[HN Gopher] CAPTCHAs are over (in ticketing)
___________________________________________________________________
CAPTCHAs are over (in ticketing)
Author : pabs3
Score : 92 points
Date : 2025-05-25 00:37 UTC (22 hours ago)
(HTM) web link (behind.pretix.eu)
(TXT) w3m dump (behind.pretix.eu)
| rendx wrote:
| One option that I not see discussed in the blog post: Collecting
| user signals locally and using those access patterns (mouse
| movement, clicks, IP/site browsing history) to discriminate
| between "standard" site usage and bots; so like a "reCaptcha
| lite", not trained across many sites but trained specifically on
| the target.
|
| For a ticket platform like pretix that can be run self-hosted
| alongside the main site, this should give you enough signals to
| discriminate between normal users and bots, unless they are
| specifically targeting that site, or am I mistaken? Even just
| pure web server access logs may be sufficient on smaller sites so
| this might work even without JS?
| jsnell wrote:
| This seems pretty well covered by the post?
|
| Doing any kind of access pattern analysis leaves you with the
| problem of handling false positives, and your proposal doesn't
| help with the accessibility problems.
|
| IP addresses aren't a panacea here -- this is a high margin
| business where the attackers can switch to high cost / high
| quality proxies.
|
| > unless they are specifically targeting that site
|
| In this case the attackers would very specifically be targeting
| specific sites (ones selling tickets to events with more demand
| than supply).
| djoldman wrote:
| Unfortunately, the solution to something like this is more
| intense KYC and lawsuits.
|
| You don't defend at the web, you defend in the courtroom and
| bank.
|
| I assume it's too expensive or the ticket sellers don't actually
| care, they just want to think they care.
| devwastaken wrote:
| you defend at the ID system. anonymous cert chain ID fixes
| this. the u.s is defined by its fraudulent business and
| therefore no one in power wants it.
| charcircuit wrote:
| >Most organizers, including for-profit organizations, do not want
| to choose this option due to ethical concerns or concerns about
| community building.
|
| The alternative is selling the tickets to scalpers which doesn't
| seem ethically better or better at community building as compared
| to directly selling it to fans.
|
| Even if you assign tickets to IDs scalpers will sell access to
| bots instead to capture the delta between market price and the
| price the ticket is being sold for.
| DrillShopper wrote:
| Sell the tickets with a decreasing price - early tickets are
| very expensive, late tickets are not, and hold back between 10%
| and 20% until day of sale at the lowest price.
|
| Make the scalping bastards choke on it, and break FOMO all at
| once.
| debugnik wrote:
| But once tickets run out, the scalpers' price is the only
| price, and bots are better positioned to hold and time the
| market.
| nssnsjsjsjs wrote:
| What about limiting the number of tickets per card?
|
| Or do what airlines do and you need to declare who is using the
| ticket. Maybe allow exchange for up to 50% of a party.
|
| Then the scalpers can't win but there is still a DOS problem to
| solve.
|
| Maybe a card auth -> reserve seats -> complete txn flow would
| help there. The card auth rate limits the amount of unbooked but
| temporary reserved tickets.
| evertedsphere wrote:
| > What about limiting the number of tickets per card?
|
| discussed in TFA
|
| > Or do what airlines do and you need to declare who is using
| the ticket
|
| ditto
| smelendez wrote:
| Locking tickets to customers is hard, especially for venues
| with seats. The venue and artist want people in those seats --
| it looks better and they spend money on concessions, merch, and
| often parking. You can resell at the door, maybe, but then
| you're turning away paying customers who get stuck in traffic
| and show up late.
|
| I'm not convinced cards are a significant barrier. People
| already get tons of credit cards for the signup bonuses and
| perks, and you can get prepaid cards pretty easily. Temporary
| card numbers are a thing too. There are logistical challenges
| in getting a lot of cards in the buying pool but I don't think
| they're insurmountable.
| technion wrote:
| Concerts that are struggling with numbers shouldn't have a
| scalper problem though. If you want more people through the
| door, there are presumably base price tickets still for sale.
|
| This problem mostly exists in the Swift concerts that sell
| out in four minutes before the internet explodes with people
| complaining the website never loaded for them. I'm sure
| "might harm sales" really won't be a problem for those
| concerts.
| landl0rd wrote:
| I'd rather see bot resistance (important for everyone) and
| privacy (important for everyone) take precedence over
| accessibility (important for a small minority) and have laws
| change to reflect that.
