
Beating bad bots & restoring fairness to ticketing

Bad bots make the internet a fundamentally unfair place. Nowhere is this more clear than during ticketing onsales. Online ticketing organizations have found themselves on the front lines of the battle against bad bots.

Consider that one bot operator alone scooped up 1,012 tickets to a concert in 1 minute. Frustrated fans are forced to resale sites where margins can exceed 1,000% of face value. Some performers have gone to extreme lengths to remove bad bots from their onsales, including taking ticketing totally offline.

At Distil Networks and Queue-it, we think there’s a better way to bring fairness to ticketing. It is possible to keep ticketing in the 21st century while ensuring tickets get in the hands of true fans.

Stakeholders from politicians to musicians to fan alliances are clamoring for fairness in online ticketing. Organizations that don’t forcefully battle bots do so at their own peril.

We believe that ticketing organizations can and should be the leading defense in the fight against malicious bots.

In this guide, we’ll:

• Distinguish between good and bad bots
• Expose the worst of the next-generation bots
• Reveal how bad bots target online ticketing
• Cover the legislative landscape around ticketing bots
• Share best practices on how to beat bad bots


Are all bots bad? Distinguishing between good bots and bad bots

Good bots

Bots are constantly at work behind the scenes making our digital lives run smoothly. They populate our news feeds, tell us the weather, provide stock quotes, and help us comparison shop.

Many bots are beneficial to a well-running website. Crawler bots index sites for Google and other search engines, determining search rankings. Fetcher bots create previews of site content for mobile devices and social media platforms. And site monitoring bots alert administrators when a website isn’t running as it should.

Bad bots

Unfortunately, for every “good” bot, there is a “bad” one lurking around the corner, ready to do damage. Bad actors use these online bots to disrupt, manipulate, steal, and impersonate.

Bad bots are a problem faced by every business with an online presence. Every website, mobile app, and the APIs that power them are attacked by bots around the clock. While some bots are welcomed by businesses, the nefarious bots, which are unwanted and dangerous to the success of the organization, account for 21.8% of all web traffic.

How do bad bots disrupt ticketing?

Ticketing companies are in a constant war against bots. The continual barrage of bots creates a consistent set of business problems, including unauthorized scraping, seat spinning, scalping, inventory checking, fan account takeover, ticket theft, and fraud. Each of these problems alone is enough to have a significant impact on the customer experience of real fans and ultimately the reputation of the ticketing platform. But collectively, these bot activities can add up to a significant headache for the business and especially the IT team, and left unaddressed may lead to poor website performance and even downtime. At the heart of the bot problem is the ticketing website and mobile app. This is the online home for all event information which is presented for customers to make purchase decisions, including seat availability at different pricing tiers, payment processes, and different methods of delivery for purchased tickets.

According to the annual Bad Bot Report released by Distil Networks, only 57.8% of web traffic is actual humans—the rest are bots.

For simplicity, ticketing websites can be thought of as having three distinct areas:

• Specific event information: including venue, pricing, date & time, and payment process.

• Seat map: showing availability of inventory.

• Customer account pages: accessed using credentials; these store purchased tickets, loyalty points, and personally identifiable information.

Regardless of the specific technical structure of the website, consistent problems plague all ticketing platforms in the shape of bots. In general, they are launched from five main groups of bot operators:

1. Bot Operators: Brokers
2. Bot Operators: Individual Scalpers
3. Bot Operators: Hospitality Agencies
4. Bot Operators: Corporations
5. Bot Operators: Criminals

How do bad bots impact your ticketing business?

Online ticketing organizations have to deal with many stakeholders, from fans to venues, promoters to politicians. All are united in the push to banish bots from the ticketing ecosystem.

Artists in particular have taken an increasingly active role in how ticketing is run for their shows. Artists above all stand to lose face if the ticket-buying process seems unfairly rigged. Many are fed up. Some performers are going to extreme lengths to stop bots. The band Nine Inch Nails, for example, abandoned all online ticket sales in favor of in-person lines. Online ticketing companies were simply left out in the cold.

“The promise of a world made better by computers and online connectivity has failed us in many ways, particularly when it comes to ticketing. Everything about the process sucks and everyone loses except the reseller.” Trent Reznor, lead musician of Nine Inch Nails


Artists wield a lot of power. They have the power to say “this event has no value without me” if their specifications aren’t met. It’s no wonder, then, that bot mitigation is steadily being stipulated in requirements for ticketing contracts.

Artists are eager to be seen as taking a stand against ticketing bots and promoting fairness.

Venues often face the harshest scrutiny, yet both the bot problem and its solution may rest with your technology partner. That is why you have to be vocal about the partner you pick and make sure they are out in front of the bots and capable of handling the threats bots represent.

Simply put, the strength of your bot protection could make or break the deal for your next major event.

What legislative actions have been taken, and how have they fared?

The BOTS Act of 2016

Online ticketing bots have been around for at least 20 years. But it’s only in the last 5 years that governments have begun targeting bots with legislation.

In 2016, the U.S. Congress passed the BOTS Act. It made it illegal to buy tickets to events by evading security measures and breaking purchasing rules set up by the ticket issuer. It also banned the resale of such illegally-bought tickets.

Until this point, though, the BOTS Act’s bark has been worse than its bite.


The Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement since the BOTS Act’s passage. And even when the law was passed, the Congressional Budget Office judged it unlikely that any enforcement would take place.

Scalping under scrutiny

The BOTS Act does signal, however, that unfair ticket scalping is under scrutiny. The public is incensed about the issue, and lawmakers around the globe have taken note. Governments in the U.K.; Ontario Province, Canada; and New South Wales, Australia all passed legislation in 2017 banning ticketing bots. The E.U. followed suit in 2019. And there is some reason to believe public outcry will lead to action against bot operators. In 2017, for example, the State Attorney General of New York announced a $4.19 million settlement with six companies that used bots to buy tickets.

But, so long as there exists a resale market where markups of over 1,000% are possible, rent-seeking bad actors will fill the void to take advantage.

Indeed, the U.S. ticket resale market alone has ballooned to $5 billion. The financial incentive is simply too strong and the threat of legal action too weak to stop malicious bot operators.

What’s more, in such a rapidly-evolving space, legislation becomes outdated as soon as it’s passed. The BOTS Act, for example, doesn’t appear to apply to people who purchase tickets where they’ve only used bots to reserve the tickets. The newest iteration of bots will continue to outpace and outmaneuver the legal roadblocks.


“CBO estimates that [revenues from civil penalties] would be insignificant because of the small number of cases that the agency would probably pursue.” (Source)


It’s clear that the ticketing industry cannot rely on legislation to solve the ticketing bot problem. Ticketing companies are responsible for providing sufficient preventative measures to block the bots. And companies that aren’t perceived as doing enough to battle bots are playing with fire. Public outrage can quickly turn on such organizations, and potential legal actions can follow in its footsteps.

Ticketing organizations are best positioned to adapt to the constantly evolving bot threat. The onus remains on venues, ticketing organizations, and online platforms to defend against malicious bots during online ticket sales.

How to beat bad bots?

Practical tips - Distil Networks

1. BLOCK OR CAPTCHA OUTDATED USER AGENTS/BROWSERS We recommend you block or CAPTCHA the following browser versions:

2. BLOCK KNOWN HOSTING PROVIDERS AND PROXY SERVICES Block these data centers:


3. BLOCK ALL ACCESS POINTS Be sure to protect exposed APIs and mobile apps—not just your website—and share blocking information between systems wherever possible. Protecting your website does little good if backdoor paths remain open.

4. CAREFULLY EVALUATE TRAFFIC SOURCES Monitor traffic sources carefully. Do any have high bounce rates? Do you see lower conversion rates from certain traffic sources? They can be signs of bot traffic.

5. INVESTIGATE TRAFFIC SPIKES Traffic spikes appear to be a great win for your business. But can you find a clear, specific source for the spike? One that is unexplained can be a sign of bad bot activity.

6. MONITOR FOR FAILED LOGIN ATTEMPTS Define your failed login attempt baseline, then monitor for anomalies or spikes. Set up alerts so you’re automatically notified if any occur. Advanced “low and slow” attacks don’t trigger user or session-level alerts, so be sure to set global thresholds.

7. PAY CLOSE ATTENTION TO PUBLIC DATA BREACHES Newly stolen credentials are more likely to still be active. When large breaches occur anywhere, expect bad bots to run those credentials against your site with increased frequency.

8. EVALUATE A BOT MITIGATION SOLUTION The bot problem is an arms race. Bad actors are working hard every day to attack websites across the globe. The tools used constantly evolve, traffic patterns and sources shift, and advanced bots can even mimic human behavior. Hackers using bots to target your site are distributed around the world, and their incentives are high. In early bot attack days you could protect your site with a few tweaks; this report shows that those days are long gone. Today it’s almost impossible to keep up with all of the threats on your own. Your defenses need to evolve as fast as the threats, and to do that you need dedicated support from a team of experts.

Bot mitigation plans

Bot operators use sophisticated methods of attack. Defenses need to be just as sophisticated. What this means in practice is a combination of tools tailored to bots’ diverse attack vectors.


Account creation and takeover

Bots run credential cracking and credential stuffing attacks to identify which pairs of usernames and passwords gain access to any accounts.

Credential cracking attempts, where the bot is programmed to try “common” passwords with stolen email addresses in what is known as a ‘dictionary attack’, are typically low and slow and occur consistently around the clock.

Credential stuffing is when a criminal runs a list of stolen paired credentials against sites around the world hoping to gain access, and is volumetric in nature. These attacks are spiky and short-lived, but if they are large enough they can cause slowdowns or downtime due to the demands placed on the backend database during repeated authentication attempts.

The typical range of volumetric account takeover attacks is 2-3 per month as reported in research from Distil’s Research Lab, The Anatomy of Account Takeover Attacks. Because the vast majority of stolen credentials fail during a credential stuffing attack, it is sensible to conclude that any sudden spike of traffic to the login page combined with a higher than normal failed login rate is an indicator of account takeover attempts by bots.
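The two signals described in this section and in tip 6 above, a per-account rule that low-and-slow cracking slips under and the global window thresholds that expose both it and a volumetric stuffing spike with an elevated failure rate, as an added example that is not code from the guide; the log format, the constructed sample lines and every threshold are assumptions:

```python
"""Failed-login monitoring over constructed auth lines (added example, not the guide's code; format and thresholds assumed)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Sample 'timestamp user ip result' lines (constructed, not real traffic)."""
    base, lines = datetime(2024, 3, 1, 10, 0), []
    for i in range(12):  # normal fans: one login per 5 min, a typo on every 4th attempt
        res = "FAIL" if i % 4 == 0 else "OK"
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} fan{i} 198.51.100.{i} {res}")
    for i in range(8):  # low and slow dictionary attack: one guess per 7 min, fresh account each time
        lines.append(f"{(base + timedelta(minutes=7 * i + 1)).isoformat()} victim{i} 203.0.113.{i} FAIL")
    for i in range(25):  # credential stuffing burst: 25 leaked pairs in 50 s from one IP, 2 succeed
        res = "OK" if i in (3, 17) else "FAIL"
        lines.append(f"{(base + timedelta(minutes=30, seconds=2 * i)).isoformat()} leaked{i} 192.0.2.9 {res}")
    return "\n".join(lines)

def parse_log(text):
    """Return sorted (timestamp, user, ip, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return sorted(events)

def per_account_alerts(events, max_fails=5):
    """Conventional per-account rule: fires only when one account fails more than max_fails times."""
    fails = Counter(user for _, user, _, ok in events if not ok)
    return {user for user, n in fails.items() if n > max_fails}

def window_stats(events, window_min=10):
    """Bucket attempts into fixed windows -> {window_start: [attempts, failures]}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, _, _, ok in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_min, second=0, microsecond=0)
        stats[start][0] += 1
        stats[start][1] += 0 if ok else 1
    return dict(stats)

def global_alerts(events, window_min=10, baseline_attempts=4, baseline_fail_rate=0.25,
                  spike=3.0, slow_factor=1.5):
    """Global thresholds: a window with >= spike x baseline attempts AND an above-baseline failure
    rate is credential stuffing; failures summed over the other windows expose low-and-slow cracking."""
    stats = window_stats(events, window_min)
    stuffing, quiet_fails = [], 0
    for start, (attempts, fails) in sorted(stats.items()):
        if attempts >= spike * baseline_attempts and fails / attempts > baseline_fail_rate:
            stuffing.append(start)
        else:
            quiet_fails += fails
    expected = baseline_attempts * baseline_fail_rate * (len(stats) - len(stuffing))
    return {"stuffing_windows": [s.isoformat() for s in stuffing],
            "quiet_window_failures": quiet_fails,
            "low_and_slow": quiet_fails > slow_factor * expected}
```

On the constructed sample, per_account_alerts returns nothing because no account fails more than once, while global_alerts flags the 10:30 window as stuffing and the remaining windows' failures as low-and-slow.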

Speed and volume during onsales

During the onsale itself, bot attacks have two facets: speed and volume.


Scripted bots use their speed advantage to blow by human users. A bot can easily reach the checkout page in the time that it could take a fan to type his or her email address.

Bot operators use this lightning speed across several browsers to circumvent per-customer ticket limits. A single bot can open 100 windows and simultaneously proceed to the checkout page in all of them, coming away with a huge volume of tickets.

By combining superhuman speed with sheer volume, bot operators effortlessly reserve hundreds of tickets as soon as the onsale starts.

A ticket bot reserving and purchasing multiple sets of tickets.

A virtual waiting room like Queue-it serves to neutralize these two advantages.

Bots that arrive before the onsale starts are placed in a pre-queue together with legitimate users. When the event launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.

Queue-it can also identify when multiple requests come from the same device, as each user is assigned a queue ID. Over 50% of blocked bots are attempting to simulate real users on a massive scale from one IP address.

Ticketing organizations can pair Google’s CAPTCHA technology with the virtual waiting room. And they can also require visitors to enter known data, such as a membership number, to enter the virtual waiting room. Combining known data like this makes impersonating real users exceptionally complex and is a powerful way of combating bots.
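A small model of the pre-queue randomisation, per-device queue IDs and same-IP detection described above, as an added example that is not Queue-it's code; the queue ID scheme, the per-IP limit and the constructed onsale scenario are assumptions:

```python
"""Virtual waiting room model: an added example, not Queue-it's code. Names, the queue ID
scheme and the limits are assumptions."""
import random
import secrets
from collections import defaultdict

class WaitingRoom:
    def __init__(self, max_ids_per_ip=5, seed=None):
        self.max_ids_per_ip = max_ids_per_ip
        self.rng = random.Random(seed)   # seeded only to make the demo repeatable
        self.prequeue, self.order = [], []  # pre-onsale arrivals; final admission order
        self.ids_per_ip, self.known = defaultdict(set), set()
        self.launched = False

    def arrive(self, ip, queue_id=None):
        """A request with a known queue ID keeps its place (one entry per device, the ID
        lives in a cookie); any other request is a new device and is minted a fresh ID."""
        if queue_id in self.known:
            return queue_id
        queue_id = secrets.token_hex(8)
        self.known.add(queue_id)
        self.ids_per_ip[ip].add(queue_id)
        (self.order if self.launched else self.prequeue).append(queue_id)
        return queue_id

    def launch(self):
        """Onsale starts: the pre-queue is shuffled, so arriving hours early or hitting the
        page milliseconds after start earns nothing; later arrivals queue behind it."""
        self.rng.shuffle(self.prequeue)
        self.order = self.prequeue + self.order
        self.launched = True

    def position(self, queue_id):
        return self.order.index(queue_id) + 1

    def suspicious_ips(self):
        """IPs that minted more queue IDs than a household plausibly would (the guide says
        over half of blocked bots fake many users from one address)."""
        return {ip for ip, ids in self.ids_per_ip.items() if len(ids) > self.max_ids_per_ip}

def simulate(seed=7):
    """Constructed onsale: 50 fans from distinct IPs, then a bot opening 100 windows from
    one IP just before launch, then one fan arriving after launch."""
    room = WaitingRoom(seed=seed)
    fans = [room.arrive(f"198.51.100.{i}") for i in range(50)]
    windows = [room.arrive("203.0.113.7") for _ in range(100)]
    assert room.arrive("203.0.113.7", windows[0]) == windows[0]  # reload: no extra entry
    room.launch()
    late = room.arrive("198.51.100.99")
    return {"entries": len(room.order),
            "shuffled": room.order[:150] != fans + windows,
            "bot_mean_position": sum(map(room.position, windows)) / 100,
            "late_position": room.position(late),
            "suspicious_ips": room.suspicious_ips()}
```

The bot's 100 windows still hold 100 of the first 150 places, which is why the randomised queue is paired with the per-IP check and with CAPTCHA or known-data gates rather than used alone.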


Credit card fraud and exceeding purchase limits

Credit card fraud is a constant problem for any ecommerce business and ticketing platforms are no different. Card-not-present transactions are necessary but lead to an increase in options for criminals attempting to commit fraud using stolen or incomplete credit card details. Bots are used to run carding and card cracking scams. Any increase in customer complaints about account lockouts or increase in credit card fraud is a good indicator of the presence of malicious bots. Reducing the total volume of bot traffic on the website or mobile app typically lowers the amount of attempted automated fraud during transactions.

Banish the bots and bring back fairness

Ticketing was the first industry to suffer the plague of bots. And given the fortunes that successful bot operators can make, ticketing bots aren’t going away anytime soon.

Politicians are bowing to pressure from public outcry and have passed anti-bot legislation. But such legislation is rarely enforced and rapidly outdated. As a venue, organization, or ticketing software platform, you can’t rely on legal enforcement to solve the problem. And with public outcry over ticketing bots at a boiling point, organizations that don’t take the problem seriously do so at their own peril.

Next-generation bots are more sophisticated and innovative than ever. Scalpers will continue to shift tactics to stay one step ahead of bot legislation and bot prevention tactics.

Following the practical tips outlined in this guide will help bolster bot defenses. But to truly keep the bots at bay, you need a best-in-breed, combined bot mitigation solution. One that is tailored to the unique angles of attack during each stage of the ticket-buying process gives the best chance of achieving successful, bot-free onsales.
