You don't defend at the web, you defend in the courtroom and bank.
I assume it's too expensive or the ticket sellers don't actually care, they just want to think they care.
The alternative is selling the tickets to scalpers which doesn't seem ethically better or better at community building as compared to directly selling it to fans.
Even if you assign tickets to IDs scalpers will sell access to bots instead to capture the delta between market price and the price the ticket is being sold for.
Make the scalping bastards choke on it, and break FOMO all at once.
Or do what airlines do and you need to declare who is using the ticket. Maybe allow exchange for up to 50% of a party.
Then the scalpers can't win but there is still a DOS problem to solve.
Maybe a card auth -> reserve seats -> complete txn flow would help there. The card auth rate limits the amount of unbooked but temporary reserved tickets.
discussed in TFA
> Or do what airlines do and you need to declare who is using the ticket
ditto
I’m not convinced cards are a significant barrier. People already get tons of credit cards for the signup bonuses and perks, and you can get prepaid cards pretty easily. Temporary card numbers are a thing too. There are logistical challenges in getting a lot of cards in the buying pool but I don’t think they’re insurmountable.
This problem mostly exists in the Swift concerts that sell out in four minutes before the internet explodes with people complaining the website never loaded for them. I'm sure "might harm sales" really won't be a problem for those concerts.
If you wanna be even more strict: You could allow up to X companions, but they must not have signed up with their own account (so they don’t have an advantage for doing so). And they must provide their ID before the event as well and arrive as a single party.
First of all, this remains a hassle in most countries, since handling a national identity number (if such a number exists at all) is restricted by law. Even in some countries that do not legally restrict collection or storage of identity numbers (AFAIK the US does not restrict private sector usage of SSNs), there is rarely wide acceptance of providing your identity number for any purpose other than official government services and financial institutions. This means that in most cases, the event organizer has to resort to more traditional methods of KYC: Requesting some personal details (e.g. full name and birth date) and requiring to present an identity document that carries the details above. Verifying the identity document adds slows down entrance lines and increases the cost.
The other issue with this method is privacy. You're still not breaking the suggested BAP (Bots-resistance/Accessibility/Privacy) theorem suggested by the article. Additional personal information has to be collected and stored until the time of the event.
But I believe there is a way out of this. You can still create a limited resource that is more restricted than phone numbers or credit card numbers, and can be optionally verified at the venue cheaply. The only problem is that would require cooperation from the government (and a great deal of effort if you want to make it perfect). The government needs to already have an online digital KYC method that is bound to your digital ID or an online government account. Then the government can use that method to provide an anonymous federated login that provides a unique ID that cannot be traced back to any national identity number. This is essentially how Sign in with Apple works with "Hide My Email" selected: No personally identifying claims are included in the Open ID Connect ID Token and "sub" is unique (per Apple user + 3rd party service combination), but not traceable back to the the original Apple identity. Unique identities can also become ad-hoc per-event (instead of per ticket provider), which makes them completely private (ticket providers cannot track users across multiple events).
At described above, this service still only provides a limited resource akin to phone numbers. For events where the profit margin from ticket scalping exceeds $100, you could still get some scalpers who'd convince collaborators to identify in with their government account and buy tickets for the scalper for $20 per ticket. If you can get 5 tickets per ID, that's $100 of easy money for 5 minutes of work. You can add simple and fast verification at the venue by requiring the users to generate a QR code that is tied to their unique ID at the venue in order to enter. The QR code cannot be generated in advance and is based on a challenge QR that is presented at the venue. This requires collaborators would have to physically come to the venue or be available at the time the scalper's agents come to redeem the paper tickets at the venue. With a QR code generation and check directly at the gate, scalping is completely impossible (at the cost of longer lines and less entrance flexibility). With printed tickets the scalper needs to send agents to physically collect the tickets and communicate with the collaborators (who need to be available at the day of the event to generate the QR codes remotely) — which greatly inflates the cost of scalping.