| singpolyma3 wrote:
| I disagree that bot resistance is important to anyone, or even
| a reasonable goal for anyone at all. Bots are just users
| mikepurvis wrote:
| Bots are not just users in the battle against spam.
| singpolyma3 wrote:
| Then you want antispam not antibot
| rnmg wrote:
| Bots are users, but they aren't human users. I think it's
| fair to say that most web sites/apps value human users over
| bots (maybe that's wrong though?). But I think an argument
| can definitely be made the bot resistance is
| valuable/important to most people on the web.
| landl0rd wrote:
| Objectively a lack of bot-resistance can make the service
| unusable for everyone. Good examples include twitter, where
| interesting stuff gets flooded by spam DMs and indian payout
| farmers, and the mentioned ticketing example, where
| objectively a lack of resistance leads to rent-seeking
| middlemen scalping tickets.
|
| Similarly a lack of privacy hurts everyone.
|
| The question is basically "would you rather have an equally-
| shitty service for everyone in the name of egalitarianism or
| a good service for most?" This seems a really easy choice for
| me because I don't see egalitarianism/accessibility as a
| moral imperative.
| Matheus28 wrote:
| How about: each user creates an account with their legal ID.
| Obviously unique so they can't create multiple using the same ID.
| Before the sale, everyone signs up. Once the sale is started,
| tickets are distributed using a lottery system for the users who
| signed up (so refreshing like mad doesn't give any advantage).
| Can only buy up to 2 tickets per person (their own and an
| anonymous companion). ID must be shown and would be verified at
| entrance.
|
| If you wanna be even more strict: You could allow up to X
| companions, but they must not have signed up with their own
| account (so they don't have an advantage for doing so). And they
| must provide their ID before the event as well and arrive as a
| single party.
| arccy wrote:
| I think you just described something similar to the Japanese
| system
| AlienRobot wrote:
| I'm asked for ID on MercadoLivre and PayPal already, but I
| think it's for tax purposes. Never tried to create two accounts
| with the same tax ID.
| unscaled wrote:
| This addresses some of the hassle around buying multiple
| tickets, but does not address the inherent privacy issues. But
| there are still some problems.
|
| First of all, this remains a hassle in most countries, since
| handling a national identity number (if such a number exists at
| all) is restricted by law. Even in some countries that do not
| legally restrict collection or storage of identity numbers
| (AFAIK the US does not restrict private sector usage of SSNs),
| there is rarely wide acceptance of providing your identity
| number for any purpose other than official government services
| and financial institutions. This means that in most cases, the
| event organizer has to resort to more traditional methods of
| KYC: Requesting some personal details (e.g. full name and birth
| date) and requiring to present an identity document that
| carries the details above. Verifying the identity document adds
| slows down entrance lines and increases the cost.
|
| The other issue with this method is privacy. You're still not
| breaking the suggested BAP (Bots-
| resistance/Accessibility/Privacy) theorem suggested by the
| article. Additional personal information has to be collected
| and stored until the time of the event.
|
| But I believe there is a way out of this. You can still create
| a limited resource that is more restricted than phone numbers
| or credit card numbers, and can be optionally verified at the
| venue cheaply. The only problem is that would require
| cooperation from the government (and a great deal of effort if
| you want to make it perfect). The government needs to already
| have an online digital KYC method that is bound to your digital
| ID or an online government account. Then the government can use
| that method to provide an anonymous federated login that
| provides a unique ID that cannot be traced back to any national
| identity number. This is essentially how Sign in with Apple
| works with "Hide My Email" selected: No personally identifying
| claims are included in the Open ID Connect ID Token and "sub"
| is unique (per Apple user + 3rd party service combination), but
| not traceable back to the the original Apple identity. Unique
| identities can also become ad-hoc per-event (instead of per
| ticket provider), which makes them completely private (ticket
| providers cannot track users across multiple events).
|
| At described above, this service still only provides a limited
| resource akin to phone numbers. For events where the profit
| margin from ticket scalping exceeds $100, you could still get
| some scalpers who'd convince collaborators to identify in with
| their government account and buy tickets for the scalper for
| $20 per ticket. If you can get 5 tickets per ID, that's $100 of
| easy money for 5 minutes of work. You can add simple and fast
| verification at the venue by requiring the users to generate a
| QR code that is tied to their unique ID at the venue in order
| to enter. The QR code cannot be generated in advance and is
| based on a challenge QR that is presented at the venue. This
| requires collaborators would have to physically come to the
| venue or be available at the time the scalper's agents come to
| redeem the paper tickets at the venue. With a QR code
| generation and check directly at the gate, scalping is
| completely impossible (at the cost of longer lines and less
| entrance flexibility). With printed tickets the scalper needs
| to send agents to physically collect the tickets and
| communicate with the collaborators (who need to be available at
| the day of the event to generate the QR codes remotely) --
| which greatly inflates the cost of scalping.
