Scalpers Earned $25M Gaming Online Ticket Sellers

SeattleGameboy writes "An indictment has been issued for online ticket brokers known as 'Wiseguy Tickets and Seats of San Francisco.' From 2002 to 2009, they used bots, server farms, and CAPTCHA hacking to buy vast number of premium tickets (Springsteen, Miley Cyrus, NFL, MLB playoffs, etc.) and made $25 million in profits. 'They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA "answers" to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, the authorities said.' I guess you can break any system like CAPTCHA if you want it badly enough."

Anti scalpers scheme that works...

[BartholomewBernsteyn]

In his Glitter and Doom tour, Tom Waits pioneered an effective anti scalpers scheme.

Tickets for Waits' summer shows were limited to two per person but, in an effort to beat ticket touts, a valid I.D. (passport or driving licence) matching the name on the ticket was required to gain entry. Any concert-goer who did not have a valid I.D. or was found to be in possession of a ticket that had been resold – electronic scanners were employed – was not allowed in and did not get a refund.

From http://en.wikipedia.org/wiki/Glitter_and_Doom_Tour#Tickets

why browser knows captcha id

[tokul]

why user agent knows all info required to identify captcha and why this identification info is unique. Somebody designed weak captcha system and it was broken. End of story.

Dutch Auction

[Dr_Barnowl]

How about a dutch auction?

Start the price offensively high, and drop it as the concert date approaches. The organiser gets paid the price the market will bear, the scalpers are out of the loop - because by definition, anyone willing to pay a stupid price for a guaranteed ticket will already have paid it.

You still get the same effective problem - that rich fans are prioritised over poor fans, but more money goes to the artist and the organiser, so they could throw a few benefit concerts or something to sweeten the deal.

Re:Dutch Auction

[twisteddk]

I like the idea, but for all practical intents it's almost impossible to do.
Because you'd then have to auction off each seat in an order determined by order of importance, which would be logistically a nightmare with up to 100.000 seats available for an event.

For instance: I can afford to pay $500 for two tickets to a concert, but I want the best possible. If I wait for the best tickets to drop in price, they may sell out before they reach the pricelevel I'm willing to pay, so I need to buy the second best tickets, but these sold out at $100 even earlier. So the company sells a pair of tickets at $100 that it could have gotten $500 for. so they have to sell each seat (or section) before they sell the next to get the best price. Thus the guys dealing in the "resellers" market still get to earn a living, because this is impractical to do.

Rather each buyer could enter a maximum value they'd be willing to pay, and then those with the highest bids would get the best tickets and so on downwards. But again, this would mean people will bid lower than what they really wanted to pay, because the percieved value of the ticket drops with its desirability (like locatin, seating, visibility etc.) and with no guarantee of a desired location, you'd bid only what you percieve the worst tickets to be worth. And thus a new black market will appear.

I dont see a better way (and equally simple for both costumers and sellers alike) to do it than with the current fixed pricing schemes.

Re:Dutch Auction

[oever]

The 'clock' in a dutch auction takes about 30 seconds to go to zero. That means that a sequential auction for 100.000 tickets would take about a month. That should give all people interested ample opportunity to attempt to buy a ticket at the desired price.

However, just like the stock exchange, the day price of a ticket would depend on psychological factors. That means that the price would fluctuate and the a price that is perceived high one day is percieved low another day. This creates opportunity for ticket trading.

A better system for the artists would be to do parallel ebay-style bidding. You start by bidding $10 and if there are less people bidding more than $10 than there are tickets, you get a ticket. At a specified time the bidding is frozen and you either have a ticket or not.

For the concert-goers, this system has the disadvantage that they are not sure of a ticket until the bidding expires.

Re:Dutch Auction

[jonadab]

> If I wait for the best tickets to drop in price,
> they may sell out before they reach the pricelevel
> I'm willing to pay, so I need to buy the second best
> tickets, but these sold out at $100 even earlier.

This is easily solved, and along with it the problem that some people might rank the seats differently than others (e.g., one guy wants to be right in front of the speakers, and somebody else would rather be near the center of the stage).