Even when you get governments to cooperate with this approach, there are still some holes with this approach. The first issue is that eKYC needs to become popular enough to avoid a large loss in sales. The second issue is raising awareness with regards to privacy-preserving eKYC vs. regular eKYC. This two services look very similar (you log-in with your government account or ID to prove your identity), but the scope of the information shared couldn't be more different. Normalizing eKYC carries the risk of people becoming careless about divulging private information. Luckily, this could easily be solved by governments restricting private sector parties to which full eKYC is provided based on their callback domain names and registered credentials (like OAuth client ID and client secret).
The last problem is the probably the most complex one to tackle: how would you accommodate tourists? After all a lot of the venues sell a large share (or even the majority) of their tickets to tourists. I can think of two possible answers.
The first approach is to fall back to a manual passport-based KYC process for tourists. Tourist ticket buyers would have to enter their name and passport number in advance and the passports would be verified in person at the venue. This can be slightly sped up with automatic passport scanners if the venue has a high volume of visitors that warrants the costs. This approach seems to be where China is going: the resident ID card is used for entrance to many places and even for buying railway tickets, but tourists just use their passports. This works well when the percentage of tourists is low, but at a venue which expects a high number of tourists you'll run into all the issues I've described above.
The other option is probably more of a pipe dream, but it would be nice if countries could issue a temporary (and restricted) eKYC account to visitors when they complete their ETA. Even countries without ETA can still offer a pre-registration system just for obtaining an eKYC account in advance. This eKYC account can be used to purchase tickets in the destination country in advance, but it would only be activated for generating gate QR codes when physically entering the country with the matching passport. The main limitation of this approach is that you must first obtain an ETA before purchasing tickets, but you'd usually already have concrete travel plans by the time you're purchasing the tickets.
Just saying ...
If the profit per successful abuse event is $200, the author's suggestion of limits on credit card numbers or phone numbers won't work either. Those are only effective against scaled abuse up to something like $1 / event. Bank accounts would almost certainly be more robust, but that seems quite hard to implement outside of a handful of countries where the online auth ecosystem is built around banks.
With generic abuse background, but not knowing anything about the ticketing abuse ecosystem, is doing the sales on a first-come-first-serve basis an absolute necessity from a business perspective? There would be a lot more tools available if the problem was reframed from "decide instantly whether to sell this buyer a ticket" to "decide which 10k of these 100k intents of purchase received during the first 24h to sell the tickets to". And by more tools, I mean offline analysis and clustering, not just a lottery.
(You'd still want to combine that with strongly personalized tickets though. It'd be how you address for bots-as-a-service, not how you address buying tickets to resell.)
> Of course it also harms real buyers who want to go to a concert with a +1 but do not yet know who they will bring.
So, for example, everyone pays $0.01 on their credit card, or does a holding charge on their credit card, or registers their identity. All in a 5 minute (or 1 day!) window. And then after the window, tickets are randomly distributed amongst every card which so registered.
You could check multiple things - phone and card and Government ID if necessary (lowering the privacy).
This also feels fairer and less stressful - instead of a lottery based on your internet access, or ability to run lots of browsers at once.
This feels harder for scalpers to do to me, as they need more fake identities, but I'd be curious about the actual ratios when trying it. What goes wrong?
Another one I predict is that you can't buy digitally. For examples, the Lewes fireworks display you have to buy tickets in person in a bookshop in Lewes. Doesn't help if you make a digital ticketing system though!
And if your ID doesn't match the ticket, you don't get in.
It's successful in keeping tickets in the hands of families and fans instead of resale.
Why?
I also imagine that as an event promoter, being able to say some variation of "Another sold out show", or "Tickets sold out within seconds" creates pressure for buying early for all future events.
It also takes active planned work to implement these solutions. And if they have a monopoly, they have no incentive to do that work.
Removes all the uncertainty and risk and puts it on the scalpers.
which is just such a lack of imagination for what we are capable of, both in terms of progress and irrationality.
Does the number of keys need to scale? If $1 buys a key for life, and signing can be easily automated why would it stop bots?
