Rate limits for APIs, mobile apps, and websites may also help to crack down on abuse.
There are additional techniques companies might want to call in expert help to assist with. Device fingerprinting, in which commonalities between device parameters and browsers are observed, can help to do what IP addresses have failed to do: spot when the same agent is trying to connect over and over. Similarly, behavioral analysis will spot certain types of behavior — ranging from mouse movements to website engagement — and use this to identify suspected bots. A good cybersecurity company should be able to help you with this, blocking vulnerabilities and making sure that only good actors (read: legitimate users) get through.
The result is that everyone gets a fair shake at buying what you’re selling. And isn’t that ultimately the goal of any good retailer?