|
| Even when you get governments to cooperate with this approach,
| there are still some holes with this approach. The first issue
| is that eKYC needs to become popular enough to avoid a large
| loss in sales. The second issue is raising awareness with
| regards to privacy-preserving eKYC vs. regular eKYC. This two
| services look very similar (you log-in with your government
| account or ID to prove your identity), but the scope of the
| information shared couldn't be more different. Normalizing eKYC
| carries the risk of people becoming careless about divulging
| private information. Luckily, this could easily be solved by
| governments restricting private sector parties to which full
| eKYC is provided based on their callback domain names and
| registered credentials (like OAuth client ID and client
| secret).
|
| The last problem is the probably the most complex one to
| tackle: how would you accommodate tourists? After all a lot of
| the venues sell a large share (or even the majority) of their
| tickets to tourists. I can think of two possible answers.
|
| The first approach is to fall back to a manual passport-based
| KYC process for tourists. Tourist ticket buyers would have to
| enter their name and passport number in advance and the
| passports would be verified in person at the venue. This can be
| slightly sped up with automatic passport scanners if the venue
| has a high volume of visitors that warrants the costs. This
| approach seems to be where China is going: the resident ID card
| is used for entrance to many places and even for buying railway
| tickets, but tourists just use their passports. This works well
| when the percentage of tourists is low, but at a venue which
| expects a high number of tourists you'll run into all the
| issues I've described above.
|
| The other option is probably more of a pipe dream, but it would
| be nice if countries could issue a temporary (and restricted)
| eKYC account to visitors when they complete their ETA. Even
| countries without ETA can still offer a pre-registration system
| just for obtaining an eKYC account in advance. This eKYC
| account can be used to purchase tickets in the destination
| country in advance, but it would only be activated for
| generating gate QR codes when physically entering the country
| with the matching passport. The main limitation of this
| approach is that you must first obtain an ETA before purchasing
| tickets, but you'd usually already have concrete travel plans
| by the time you're purchasing the tickets.
| gerdesj wrote:
| When I was a lad we bought tickets at a booth.
|
| Just saying ...
| jsnell wrote:
| > So what's left?
|
| If the profit per successful abuse event is $200, the author's
| suggestion of limits on credit card numbers or phone numbers
| won't work either. Those are only effective against scaled abuse
| up to something like $1 / event. Bank accounts would almost
| certainly be more robust, but that seems quite hard to implement
| outside of a handful of countries where the online auth ecosystem
| is built around banks.
|
| With generic abuse background, but not knowing anything about the
| ticketing abuse ecosystem, is doing the sales on a first-come-
| first-serve basis an absolute necessity from a business
| perspective? There would be a lot more tools available if the
| problem was reframed from "decide instantly whether to sell this
| buyer a ticket" to "decide which 10k of these 100k intents of
| purchase received during the first 24h to sell the tickets to".
| And by more tools, I mean offline analysis and clustering, not
| just a lottery.
|
| (You'd still want to combine that with strongly personalized
| tickets though. It'd be how you address for bots-as-a-service,
| not how you address buying tickets to resell.)
| thatguy0900 wrote:
| I could see an issue with that since most people are going to
| be going to events in a group, and won't want to go unless
| everyone gets their ticket. If I wanted to go with three
| people, do you lottery us as a group or individually? If I want
| to go with 5 people and there's a lottery, the best thing to do
| would be have multiple people buy 5 tickets each, multiply that
| by every group and you have a lot of people buying tickets who
| don't actully want them and people who only put one order in
| get shafted
| muti wrote:
| Require the intent to include ticket holder names/id and
| check it on entry to the venue, multiple intents for the same
| group can be deduplicated
| calcifer wrote:
| The article addresses that:
|
| > Of course it also harms real buyers who want to go to a
| concert with a +1 but do not yet know who they will bring.
| latentsea wrote:
| A lot of concerts in Japan work on a lottery. When you enter
| the lottery you can select for how many tickets up to a set
| maximum. If you get selected, you're obligated to pay and
| can't cancel. So... I imagine if you want to go as a group,
| one person puts in for the lottery and either everyone gets
| to go or no one does.
| zaik wrote:
| Sell at the economic equilibrium price (determined by auction)
| and whoever actually enters the venue receives the difference
| between the auction price and the desired price by the organizer
| in cash or maybe in form of a coupon for their next concert.