The solution is simple: all the tickets are the same price on any given day. Let's say you start selling the tickets 100 days before the event, at ludicrously obscene prices (say, a million bucks a seat). You wait, because you don't have a million bucks, and if you did you wouldn't spend it on tickets for a single concert, because you're at least partially sane. So you wait. Each day the price goes down. After a week or so, it's down to eighty grand per seat, which you still can't afford, but only four tickets have sold, to some billionaire who just had to be next to the center aisle in the front row no matter what. When the price comes down to twenty grand per seat, a couple of CEOs snap up the private VIP booth, and a lunatic-fringe extreme fan from Ann Arbor sells his truck and buys a front-row seat. But there are still seats available in the front row, and the price is coming down...

Furthermore, this system and the current system aren't necessarily mutually exclusive. They could split up the seats in a predetermined way and sell some of them at fixed prices and others in the manner described above. The proportions (how many tickets are sold each way) would be up to the organizers of the concert, I suppose (though it might also be a negotiating point when you're trying to book popular performers).

For simplicity, we'll say you divide the seats in half down the middle of the center aisle. All the seats left of center are sold for the same low price of $150/seat (or whatever) until they're gone, but the seats to the right of the center aisle are priced obscenely high at first, and then the price gradually drops until they're all sold out (probably somewhere in the $250-$500 range, though of course the exact price is going to depend on the popularity of the performers and various other factors).

Re:Dutch Auction

[BlackHawk-666]

This makes plenty of sense. In any concert there are bandings of seating with a price attached. The better the view, the more expensive the seat. This is worked out in advance by the venue based on their 'values', but really it is the view and values of the ticket holder that matter.

So, price starts at $1 million and slowly drops as the cut off date for purchasing a ticket approaches.

If the guy who spent $1 million for his seat wants to sit to the left side of the back row - who are we to tell him he can't have that seat. The price of the seat drops until you feel you can afford it and check - nope, you don't want to pay $500 for the seats left, but in two hours time it's $200 and there's still a few left you'd pay that for.

You could automate it by placing a highest bid price label onto each of the seating brackets and let a script pick you up a seat when it hits your price. If you're feeling risky, you could wait a little as seats in that area sell out - snapping a couple up at the last moment.

Concert providers should be happy, this would pretty much enable them to scam the maximum amount available for every seat in the house.

Re:Dutch Auction

[rho]

I doubt that most of the "scalped" tickets are actually sold by scalpers. Most are probably sold by friends and employees of the event and/or venue.

Think about it--before tickets go on sale, roadies and janitors get a chance to buy premium seats at face value, maybe even with an employee discount. The performers don't care, the venue doesn't have to pay employment taxes on this unofficial employee benefit, and the employee gets some extra cash.

Are you telling me...

[cvtan]

that Stubhub is owned by Ticketmaster? I can't believe this. The last two times I tried to get into concerts at the Rochester Auditorium Theater and the War Memorial (Blue Cross Arena), it was difficult. Somehow all the good seats vanished almost immediately. But no, there are seats that magically appear on Stubhub. All you have to do is pay $300 for a $75 seat. Infuriated, I refused (obviously, I've been out of the loop for a while). So for one concert I bought tickets from someone on eBay (double the face value!) and for the other I just got cheap tickets in a poor location. Apparently this kind of poor service has no effect since the venues are sold out anyway. This makes me not want to go to events like this and just buy the DVD! Maybe you have to be a teenager to put up with this BS. I still have the antiquated belief that ticket resellers should not make more money than the artists or promoters. You don't see Wallstreet brokers doing this. Oh, wait...

Re:It worked for Waits but it won't for Cyrus

Actually, the Miley Cyrus tour did implement ID-verification, and it didn't work.

Instead of requiring picture ID, the Miley Cyrus tour required the presentation of the credit card used to purchase the tickets.

(For an audience with average age well under the 18 required to have a credit card in the US, this had some negative customer service implications.)

The brokers responded by getting credit card companies to issue them one-time-use credit cards. They used these cards to purchase the tickets and mailed the patrons the credit card with their tickets.

Brokers are clever process hackers and I have yet to encounter an anti-broker scheme that actually works.

