What do Colorado Rockies fans, music lovers, and parents with young daughters caught up in the Hannah Montana craze have in common? They've all recently endured the frustration of being unable to buy event tickets through online ticketing systems, an experience often accompanied by smashed keyboards and the shouting of expletives.
Organizations that choose to sell tickets online often do so in the interest of fair access, but industry experts say online ticketing systems have weaknesses that are easy to manipulate. By using bots, or software that automates the process of buying tickets online, brokers can buy up mass quantities of tickets and re-list them on auction sites for prices well in excess of face value.
A relatively recent wrinkle is the ability for bots to get around captchas, which commonly take the form of squiggly text strings that Websites use in online ticketing forms to prevent abuse of the system.
John Harig, director of ticketing for the Cincinnati Arts Association, has seen firsthand the effectiveness of this tactic, which enables site visitors to open multiple connections and not only buy more tickets, but also keep other users from accessing the system.
"I've had shows where nearly all our inventory has been grabbed by a handful of visitors. They don't necessarily buy the tickets, but what they're doing is preventing other people from buying them," said Harig.
In the absence of laws to curb this practice, the people who develop bots for circumventing online ticketing systems have free reign, although that may soon change.
TicketMaster, which estimates that bots are responsible for about 80 percent of requests to online ticket systems, earlier this month obtained a preliminary federal court injunction against RMG Technologies, a Pittsburgh, Pa.-based solution provider, for selling software that allows ticket brokers to skirt the protection mechanisms for its online ticketing systems.
RMG, whose Website lists a wide variety of software development, IT consulting, and Web development services, also operates ticketbrokertools.com. Company officials couldn't be reached for comment.
Mark Loveless, senior security researcher at Vernier Networks, Mountain View, Calif., says the rise of online ticketing bots is similar to an arms race. "You've got this software that needs to be faster, because the ticket scalper competition's software is getting faster, and as a result you need to get a fatter pipe, or run the bots on more PCs," said Loveless, also known as 'Simple Nomad'.
The scourge of ticketing bots can be counteracted somewhat by monitoring the origin of traffic to ticketing systems, says Greg Hanchin, principal at Dirsec, a Centennial, Colo.-based security integrator. "If I get a flood of more than a thousand requests a minute from one IP address or range of addresses, I can shut them down for a period of time," he said.
But a more effective way of dealing with the traffic flood that bots create is to implement a "grid-like" architecture that allows additional server capacity to be plugged in to prevent online ticketing systems from being crippled when traffic spikes, said Hanchin.
The cat-and-mouse game between online ticketing companies and ticket brokers is likely to intensify as more participants join the fray, predicts Hanchin.
"Ticket brokers aren't the only ones involved -- anyone with a bit of scripting knowledge and a high speed connection can work the system to their advantage," he said.