Ever since the US giant Ticketmaster canceled ticket sales for Taylor Swift's Eras Tour due to intense bot attacks, companies have been working hard to address the issue of human customers competing with internet programs for digital goods.
During Swift's highly anticipated 2023 US stadium tour, Ticketmaster faced "extraordinarily high demands on ticketing systems and insufficient remaining ticket inventory to meet that demand."
Following 3.5 billion requests, the website repeatedly crashed, with bot attacks compromising "the predictability and reliability" of Ticketmaster’s pre-sale process.
Bots have been around for so long that it seems like major tech giants have already learned how to properly deal with them. They are used to flood websites with previously unseen amounts of traffic or snatch digital goods faster than humans to then resell those items at a higher price.
Sam Crowther, founder and CEO of anti-bot cybersecurity company Kasada, sees the bot problem as a widespread phenomenon, an incoming tsunami wave of disruption that needs to be prevented. We fired up a call to discuss the latest developments concerning bots and how companies can best position themselves to deal with such attacks.
Walks us through the latest Ticketmaster/Taylor Swift incident. What happened there?
There are many people who want Swift tickets, and they're prepared to pay a lot of money. Right. So it's in the classic same as when you may buy Adidas sneakers or whatnot. But Ticketmaster tried to put some measures in place to prevent this. They tried to make fans sign up for accounts that had email verification and gave them sort of preferential access.
However, the people building the bots knew this because there's a lot of money to be made. So the approach they took was to sign up for as many accounts as possible, millions and millions of accounts. So probably, the bot consumers actually outweighed the real ones. And as soon as the email lands in the inbox that the tickets are for sale, every single one of these bots fires up. Goes straight to the Ticketmaster website, hits “add to cart,” and tries to purchase one of these tickets. Websites usually break from that. And I think that's exactly what happened, they just did not realize with how much force all of the bots were going to arrive on top of all of the consumers, which led to a pretty horrendous fallout.
How come big corporations are still unprepared for such incidents?
One of the biggest problems is actually admitting it's a difficult problem to solve. And this is very much what we see where it may sound simple enough, right? We're familiar with things like CAPTCHA. We have some experience with anti-fraud in this world, so people sort of assume that you shove those two things together and the problem is solved. But the reality is that while an organization may take months to implement something to make a difference, a bot developer can build and release and build and release like four different versions of their bot in a single day.
And so it's a very unfair cost model, right, where you just have people who can move so quickly that organizations actually can't keep up. So even if they are aware of how big the problem is, if you have 100 people against you who are all building and releasing constantly, that's a very difficult game and a very expensive game to play.
Ticketmaster announced it is planning to roll out tickets for the upcoming Beyonce concert in three waves to avoid a similar situation. Would that help solve the bots problem?
It's unlikely. If the waves are full of bots, the bots will still get the tickets.
How do bot attacks generally work?
What almost all of these bots aim to do is mimic the same thing a human would do. Most of them use Chrome. And what the developers will typically do is go through your sign-up process and record all of those actions. Google Chrome actually has a feature where it will convert those actions straight into code for you to repeat in the browser. And they just sort of modify it slightly, change the email address. It's all done by literally just mimicking human actions, and the skill required nowadays to do this is quite low.
You have previously stated that better enforcement of the BOTS Act [introduced in the US House of Representatives in February 2015 and signed by President Barack Obama in 2016] is not a solution for online companies. What is that act, and why wouldn’t it help?
It stands for better online ticket sales. And they started it back in 2016, saying it's a step in the right direction for creating more online ticket sales. The legislation has two major parts. The act firstly outlaws the circumvention of security measures, which enforces ticket purchase limits for an event with an attendance capacity of over 200 people. And then, it prohibits the sale of an event ticket that was obtained through a violation of the first part of the act if the seller knew of the circumvention.
Well, clearly, it's had no impact. I will say, given that it's been around since 2016 like this, there are kind of two problems. Well, even in force. Let's take out how difficult enforcement is and how difficult it is to find people doing this because it's very, very easy to cover your tracks. This is kind of two other problems. One. Everyone else is doing it, so I'm less likely to get in trouble, right. In the same way, you know, driving down a highway and everyone's speeding. Cool. Everyone, everyone's doing it. The cops are going to pull one person over. The flip side is just the money they make.
The Taylor Swift form was an extreme example where they paid a few hundred bucks for tickets and were selling them for thousands of dollars. You don't need to do that too many times to actually make this worth the risk of getting in trouble. You manage to secure 30 or 40 tickets, and you've probably got half a year's salary.
How much money do cybercriminals make off of similar shows via bots, and what is their business model?
Some of the more organized groups are making hundreds of thousands of dollars in profit a year. The most extreme case we've seen, they were pushing like four or 500 grand a month across quite a few different retailers. Their business model is “where can I pay a dollar for something and sell it for ten or more?” That's literally it. And so that means that they are widespread, in that there's a lot of areas they can do this ticketing, especially when there are no physical goods involved.
Then why are these people not persecuted? Why is it so hard to capture them?
They may not even be US citizens, right? They can get access to an Internet connection in America, and that's really all that they need. Most of these folks are just so good at covering their tracks. It genuinely will be very, very difficult to go and find them, and honestly, not worth it.
According to you, only a dynamic – not static approach – would allow retailers to counter the bot threat. What would such an approach look like?
Yeah, so that sort of leads back to what I said earlier, where you have organizations that can take months to do a single thing. A single thing. I'm sure getting email verification on Ticketmaster took ages to build for that platform. Right. But you have bots who can change things every day. So what's specifically meant by that is around companies putting together their defenses, they need to consider: how easily can we change key things that bots may start exploiting that we have no idea exist to minimize the impact? And that same goes for folks that they work with.
And that's a big pitch for us, is that we know one of the best ways to disincentivize people is to be able to change what they're attacking all the time. So it becomes something they have to maintain versus something that they said and forget. And obviously, the more maintenance that goes into it, the higher the cost is. Eventually, there is a point where the resale value is no longer worth it. And so they will just go away.
This is probably going to sound very dramatic, but bots ruin everything, everything they touch. There is some way that they're going to cause damage. And I think we as people were never, ever designed to be on an Internet where we are interacting with and competing against things that are not human. And that is the opposite of what the Internet was made for and is actually meant to be. It's a bad place for companies to do business.
Obviously, it impacts them negatively, hurts their margins, their consumer experience, and it's kind of their problem. It's their responsibility to make sure that they're creating environments where bots are not ruining it for everyone. And I think the more companies that have these major sales publicly where their websites are going offline, where they're getting major consumer backlash, the more impact this will have.
More from Cybernews:
Subscribe to our newsletter