Re:there's a small town in the mountains

[TheKidWho]

Perfectly, if people are willing to pay $5/bag for it. If they're not, then the guy will have 19 useless bags of flour. What will most likely happen is someone else will come in and offer cheaper flour, it's the nature of the market since such a high price will create a deadweight loss. Free market at work.

At the end of the day, isn't that what the supermarket does anyways? They buy flour for $x and then they resell it for $x+$y. What keeps them in check? Competition from other supermarkets.

"Bots" were their own, not bot farm

[michaelmalak]

Although the indictment makes heavy use of the word "bot", Wiseguys did not use viruses or trojans to create their bot farm. They paid for it themselves, with their own computers, purchasing varied IP addresses from varied ISPs across the U.S. to prevent Ticketmaster's et al IP address blocking.

In the old days, ticket wholesalers would hire hobos to stand in physical line. In the Internet era, is it now necessary for ticket wholesalers to not only put a hobo in front of a computer, but to apply for a credit card for the hobo as well? And this is because Slashdot readers now all of a sudden support click-through EULA's on websites? The crux of the indictment is that Wiseguys defeated Ticketmaster's et al human identification by defeating Captchas and using purchased varied IP addresses.

The ticket windows (Ticketmaster et al) are trying to engage in price control, which never works. Ticket windows had limited success in outlawing ticket brokers. Now in the Internet era it seems ticket windows have discovered a legal avenue to harass the ticket brokers by calling automated Captcha completion "hacking".

Wiseguys never engaged in malware or theft. They merely sought to purchase what the ticket windows had for sale in response to the market distortions -- in the form of price controls -- the ticket windows had set up.

WHo is at fault....both of course.

[hesaigo999ca]

If you leave the door open, then you are stupid for letting in the flies, if you leave the screendoor closed but the main door open, you are stupid in thinking it will be enough to stop a robber, and if you only use a metal plated door, you are stupid in thinking it will stop the terminator. CAPTCHAs have never really worked, even to the new image and text combo ones, i saw that came close once, but it was based on a few QA style system, so not 1 or 2 but 3 or 4 questions about the person just like when you call a phone bank service.

Anyways, the best way to really get security is with the secureid system, i have used and see its enormous advantage, the ID switches every so often, so even if you know the main password, you need the id to add the last part to concatenate to the rest. However, how many people log unto a website are able to have a system like that that can be verified other then companies giving their employees these. In this situation, I would say, make ticket sales phone based only. If this is something that is time sensitive and that in order to avoid one guy getting all the tickets based on a software that runs, then make it phone based only.

If you have a website ECommerce site, and it is used to sell products, the person logging to buy up all your products only makes you more money, but tickets is not in the same league as let's say buying a laptop or iphone off the internet. People are not too lazy that calling by phone will get them a secured ticket, but then again it would fall on ticketmaster to handle to cost of the phone lines...
which is something they want to avoid, unless they invest almost the same amount in R&D for a better system then what they got...either way, I guess I wont be going to see Metallica anytime soon.

Re:Why is it illegal?

[somersault]

Well, if the supermarket doesn't just buy up "a whole bunch of coffee" but is basically waiting at the pier when the ship loaded with coffee arrives and buys all of it although they only needed 0.1% of it for themselves then it is dishonest and they're clearly trying to exploit others.

What are you talking about? Their job is to sell stuff. If they can sell 100% of it, then they need 100% of it.

Also, this is a classic case of where "voting with your money" just doesn't work because the profit margins and the demand are both so high that even if you could get say, 80% of the prospective customers to agree not to buy from scalpers you'd still be looking at them selling a boatload of tickets

That is people voting with their money. If they are stupid enough to value the tickets to a live concert so highly, then that in fact shows the "real" value of the tickets to the fans.

Re:Why is it illegal?

[EastCoastSurfer]

You missed the point. The scalper did you a service by even giving you the chance to see the concert. If there were no scalpers and every ticket sold was legit then there would be no tickets on ebay and your action of missing the ticket sale means you have zero options to attend.

Would you prefer that the concert simply have been priced at the scalpers prices from the get go? At least that way there might be some tickets left when you finally got around to checking the box office.