| Horffupolde wrote:
| That results in unbounded offers.
| zaik wrote:
| Sounds like an interesting situation! But I do see the flaw
| in my proposal now. It will select for the top-n richest
| customers, which kind of undermines the point of selling at a
| fixed price.
| mountainriver wrote:
| We just need better human verification, that's all, and the web
| depends on it
| frabcus wrote:
| The option that strikes me as missing, is making users pay a cost
| before they are randomly entered in a lottery for the ticket.
|
| So, for example, everyone pays $0.01 on their credit card, or
| does a holding charge on their credit card, or registers their
| identity. All in a 5 minute (or 1 day!) window. And then after
| the window, tickets are randomly distributed amongst every card
| which so registered.
|
| You could check multiple things - phone and card and Government
| ID if necessary (lowering the privacy).
|
| This also feels fairer and less stressful - instead of a lottery
| based on your internet access, or ability to run lots of browsers
| at once.
|
| This feels harder for scalpers to do to me, as they need more
| fake identities, but I'd be curious about the actual ratios when
| trying it. What goes wrong?
|
| Another one I predict is that you can't buy digitally. For
| examples, the Lewes fireworks display you have to buy tickets in
| person in a bookshop in Lewes. Doesn't help if you make a digital
| ticketing system though!
| Loughla wrote:
| The Savannah Bananas do that. You have to enter a lottery to
| buy tickets.
|
| And if your ID doesn't match the ticket, you don't get in.
|
| It's successful in keeping tickets in the hands of families and
| fans instead of resale.
| lurk2 wrote:
| Pearl Jam does something similar with annual membership in
| their fan club. Each concert has some designated seats set
| aside for members of the club, with the best seats going to
| the members with the longest consecutive subscriptions.
| Allowing the membership to lapse resets your priority level
| if you subscribe again.
| londons_explore wrote:
| I suspect the key thing is that the industry really _wants_
| scalpers, but must appear to act against them.
| clipsy wrote:
| > I suspect the key thing is that the industry really wants
| scalpers
|
| Why?
| chamakits wrote:
| Well at least one possible reason is that for live events,
| the company that has an effective monopoly is Live Nation.
| And they also own at least one of the platforms where
| scalpers sell their tickets; Ticketmaster.
|
| I also imagine that as an event promoter, being able to say
| some variation of "Another sold out show", or "Tickets sold
| out within seconds" creates pressure for buying early for
| all future events.
|
| It also takes active planned work to implement these
| solutions. And if they have a monopoly, they have no
| incentive to do that work.
| teeray wrote:
| Because Live Nation's fees are based on ticket price. That
| incentivizes them to drive prices and transaction volume as
| high as possible.
| mystified5016 wrote:
| It's more profitable and predictable for scalpers to
| immediately buy all tickets. The ticket seller doesn't care
| if the tickets are sold to fans that will attend, just that
| they're sold quickly and reliably and non-refundably. It's
| even better if tickets are sold to scalpers because some of
| those tickets might never be resold, which means the venue
| gets the ticket sale but pays none of the cost a real guest
| would incur.
|
| What matters is selling the ticket, getting a guest in the
| door is just expense.
| sokoloff wrote:
| Surely selling concessions, parking, and merch is a
| significant source of income for _someone_ associated
| with the concert, game, or other event.
| WesolyKubeczek wrote:
| Not the ticketing company's problem.
| const_cast wrote:
| We should make it their problem, by artists not selling
| tickets on those websites but instead using their own
| resources. Essentially vertical integration, so then you
| _have to_ care about the end-product and user experience.
| And, cherry on top, you might be able to charge more
| aggressive prices if you 're not paying the profit of the
| middle-man.
| edoceo wrote:
| Can't do that, contracts between venues and ticket vendor
| preclude non-blessed ticket sales. TicketMaster and
| LiveNation have boxed this out
| edoceo wrote:
| The way rents/expenses are, an $8 pint at your local has
| better margin than a $18 pint at the venue.
| londons_explore wrote:
| Actual cash income the moment the tickets go on sale.
|
| Removes all the uncertainty and risk and puts it on the
| scalpers.
| lurk2 wrote:
| This was my theory but there is a problem with it: Unless
| there is a constant churn of scalpers failing to turn a
| profit, the scalpers are presumably selling off their
| tickets at a profit. This means the market demand from
| individual purchasers exists, and the ticket sellers are
| just leaving money on the table by not raising their
| prices.
