A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.
By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.
In the lawsuit, AXS said brokers are delivering “counterfeit” tickets to “unsuspecting consumers,” and that they are “created, in whole or in part by one or more of the Defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform.” The lawsuit accuses these services of hacking and states that AXS does not know how they are doing it. But the tickets themselves are often not counterfeit at all, and in the vast majority of cases, they scan as genuine.
Two security researchers we spoke to reverse engineered how Ticketmaster generates ticket barcodes and showed how scalpers can generate genuine tickets for concerts themselves. The system that works for Ticketmaster is also likely to work for AXS tickets, which use similar “rotating barcodes” that change every few seconds. After one of the researchers published their findings in February, they were approached by brokers and were asked to build ticket transfer services for them.
Am I understanding this right that the scalper buys a legit ticket to extract the token, then it can be used any number of times to get in a venue? I thought their system should be able to identify a token/ticket has already been scanned after it’s first used? That’s why there are no re-entry rules at most venues.
I don’t think the intent of the scalpers is to allow ticket reuse. Like you say, there are likely additional checks at the gate when a bar code is scanned. If a rotating barcode is cloned, only the first person to scan is going to get in. Everyone else who tries to use a clone of that now-used barcode is going to get denied entry because the door staff’s scanner is going to throw a “ticket already used” error of some kind. So while it’s technically possible to clone one of these rotating barcodes, just like it’s possible to have multiple authenticators producing the same OTPs, there’s no point in doing so.
What the scalpers are after is a platform that allows them to resell tickets without giving TicketMaster a cut. TicketMaster allows their rotating-bardcode tickets to be transferred to a wallet app like Google Wallet. Wallet apps like Google Wallet have features to allow you to transfer tickets to another user’s wallet, but the wallet specification also includes a flag for whether wallet-to-wallet transfers are allowed. TicketMaster sets that flag so you cannot give (or sell) your ticket to someone else using your own wallet, instead you have to go through something that TicketMaster controls. For transfers to friends and family, TicketMaster forces you to use their app. For reselling tickets, TicketMaster forces you to use their reselling site. TicketMaster’s primary motive is obvious: they want to take a cut of ticket resales, and this is how they do that.
The whole thing is a legal fight between two utterly shitty groups, TicketMaster and scalpers. Here’s hoping they somehow both lose.
The whole thing is a legal fight between two utterly shitty groups, TicketMaster and scalpers. Here’s hoping they somehow both lose.
That was my take. On the one hand, fuck TicketMaster. But on the other hand, fuck scalpers. I wish venues would only allow a max of like 20 tickets being sold to any one entity. That way Ticket Master dies and scalpers are only able to make a little bit of money.