Re:there's a small town in the mountains

[Aquitaine]

>> understand the illegality yet?

No.

>> , and so some people like you can't appreciate their evil up front.

Good thing we have you around to protect us from ourselves!

This is mickey mouse Econ 101 stuff. The only way your scenario ends in 'people starve' is if there is only one supplier of flour (i.e. flour is controlled by a monopoly). Even libertarians (many of us, anyway) agree that monopolies have to be treated a little differently, at least in cases where the nebulous 'public good' is involved -- typically infrastructure or telecom where you have private companies gaining access to both public and private land and need some oversight.

This is certainly not the case with your flour example, though let's give you a pass on the analogy since someone else can make more-or-less identical flour, which is tough to do with a Springsteen concert.

There are a variety of methods for ticket sellers to combat scalping, and a variety of reasons (which vary by state and country) which often restrict a vendor from selling the same product at two different prices based on the buyer. For example, ticketmaster can charge me $100 for an orchestra seat and $60 for a balcony seat, but (AFIAK) they can't charge me $100 for an orchestra seat but then make my buddy pay $140 for another orchestra seat at the same time; they can raise all their prices or have 'early bird discounts' but those things affect all transactions. They can only sub-divide on a limited scale, e.g. 'American express discount' or other things which apply to fairly large groups but not individuals. So you have a certain degree of rigidity that is being forced on the market, since there are clearly some people who would pay $200 for an orchestra seat, but pricing all their orchestra seats at $200 would never fly -- so they sell them to scalpers who can turn around and sell them at whatever price they want through a variety of outlets. Those prices can change every day (we'd never put up with Ticketmaster doing that) because there are effectively multiple small markets as opposed to a single larger one.

As for whether or not all this should be legal, the practical reality is that it's very tough to eradicate when you have a static, tiered market that actually wants to behave like a funnel. You'd pretty much have to mandate that tickets be linked to the actual person attending at the time of purchase, which means no resales, no gifts, no last-minute 'oh crap i can't go who wants to buy my ticket?' A simple, free-market solution would be to give somebody a 'lock-in' ticket price in which they could voluntarily tie the ticket to themselves (non-transferable) and get a lower price - that would cut into the scalping market quite a lot. I'd guess that it isn't legal to do as the ability to re-sell something that you've bought is usually quite well protected, but that's a question for the law and not a free market criticism.

Re:Why is it illegal?

[twidarkling]

You missed the point. The scalper did you a service by even giving you the chance to see the concert. If there were no scalpers and every ticket sold was legit then there would be no tickets on ebay and your action of missing the ticket sale means you have zero options to attend.

Logical fallacy present. You're assuming tickets would have sold at the same rate whether scalpers were present or not. This is pretty laughable (appeal to ridicule *points and laughs* ). If there wasn't monetary interests being indulged, you'd have much slower movement of tickets by people with legitimate interests involved. This is patently obvious simply because there's fewer people involved. Scalpers create *artificial* demand. They are the antithesis of free market. After all, they don't care if they sell ALL their tickets, just that they make a profit, so the more they buy, the higher they can set *their* per ticket price, and the fewer overall they'd have to sell. Scalpers don't provide a service, they break the system.

Re:What a lot of work.

[Ambiguous+Puzuma]

What I want to know is, why was a few hundred thousand reCAPTCHA challenges enough to have a reasonable chance of getting a duplicate? Shouldn't the number of possible challenges be several orders of magnitude higher to discourage this kind of attack?

Re:What a lot of work.

[Scratch-O-Matic]

The problem is that the CAPTCHA approach is flawed. Any similar type of challenge-response system can be abused for illegal activity.

I met a guy who was a pilot in Vietnam. They had (and still have) a system where everyone carries a card with a grid of numbers and letters on it, and you can authenticate someone over the radio by picking a couple spots on the grid and they respond with, for example, the character adjacent to them. Well, he forgot his card one day and was queried by a controlling agency using the authentication card. He told them to stand by, switched frequencies, and issued the same challenge to another agency. They responded, and he switched back and passed it along to successfully authenticate himself.