| structural wrote:
| 1. The initial price of the ticket serves as
| advertisement to get more people interested in the event
| than if it was advertised at the scalped price. Some
| fraction of the people will end up paying the higher
| price anyways, even if it was more than they intended to
| spend. The chance of "getting lucky" and getting a ticket
| at the low initial price is a powerful draw, especially
| if each buyer gets lucky a few times.
|
| 2. Are you sure the scalpers and the agency selling the
| original tickets are independent? Even if they are on
| paper, in many locations there is evidence of a local
| cartel.
|
| 3. The initial sales provide revenue up front to pay for
| the costs of the event, vendors, etc. This reduces the
| amount of cash reserves the seller needs, sometimes very
| dramatically.
|
| 4. Many scalped sales (used to be, not as much anymore)
| were cash transactions. This used to be used as a pretty
| significant tax dodge: Sell tickets for $50 face value to
| your affiliated scalper, pay tax on this sale, scalper
| sells tickets for $200 and does not pay tax on this
| secondary sale, or underreports the number of secondary
| tickets sold. Lots of shenanigans here to make your
| profitable scalping business look like it's making a
| small loss on paper.
|
| 5. Especially in the context of a local or regional
| cartel, each ticket sale represents the opportunity to
| move capital between entities. Physical tickets can be an
| effective vehicle for small-medium scale money
| laundering: Dirty money/entity buys the tickets, clean
| entity resells them.
|
| Basically as soon as you drop the assumption that the
| ticket sellers and scalpers aren't related in some way,
| there are a lot more profitable reasons for the ticket
| sellers to "leave money on the table".
| drob518 wrote:
| Bidding for tickets would cut out the scalpers and
| maximize revenue for the performers (and ticket
| agencies). So, if you want to go, pick your ticket class
| (rough area) and specify how much you're willing to pay.
| The ticket seller orders bids by value, taking the top
| ones first, and then allocates tickets. Anything unsold
| is offered as usual on a specified day. People that
| really want to go get to go and the performers benefit
| rather than the scalpers.
| lurk2 wrote:
| My understanding is that performers have shied away from
| this model because it results in less affluent fans being
| excluded. Lotteries are generally preferred. You could
| theoretically eliminate lottery scalping by making the
| tickets non-transferable, but I'm not sure how feasible
| that would be.
| nothrabannosir wrote:
| It's a hedge. Performers are not in the business of
| optimizing ROI, they're in the business of performing.
| Scalpers provide a service: guaranteed income for a fee.
| There are many analogous examples in other markets where
| both parties happily take their respective sides of this
| deal, even though _technically_ one of them is leaving
| money on the table.
|
| Then there is the slightly more insidious incentive:
| selling out quickly is in and of itself valuable for a
| performer: it makes them look popular and exclusive. That
| alone might just make it worth it altogether.
| drob518 wrote:
| Neither the performers (raises prices for fans artificially)
| or ticket agencies (leaves money on the table) want scalpers.
| abtinf wrote:
| To fight economics is to wage war on reality itself.
| itsanaccount wrote:
| i love the number of people who are wholly bought into this
| idea that capitalisms tokens warp reality itself. its the end
| of history too aint it?
|
| which is just such a lack of imagination for what we are
| capable of, both in terms of progress and irrationality.
| sanity wrote:
| A few months back I built a cryptographic alternative to CAPTCHAs
| called Ghost Keys[1] that uses a small donation as proof-of-
| humanity. For donating you get an anonymous keypair that works
| across services without repeated CAPTCHAs. The economic friction
| doesn't scale for bot operators, and donations fund our non-
| profit[2].
|
| [1] https://freenet.org/ghostkey/
|
| [2] https://freenet.org/
| DoctorOW wrote:
| > The economic friction doesn't scale for bot operators
|
| Does the number of keys need to scale? If $1 buys a key for
| life, and signing can be easily automated why would it stop
| bots?
| sanity wrote:
| Keys embed approximate timestamps, so services can set age
| limits. The system was designed for Freenet integration where
| reputation can be attached to keys - repeat abuse would
| degrade a key's public reputation over time.
| Retr0id wrote:
| In the event ticket situation, how does this change the
| economics compared to just adding $1 to the ticket price? (or
| whatever your minimum donation threshold is)
| hackingonempty wrote:
| The reality now is the ticket sellers and bands are the main
| scalpers and everyone else are now secondary scalpers.
|
| Now that tickets are all electronic and the ticket sellers
| operate secondary markets there is no "face value" anymore and
| pricing is dynamic. Not all tickets are released at once and many
| are offered at "platinum" prices at first.
