Battling bots in the ticketing industry: how best to stymie the scalpers

Battling bots in the ticketing industry: how best to stymie the scalpers

By Antoine Vastel, Head of Research at global cybersecurity company DataDome

Nowadays, almost all businesses have an online platform. Within the ecommerce industry, online sites are constructed to provide a seamless shopping experience, providing easy access to hot items. Within the ticketing sector, offering a user-friendly experience for ticket purchases is key, particularly for in-demand shows. Yet, these sites often lack effective protection against malicious lurking bots, which alarmingly now make up 30% of all internet traffic. The troves of customer data and potential to capitalise on flash sales and ticket launches are tempting targets for fraudulent online attacks.

Enter the scalper bot: harnessed by malicious actors to target ticket or product releases and snatch them up faster than humans, selling them on at highly inflated prices. This summer, scalpers stormed the presale queue of Taylor’s 2024 Era’s tour with almost 40,000 fans facing crashing ticket sites and inflated resale prices. This scalper success is particularly alarming given bots succeeded despite the ‘Verified Fan’ presale, established to protect against bots following the previous Ticketmaster fiasco for Taylor’s US tour back in November 2022.

The success rate of these scalper attacks – alongside the financial gain of scalping – will motivate increasing numbers of bad bot attacks over the next few years.This is alarming; recent Datadome research found that 66% of UK websites tested were unprotected against simple bot attacks, highlighting companies’ widespread vulnerability. This poor protection, combined with the growing level of bot sophistication highlights the urgent need for companies to invest more into defences against bot attacks, to avoid the financial and reputation impact of a successful attack.

Bot attack sophistication: scraping paves the way for scalping

Bot attacks are increasingly sophisticated, with bot programmers quick to adopt new technologies like AI and ML to enhance their attacks. Furthermore, these bots come in many forms, and businesses should fear more than just the scalper bots trawling their website. Paving the way for scalper bots are scraper bots, used by cybercriminals to extract data from a website, mobile app or API. They’re dangerous because they can collect information which acts as a gateway to more malicious activities.

Think of scraper bots like burglars assessing their opportunities: they’re peeking into windows, evaluating whether there are any goods worth stealing. Once they’ve confirmed the value of the goods, they can formulate a plan for entry and escape. On a ticketing site, scraper bots can be used to collect information, monitoring when in-demand tickets go on sale. This enables scalper bots to position themselves at the front of the queue and snatch-up tickets in large batches immediately when they go live, leaving customers frustrated and empty-handed.

Complex bot attacks target more than the ticketing industry. Retailers’ inability to defend against bots led to the huge shortage of PS5 consoles in 2020, where the majority of consoles were snapped up by scalper bots, and sold on for hugely inflated prices. Similarly, in 2021 & 2022, bots played a role in the GPU shortage.

Such attacks are widespread, and incredibly damaging for organisations. They disrupt the customer experience, and risk enormous reputational damage for the business. The emergence of scraping as a gateway threat highlights the increasingly sophisticated nature of bot attacks, thus the growing importance for companies to develop strong cybersecurity strategies to protect themselves.

Strong defence deters attacks

To sufficiently protect against bot attacks, online ticketing sites need more than just a presale or verified fan system. They must improve their online security and become vigilant to scraping and scalping attacks, and opt for a robust cyber strategy with real-time bot detection and prevention software.

Across all industries, robust cybersecurity strategies should include multiple anti-scalping measures. Implementing behavioural analysis, for example, enables sites to identify genuine human vs bot interactions. This is possible given bot behaviour differs to that of humans; bots typically race to target tickets or in-demand items, as opposed to the slower scrolling typical of human customers. Once bot behaviour is detected, additional bot detection and deflection methods can be activated.

Sites can also deploy browser or device fingerprinting, whereby websites collect information about a user’s browser or device type and version. This helps to identify bots, given that they use automated browsers or HTTP clients which differ when compared to humans’ non-automated browser activity. Identifying bots through their browser and device parameters increases chances of detection – and they can then be blocked.

Security interferes with the seamless customer experience

In some instances, security measures in place can disrupt user experience. For example, common CAPTCHAs are used to create challenges difficult enough to stop bots. However, CAPTCHAS also challenge real people, with frustrating test failures slowing down their browsing activity.

To reduce such friction, businesses can reduce the number of CAPTCHAs deployed by ensuring this defensive tactic is always a last resort. Instead, deploying purpose-built detection and mitigation software can reduce successful bot attacks and improve customer experience.

Bot attacks continue to disrupt the online world, leaving customers disappointed when desired items or tickets are scalped out of their hands and distressed when services are slowed by bot activity. Being outplayed by a bot and faced with crashing web pages is frustrating. One such experience damages reputation, but if businesses continue to poorly protect themselves more and more customers will be driven away.

Given that bots are more sophisticated than ever, protecting online sites is an imperative. Improving cybersecurity strategies to match the pace of bot evolution will enable continual protection, ensuring companies beat the bots and avoid the reputational and financial damage such attacks threaten.