Here Comes Bot Season (Part II)
Concert season means a battle between butts in seats and bots in seats… continued
By Don Duncan, Security Engineer, NuData Security
In my last post, we discussed the bulk purchasing of concert seats by bots, and the legislation that is being passed by Congress to combat the issue. This week we pick up from that point.
In Nov 2016, New York passed bill S.8123/A.10713 banning the use of bots for ticket purchases.
“[New York Governor] Cuomo called the use of ticket bots ‘predatory,’ and New York Attorney General Eric Schneiderman said he believes the law ‘will go a long way to finally bringing sanity — and fairness — to the ticket buying process.’” – The Verge
Combined with the federal Better Online Ticket Sales (BOTS) Act we discussed last time, the move towards legislation is a positive step. It echoes the voice of consumers and artists who have had enough. In an ironic twist, Elton John, who has been against ticket purchasing bots in the past, calling them “disgraceful,” recently experienced a ticketing bot issue for a Victoria, BC concert. The tickets for the upcoming March 11th and 12th shows sold out extremely quickly, only to be resold online for twice as much.
Other high-profile artists who’ve been vocal against bots include Adele, Miley Cyrus, Tom Petty, Louis C.K., Bruce Springsteen, Eric Church, Lin-Manuel Miranda, and Neil Diamond. These artists likely know that upset fans will hurt their brand image.
Criminalizing the use of automation software for the purchasing of tickets in bulk is a step in the right direction, and we would hope that it would end there. But it won’t. There will always be attempts to circumvent the law; we only need to look at the massive increase in breaches and cybercrime in recent years, with the number of records lost now a hairsbreadth from 6 billion and continuing to grow. NuData found that fraudulent automation attempts on large merchants within its client base were up 400% this past holiday season. While legislation is a start, it is unlikely to be the only key to eliminating bot-buying activity.
The best bot-spray isn’t legislation. The key to preventing bad bot activity is understanding it. A bot can be a computer script that has been written to masquerade as one or many people at the same time. Security and fraud prevention systems must be able to determine, for example, whether ‘Don the ticket-buyer’ is the genuine human ‘Don’ or something, or someone, pretending to be Don.
Bots and automation scripts allow brokers to purchase tickets in high volumes within a short period. Automation detection is already deployed in many large e-commerce companies and financial institutions. Using passive behavioral biometrics systems, these organizations can accurately identify users and tell the difference between a human and a bot.
Ticket sales are a fast-paced business with high volumes. The last thing you want to do is introduce any delay or slowness into the buying process. Or worse, leave a lifelong fan out in the cold. And while the real fans are being left high and dry, the bots are being treated like real people in the authentication process because both bots and humans receive the same security experience. Behavioral analytics has the power to stop this by detecting automation without any significant delay or friction to good users.
The combination of the legislative approach, awareness, and good dynamic multi-factor protection like passive biometrics is an answer to the summer bot season of 2017.