|
| All through the 60's, 70's, 80's, 90's and 00's concert tickets
| were around $40-$50 in 2025 dollars, now that is just the service
| charge. Just go on eBay and look at some ticket stubs then put
| the price / date into the CPI calculator.
|
| It turns out that the bands couldn't beat the scalpers so they
| became the scalpers, charging outrageous prices with the
| assistance of the ticketing companies.
|
| So stopping bots isn't as important as it was when CAPTCHAs were
| effective, since there is a lot less money on the table for
| professional scalpers to capture.
| Spivak wrote:
| Concert tickets are still that low, you just can't go to
| stadium shows for supermassive artists at that price. A
| saturday night at a popular EDM venue with a 2k capacity
| headlining an artist with ~500k monthly listeners on Spotify
| will run you about $25 for the floor or $50 for VIP. A "sticky
| floor" bar venue ticket with a capacity of maybe 300 for an
| alt-z band with somewhere in the realm of 250k-3M monthly
| listeners on Spotify will run you about the same.
|
| Being up at the rails at a Girl in Red concert set me back $60
| at a 5k person venue. If you want to see supermassive artists
| for that kind of unit price you have to "buy bulk" and go to
| festivals.
| harrall wrote:
| Most of my concert tickets are still priced around $40
| inclusive, after taxes and fees, and from the likes of
| LiveNation, Etix, DICE, AXS, and so on.
|
| All my friends that complain about the rising cost of concerts
| tickets don't realize that they just see the same old bands
| year over year. These scrappy up and coming bands that they saw
| as a kid aren't scrappy anymore. That's why blink-182 can
| charge $700 for the pleasure and still sell out -- because most
| of their fans are in their late 20s or 30s, have disposable
| income, and number in the millions.
|
| Go to a $20 show for a band today and who knows, maybe they
| will charge you $700 in 20 years. Plus you can tell everyone
| that you saw them before it was cool. /s
| mc32 wrote:
| In some cases, but in most cases even well known bands that
| had been around had tickets that highschoolers could afford.
| Only a handful of bands were like triple the average and
| would have been the likes of Rolling Stones Springsteen and
| such, but aside from them, no, most well known bands were not
| selling tickets at ludicrous prices.
| harrall wrote:
| I might have given blink-182 as an extreme example but $80
| for tickets is still selling for a lot more than the $7
| cash at the door that I paid when I saw them in a tiny
| skate shop 10 years ago.
|
| Many bands don't make it all of course, but I can still pay
| $7 cash for shows today at that shop and some of them are
| going to be able to charge $80 in a few years.
| healthydyd wrote:
| Just sell paper tickets at specific type of shops: convenience
| stores and such. Use an ID.
| AlienRobot wrote:
| In my opinion the web is in dire need of a system of proof of
| humanity. This, together with a mixed system, could solve this
| sort of problem.
|
| For example, there could be an API for e-mail providers to tell
| services that an address belongs to a human. The provider would
| need to implement methods to verify the user's humanity, so you
| wouldn't need to give every online service your personal info,
| only your humanity provider that vouches for you. Something like
| SSL certificate hierarchies could be used to ensure that smaller
| providers aren't vouching for bots, i.e. you have a root CA that
| signs their certificates, and if it's found that they don't
| actually do what they are supposed to do, the certificate isn't
| renewed. This added with some actual costs to get those
| certificates would give them an incentive not to lie.
|
| I know some people complain about this not being "private," but
| let's be real. If you purchase anything from any online website,
| they have your home address, your phone number, your real name as
| printed on your credit card, and there is a non-zero chance that
| some moron stored your credit card number in plain text in a
| MySQL database. It's always going to be safer to trust PayPal
| than some random website with this information. Why not do the
| same with human identity?
|
| Finally, if you can't sign up with any humanity provider for some
| reason, just make the process extremely annoying and limited. For
| example, if you have 100 tickets to sell, reserve 90 for people
| that can prove they are human and leave only 10 for potential
| bots, then implement a lengthy process for those users so that's
| not worth it for the bots. If 90% of the tickets are already
| purchased by people, it will be less profitable for scrapers
| already.
| nikolayasdf123 wrote:
| how about on-device biometrics?
|
| most of traffic is from mobile devices anyways. they have
| biometrics (e.g. Apple FaceID, fingerprint). they also have
| DeviceCheck (Apple Hardware + Apple servers) integrity checks of
| device/binary that is making requests. it is also free and
| private.
|
| why using this technology is not part of conversation? seems like
| utmost strongest guarantees and perfect fit?
