Scalpers Have Reverse-Engineered Ticketmaster’s ‘Non-Transferable’ Tickets

A new media report from 404 Media details how scalpers have reverse-engineered Ticketmaster's 'non-transferable' tickets—what is going on with live ticketing?

A new report from 404 Media details how scalpers have reverse-engineered Ticketmaster’s ‘non-transferable’ tickets, highlighting a major issue in the live ticketing industry.

A lawsuit filed by AXS in a California court has brought this matter to light, revealing the techniques used by scalpers to circumvent anti-scalping measures. According to 404 Media, scalpers have cracked the code behind these tickets, enabling them to generate entry barcodes on parallel infrastructure under their control. These tickets can then be sold and transferred to unsuspecting customers who believe they are purchasing legitimate resold tickets.

"Scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control," 404 Media reports. "In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS."

The lawsuit, reviewed by the media outlet, alleges that scalpers are delivering counterfeit tickets to these customers, "created, in whole or in part by one or more of the defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform." The lawsuit accuses these scalper services of hacking but states that AXS does not know how they are doing it.

In the vast majority of cases, these tickets scan as genuine at the venue’s gates, allowing a counterfeit ticket inside. 404 Media spoke with two security researchers who reverse-engineered the Ticketmaster barcode generation process, showcasing how these scalpers are able to rip-off genuine tickets.

Both Ticketmaster and AXS use a system of rotating barcodes to keep the ticket fresh and unable to be transferred. You can't take a screenshot of this ticket and enter the venue, as the barcode changes every few seconds.

One of the security researchers published his findings on his blog in February and was later approached by ticket scalpers who asked him to build a ticket transfer system. Scalpers host these tickets on their own websites and apps, sharing links to them with their unknowing customers and avoiding popular secondary marketplaces.

The case highlights that scalpers have found a way to circumvent the anti-scalping mechanisms that ticketing giants like Ticketmaster and AXS are employing. Non-transferable tickets usually cannot be transferred from one Ticketmaster account to another; this process bypasses that step entirely.

The lawsuit was discovered by fans of DJ Fred Again who were concerned that their ticket purchases were not legitimate. The lawsuit is filed by AXS against an entity calling itself 'secure.tickets,' but also includes several other supposed ticket scalper brokers.

"At least two of the defendants have also represented to customers that they are using AXS's proprietary technology to sell, resell, deliver, or transfer tickets, when they are in fact circumventing AXS technology," the lawsuit reads. "Defendants operate in the shadows of the internet. In some instances, defendants have gone to great lengths to conceal their identities."

How Did Scalpers Reverse Engineer SafeTix?

The security researcher's blog post about the process reveals that the process of generating the tickets works essentially like two-factor authentication. Ticketmaster shares a secret, unique token with the ticket purchaser. This token can be used to generate a new ticket every fifteen seconds based on the time of day. Extracting this unique token from the Ticketmaster app or desktop website means it can be exported to a third-party platform and treated like a genuine ticket.

"[The] token string is the ticket, as far as the venue staff at the gates are concerned," the researcher writes. "[The token can be used to] generate valid PDF417 barcodes, indistinguishable from the official Ticketmaster app. Short of checking photo IDs at the entry gate, the venue staff can't tell whether the person at the gate is the same person who the ticket is registered to on Ticketmaster."

Checking references to secure.tickets on websites like reddit reveals a bevvy of fans who are concerned about the tickets.

「我的兩張門票上都有藍色的移動條碼，但我讀到，從技術上講我並不擁有它們，賣家可能會轉售相同的連結？這個節目需要飛機、火車和汽車，所以我無法出現帶著假票到場館，」一篇詢問該服務的帖子中寫道。評論中的人們確認他們從該服務購買了門票，並且門票是「合法的」——這意味著他們在登機口工作。另一位寫道：「這些門票是合法的。Secure.Tickets 是真實存在的。」

在Reddit 上詢問Blink-182 門票的粉絲詢問了購買過程的粗略性質，稱他們是在StubHub 上購買的。 「我剛買了一些門票就上了這艘船。我收到了來自Secure Tickets 的電子郵件，其中包含我的門票的Secure Tickets（不是Ticketmaster）鏈接。門票上有一個帶有來回移動的藍線的條碼。

The above is the detailed content of Scalpers Have Reverse-Engineered Ticketmaster’s ‘Non-Transferable’ Tickets. For more information, please follow other related articles on the PHP Chinese website!