Now that tickets are all electronic and the ticket sellers operate secondary markets there is no "face value" anymore and pricing is dynamic. Not all tickets are released at once and many are offered at "platinum" prices at first.
All through the 60's, 70's, 80's, 90's and 00's concert tickets were around $40-$50 in 2025 dollars, now that is just the service charge. Just go on eBay and look at some ticket stubs then put the price / date into the CPI calculator.
It turns out that the bands couldn't beat the scalpers so they became the scalpers, charging outrageous prices with the assistance of the ticketing companies.
So stopping bots isn't as important as it was when CAPTCHAs were effective, since there is a lot less money on the table for professional scalpers to capture.
For example, there could be an API for e-mail providers to tell services that an address belongs to a human. The provider would need to implement methods to verify the user's humanity, so you wouldn't need to give every online service your personal info, only your humanity provider that vouches for you. Something like SSL certificate hierarchies could be used to ensure that smaller providers aren't vouching for bots, i.e. you have a root CA that signs their certificates, and if it's found that they don't actually do what they are supposed to do, the certificate isn't renewed. This added with some actual costs to get those certificates would give them an incentive not to lie.
I know some people complain about this not being "private," but let's be real. If you purchase anything from any online website, they have your home address, your phone number, your real name as printed on your credit card, and there is a non-zero chance that some moron stored your credit card number in plain text in a MySQL database. It's always going to be safer to trust PayPal than some random website with this information. Why not do the same with human identity?
Finally, if you can't sign up with any humanity provider for some reason, just make the process extremely annoying and limited. For example, if you have 100 tickets to sell, reserve 90 for people that can prove they are human and leave only 10 for potential bots, then implement a lengthy process for those users so that's not worth it for the bots. If 90% of the tickets are already purchased by people, it will be less profitable for scrapers already.
most of traffic is from mobile devices anyways. they have biometrics (e.g. Apple FaceID, fingerprint). they also have DeviceCheck (Apple Hardware + Apple servers) integrity checks of device/binary that is making requests. it is also free and private.
why using this technology is not part of conversation? seems like utmost strongest guarantees and perfect fit?
Are you claiming that owners of websites have to purchase laptops for their website visitors?
And are you claiming that Apple has worser privacy than Android? or ... holdon, there is nothing else (Huawei is out of the question, and MSFT/Symbian does not exist anymore)
this is crazy talk. what are you even saying?
Stop selling online.
Sell the tickets at a small number of locations near and including the venue, with cashiers empowered to deny suspicious transactions.
Could someone put together a small army of smurfs to buy up all the tickets in major cities? Sure. Could someone have someone on the inside sell them a block of tickets against policy? Sure. We can handle these cases on a locale by locale basis with a convenience trade off that seems appropriate to the place.
Don't let perfect be the enemy of the good, and even worse, don't let overwrought privacy-invading and non-accessible digital solutions (that create a playing field tilted towards bad actors equipped with AI tools) be the enemy of a dead simple analog real-world one that leverages our best reputation management system: ourselves.
You can also just do like The Cure did and destroy the secondary market entirely: you can sell tickets through the platform and only for what you paid for them.
If they would simply sell tickets for the prices people are willing to pay in the first place then they wouldn't need to invade privacy or any of this stuff. I've heard the arguments they use to justify why they don't and they're all hogwash.
twitter sells blue checks for $8/mo and it's full of bots
rendx•6h ago
For a ticket platform like pretix that can be run self-hosted alongside the main site, this should give you enough signals to discriminate between normal users and bots, unless they are specifically targeting that site, or am I mistaken? Even just pure web server access logs may be sufficient on smaller sites so this might work even without JS?
jsnell•6h ago
Doing any kind of access pattern analysis leaves you with the problem of handling false positives, and your proposal doesn't help with the accessibility problems.
IP addresses aren't a panacea here -- this is a high margin business where the attackers can switch to high cost / high quality proxies.
> unless they are specifically targeting that site
In this case the attackers would very specifically be targeting specific sites (ones selling tickets to events with more demand than supply).