| moneywaters wrote:
| Yeah that's good solution
| politelemon wrote:
| It is not "free" as you must buy such a device, nor is it most
| of traffic, and its privacy is questionable. A solution to the
| problem area here needs to cater to people outside the HN echo
| chamber.
| nikolayasdf123 wrote:
| As a developer or website or app, I don't need to buy a
| device. User has to buy it, as it is theirs device. And
| chances are, they are on the iphone or other apple device
| already. And if not, they are on Android, which has
| comparable biometrics options.
|
| Are you claiming that owners of websites have to purchase
| laptops for their website visitors?
|
| And are you claiming that Apple has worser privacy than
| Android? or ... holdon, there is nothing else (Huawei is out
| of the question, and MSFT/Symbian does not exist anymore)
|
| this is crazy talk. what are you even saying?
| arp242 wrote:
| So how would this work in concrete terms? How will this stop
| bad-faith actors who will go out of their way to abuse/fake
| things? How does it solve the "BAP theorem"? You can't just
| sprinkle a term like "on-device biometrics" and declare that
| solves it.
| 1propionyl wrote:
| A lot of overwrought digital solutions here and not the obvious
| one:
|
| Stop selling online.
|
| Sell the tickets at a small number of locations near and
| including the venue, with cashiers empowered to deny suspicious
| transactions.
|
| Could someone put together a small army of smurfs to buy up all
| the tickets in major cities? Sure. Could someone have someone on
| the inside sell them a block of tickets against policy? Sure. We
| can handle these cases on a locale by locale basis with a
| convenience trade off that seems appropriate to the place.
|
| Don't let perfect be the enemy of the good, and even worse, don't
| let overwrought privacy-invading and non-accessible digital
| solutions (that create a playing field tilted towards bad actors
| equipped with AI tools) be the enemy of a dead simple analog
| real-world one that leverages our best reputation management
| system: ourselves.
| debugnik wrote:
| > Sell the tickets at a small number of locations near and
| including the venue
|
| People frequently travel to major cities for concerts, do you
| expect them to travel twice to purchase the tickets? Either you
| join a much wider network of sellers than that, or this would
| only satisfy people already living not too far from the venue.
| teeray wrote:
| > The naive economic solution to the problem would be raising
| ticket prices step by step until it is no longer attractive for
| scalpers to resell your ticket
|
| You can also just do like The Cure did and destroy the secondary
| market entirely: you can sell tickets through the platform and
| only for what you paid for them.
| markasoftware wrote:
| how does this prevent the scalper communicating with the buyer
| to demand an out-of-band payment?
| teeray wrote:
| If all tickets are the same price, then any buyer-seller
| combination will do. I believe the seller doesn't get to
| choose the buyer and both are anonymous. No way to coordinate
| such an out-of-band payment.
| tptacek wrote:
| They're not all the same price. They have the same list
| price, but once the show (or the desirable floor section of
| the show) sells out, the real price floats.
| raincole wrote:
| The naive economic solution is auctioning off all the tickets.
| Symbiote wrote:
| This is the law in Denmark, and I think Ireland and several
| other European countries.
|
| Tickets must not be sold for more than the original price.
| Ticketmaster etc are still happy to take part in the action:
| their resale system still charges a second set of ticket fees
| for a resale, though the sale price is limited to the purchase
| price.
| modeless wrote:
| I am unsympathetic when people insist on selling things for the
| wrong price and then come up with these elaborate schemes for
| fixing the problems they themselves caused.
|
| If they would simply sell tickets for the prices people are
| willing to pay in the first place then they wouldn't need to
| invade privacy or any of this stuff. I've heard the arguments
| they use to justify why they don't and they're all hogwash.
| layer8 wrote:
| Why do you think they don't?
| kevincox wrote:
| Because the whole business of scalpers is exploiting the
| difference between the list price and the price people are
| willing to pay. If this gap didn't exist scalping wouldn't be
| profitable.
|
| (As far as this article as discussing. They also serve some
| use for reselling tickets when you meant to go but can't but
| this doesn't have any more downsides)
| layer8 wrote:
| Yes, but what do you think is the reason why they are not
| doing what you argue they should do?
| nothrabannosir wrote:
| Because there is a perverse incentive for performers to
| lean into scalping: selling out quickly is a mark of
| success. NPR's "Planet Money" had an episode a while back
| that covered exactly this.
|
| Not all artists lean into it of course, and it's usually
| not the actual artists anyway but labels, producers, etc.
