How ticket-scalping bots steal all those 'Hamilton' seats you desperately wanted
LatestEver tried to see your favorite band or show but find you can’t because the prices are insane? In part, it’s because some creeps with computers stole all the best seats and are selling them back to you at eye-watering prices. That’s right: you’re at war with a bot.
The problem bots pose to people just trying to enjoy a moderately-priced night out has come more sharply into the public eye ever since bot-fueled mania pushed the price of tickets for the obscure Broadway play Hamilton into levels that required either a place on the Forbes billionaire list or the pawning of all your worldly goods just to get in.
A bill in the Senate being promoted by Hamilton creator Lin-Manuel Miranda would ramp up the penalties for those using automated computer processes (aka bots!) to buy up tickets to concerts, shows and sporting events for resale. That could help act as a deterrent, but there has been a long-running arms race between ticket sites and bots since tickets first started being sold on the Internet, and a new law might just raise the stakes.
But how exactly do bots manage to trick ticket-sellers? And what are ticket companies and other concerned citizens doing to fight back? Let’s go through it step by step.
First off, where do these bots come from? Many are used by ticket brokers that, at least in Hamilton‘s case, can sometimes make thousands more than the value of a ticket. Out of six ticket brokers that recently settled with the New York State attorney general for breaking the state’s resale laws, five were found to be using bots. Those are just the ones that the state was able to prosecute. Many of the bots originate outside the U.S., which makes identifying the operators tricky.
Once a bot is up and running, it operates a lot like an autonomous web browser. Think of it as a self-driving version of Firefox or Chrome. Both a person using a computer and a bot get sent the same file with the same code when visiting a ticket website, but whereas an internet browser interprets that file and displays the webpage, a bot just looks at the raw code. If you want to see a website the way a bot would see it, you can do this in most browsers by right-clicking on a web page and selecting “view source.” For example, the Fusion home page looks something like this.
The bot has to be able to read through that word salad, understand it, and find the code for the buttons a human would click on to add tickets to a cart and then check out. Buttons on webpages are just links to URLs that sometimes send information as well, so the bot just replicates that behavior to get through the ticket-buying process.
On a website with no anti-bot protections, that’s about all that happens. Using its operator’s credit or debit card, the bot buys tickets, then buys tickets again, then buys tickets again. From the ticket-seller’s perspective, it’s just another user with a web browser, albeit an enthusiastic one.
But there are safeguards that the bigger ticket sites use to detect and stop bots.
They can be as simple as reducing the number of tickets any single customer can buy so it becomes harder for a bot to raid all the seats at a show or concert. Bot programmers take that into account by varying their IP address and using multiple credit/debit cards to create the illusion that a single bot is actually multiple customers.
The more complicated protection ticket-sellers use is a CAPTCHA, which is the super-simple acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.” If that sounds confusing, all you need to remember is “test to tell computers and humans apart.” You may have seen these on websites that involve sensitive information or purchases. Oftentimes they will display words in a strange font and ask you to retype them, or they’ll ask you to write out the answer to a simple math problem.
Bots are best at reading text, so having an image file with weirdly-written words as a CAPTCHA makes it harder for a simple bot to understand what it’s supposed to do. And while a bot can solve “4 + 4” in nanoseconds, knowing it needs to write out “eight” as an answer is harder.
Or at least it used to be. Programmers have gotten more skilled at slipping past CAPTCHAs. Sometimes that’s as simple as enlisting a network of humans to manually type in CAPTCHA answers. CAPTCHA farms in countries like India have existed for years and pay workers extremely low rates to be a bot’s CAPTCHA-breaker. And image recognition technology has come a long way in recent years and bots are getting better at understanding those sorts of CAPTCHAs on their own.
You may have seen a new sort of CAPTCHA in the last year or so where a website gives you a group of images and asked you to select all the ones that fit a common theme. The most common one of these is Google’s own reCAPTCHA.
In order for a bot to defeat this CAPTCHA, it needs to understand that the form is asking you for a pie, what several different types of pies look like from a variety of angles and be able to identify them from nine different photos, to say nothing of the intricacies of the quiche-pie debate.
It’s not impossible though. Using humans and CAPTCHA farms to solve the problem still works and there are other, more technical, ways around it as well as well.
This is why bots have been a problem since tickets were first online and will remain a problem into the future. It seems as though the more protections that come out to stop the bots, the faster programmers come up with new iterations that adapt to those protections.
Maybe with the resources of federal law enforcement, bot operators will run out of room to operate. Kind of like the 2003 CAN-SPAM Act signed by President Bush ended unsolicited advertisement on the Internet forever, right? Maybe I’m wrong, but I don’t think ticket bots are going anywhere anytime soon. And that means that you are still not getting into Hamilton.