Roboscalper 

The real reason you couldn't score U2 tickets? Turns out some of the buyers at Ticketmaster.com weren't human.

Page 4 of 7

But eventually, some of Mori's correspondents explained the utility of such optical character recognition to its inventor, as in the following e-mail:

Subject: Wow Great Job on your OCR program...... Could you make a program ?

Date: Tue, 01 Feb 2005 10:39:50 -0500

From: XXXXXX@aol.com

To: mori@cs.berkeley.edu

My dear friend just sent me this article and I am wondering. I own a ticket company that frequently buys tickets from Ticketmaster. There are a lot of brokers that have developed OCR programs and have automated the purchasing of tickets thru Ticketmaster and other venues directly.

Some can even have 4 process buying tickets on one computer at the same time.

Because quality tickets sell so fast we are being shut out by people who already have this soft ware or similar. I am not a programmer and I wondered how much would it cost to see if you could write something of this nature. Thank You

At first, Mori was besieged with hackers offering him up to $20,000 for his code. The numbers have since dwindled to a relative trickle, but he still gets a few every week. "I don't consider selling," he says. "Maybe it's my morals."

There are plenty of other people out there, however, who possess Mori's skills but not his ethics. They are doing business with scalpers who then use such programs to attack the Web sites of various corporations -- from ticket brokers, to e-mail providers, to financial services such as PayPal. The security firm Symantec reported last September that malevolent bots on the Net grew from 2,000 at the beginning of 2004 to more than 30,000 by June. "They basically have bots continually hitting Ticketmaster's server, asking if there are any front-row tickets available for Britney's next concert," Mori says. "They grab all the good seats and then resell them at a markup."

Jim Johnson has never interacted with Mori, but someone with similar skills contacted him in December of 2004. A doctoral student from Michigan e-mailed him an offer to sell such a program for $20,000, or for a monthly fee. Johnson says he has tested it and was satisfied, but won't pay up until the guy flies to California, installs it in person, and trains him how to use it. After all, $20,000 is a lot of capital for a small businessman to drop on a potential scammer out of the Midwest.

Still, scalping is his livelihood. Johnson never meant to make it his life's work, but he's a good organizer and planner, and scalping rewards such skills. He isn't one of those street hustlers out there in front of Warriors' games on cold nights with badly printed counterfeit tickets and no teeth, parking cars during tough times. And times are tough. U2 is the exception, not the rule.

If Johnson had used the hacker's program during the past half-hour, he might have scored rare seats worth thousands of dollars more. Could he increase his yield similarly by investing $20,000 in more traditional runners and contacts? He just isn't sure. In the meantime, he wonders, "Am I getting screwed here?"

Johnson might feel a bit more certain if he were to discuss the matter with a representative of Ticketmaster or Tickets.com, its biggest online rival. Officials with the two companies would grudgingly tell him that, yes, automated programs are trying to buy tickets on the Internet. They have been since the day tickets were first available online.

Tickets are a commodity and Tickets.com CEO Ron Bension says people will do anything to get their hands on something with this kind of markup, on the order of $15-$30 billion per year for scalpers worldwide. Bension has been dealing with bots buying up tickets on his Web site for years. In fact, his own company used bots to scour Ticketmaster's site for prices, until the industry titan sued Tickets.com in the late '90s and got it to stop.

These days, Bension says, Tickets.com receives bot attacks constantly and recently installed a character-recognition test similar to the one on the Ticketmaster Web site. Successful bot activity dropped by 90 percent, he adds, but some hackers are still getting in. "Every major broker has one, and they are innovating," he concedes.

Ticketmaster, the world's largest ticket agency and owner of one of the Internet's largest e-commerce sites, claims that it has the problem under control. Executive vice president David Goldberg says the ticketing giant is aware of bots attempting to penetrate its system, but says its character-recognition test keeps them out. If any get in, they can be detected in other ways that he prefers not to describe -- to preserve the secrecy of the methods. Goldberg adds, however, that Ticketmaster and other sites control the number of purchases that can be made per credit card or mailing address, as one method to control scalping. He says Ticketmaster also enforces ticket limits as low as two per credit card, and will reject orders from credit cards whose billing information doesn't match up with the shipping address. They also quietly sue people and refer cases to law enforcement, Goldberg says, but he declined to point to any such cases.

Although Goldberg is hesitant to reveal much about Ticketmaster's security measures, his competitor Bension spells out what any computer security expert will tell you. You can detect bots through their behavior patterns. For instance, if something is pinging a server one thousand times a second, it's not a person. Bots are persistent. Still, Bension knows Tickets.com is a step behind the scalpers. "We're in a nuclear war with these people, and we only have an edge for a moment," he says.

The world's most famous hacker, Kevin Mitnick -- who was jailed for hacking Sun Microsystems in the early '90s -- says Bension should be concerned. Bots are continually reprogrammed to look more and more human.

"What we have here is a question of verifying user authenticity, and there's no sure-fire way to do that with behavior analysis," Mitnick says. "I heard of bots playing poker with human opponents online and winning tens of thousands of dollars. The sucker never even knew. Something like ticket buying with built-in OCR wouldn't be that complicated."

Jim Johnson is behind the curve, but who locally could be ahead of it? Other scalpers are either tight-lipped or clueless. Maybe a dozen list themselves in the phone books as brokers, and the boldest advertisement belongs to San Francisco's Mr. Ticket. The agency's manager, who identified himself only as Richard, says he won't comment on or off the record about automatic scalping programs. "I'm not going to talk about that," he says after four phone calls, clearly annoyed. "That's like the colonel talking about what's in his secret recipe for fried chicken. What do I have to gain by talking about that?"

Another veteran scalper, who agreed to talk only if he were not identified by name, says scalper friends used bots against Ticketmaster until the deployment of that Web site's CAPTCHA. Since then, they have stopped, and he doubts it's worth it anyway. "Online buying is good for buying on a Tuesday for a Tuesday show that no one's going to go to," he said. "The best way to get tickets is to know a promoter, or someone else who can get you access."

Comments

Subscribe to this thread:

Add a comment

Anonymous and pseudonymous comments will be removed.

Latest in Feature

Author Archives

Most Popular Stories

Special Reports

The Beer Issue 2020

The Decade in Review

The events and trends that shaped the Teens.

Best of the East Bay

2020

© 2020 Telegraph Media    All Rights Reserved
Powered by Foundation