|
| In that same episode they covered how LiveNation owns
| both TicketMaster and many venues themselves, and
| leverage access to the venues for power in the ticketing
| market.
|
| It may have been this one but I'm not 100%: https://www.n
| pr.org/sections/money/2013/06/25/195641030/epis...
| izabera wrote:
| every time this comes up, the thread immediately gets 300
| comments suggesting that everyone pays whatever amount to keep
| the bots at bay
|
| twitter sells blue checks for $8/mo and it's full of bots
| charcircuit wrote:
| The problem is not that bots are buying tickets. The problem is
| that the tickets sell out too fast.
| Incipient wrote:
| This is a trivially solvable problem with essentially little
| friction for buyers.
|
| The industry doesn't WANT to solve this. I don't see why anyone
| believes or entertains the idea they are even trying.
| mqus wrote:
| The author builds a ticket system and says it's not trivially
| solveable. What's your trivial solution then?
| everfrustrated wrote:
| Sell tickets using an auction to set the price.
| yread wrote:
| There will be a concert for 750th anniversary of Amsterdam in
| June (held on the highway ring around the town which will be
| closed). Tickets were free, sold out in 5 mins, immediately
| available from scalpers for 200 euros.
|
| https://nos.nl/artikel/2568164-chaos-bij-ticketuitgifte-voor...
| amai wrote:
| What about this schema:
|
| The first ticket you buy costs the normal price. The second
| ticket costs twice the price. The third ticket is four times the
| price and so on.
|
| Scalpers who buy many tickets at once will go bankrupt before
| they can buy all the available tickets.
| jszymborski wrote:
| You can even limit max tickets sold to one person at two or
| three, but the trouble, as I understand it, is that it's hard
| to identify individuals as being... well individuals.
| mschuster91 wrote:
| The solution is, as always, simple: regulation. In this case:
|
| - break up Ticketmaster, Live Nation and their European friends.
| Ban vertical integration. And for good measure (and to placate
| the public who is out for blood, and I mean that one in the
| literal sense - ask a random on the street about what they'd do
| to scalpers and TM, I'd bet good money on at least 50% going for
| one or another form of violence), place their execs behind bars
| for a decade.
|
| - mandate that a ticket holder has the right to transfer a
| personalized ticket for free (plus, in the case of actual paper
| tickets, a reasonable small service charge for postal fees)
|
| - in conjunction, ban the sale of tickets above face value,
| including any sort of deals, and place significant fines on
| violators of both ends. This completely eliminates the "second
| hand" scalper market. Of course, black markets will still crop
| up, but when both sides cannot be certain the opposing trade
| partner is a cop...
|
| Unfortunately, this would also kill a lot of income for the big
| players - chiefly, the ticket sale platforms that currently make
| an insane amount of money on bogus charges for name changes on
| tickets as well as running their own resale markets where they
| can double or triple dip on fees (depending how often that
| specific ticket gets sold back for whatever reason). And that is
| why such a movement will probably never happen during our
| lifetime.
| ahtihn wrote:
| Why should ticket sales be regulated? Why should the government
| care about what price event tickets sell for?
|
| Concerts are pure luxury. I like going to concerts, but I don't
| see a reason why the government should intervene? Scalpers
| exist because artists underprice tickets on purpose.
| nextn wrote:
| An option I'd like to see implemented is to make the customer put
| down a bond. Besides charging the customer for the ticket, also
| charge them another higher amount that gets refunded x days after
| the concert. If the customer is found to be a scalper don't
| return the bond.
|
| Scalpers can't pay high bond amounts at scale combined with the
| risk of not having the bond returned.
| xandrius wrote:
| Also filtering people who don't own much to begin with?
| VladVladikoff wrote:
| Yeah when I was a teen I might have had $40 for a show but
| not $500 for a bond.
| Retr0id wrote:
| How do you figure out whether they're a scalper or not?
| abduhl wrote:
| How do you determine scalpers? I buy 6 tickets for me and my
| friends and we all get sick. Are we scalpers? I buy 1 ticket
| and a work trip gets foisted on me the next day so I try to
| resell. Am I a scalper?
|
| Won't everyone just charge the ticket buyer the price of the
| bond? So this still only harms the fans that want to see the
| show. The scalpers just need to have more up front capital in
| your system.
| dspillett wrote:
| For popular acts, when scalpers are selling at 10x or more the
| base price, the bond would have to be pretty high to put the
| scalpers off, and that would be a problem for many genuine
| customers. Unless the bond is silly high, that being defined as
| high enough that it significantly messes with fans, it would
| still be worth it even if the scalper is noticed and the bond
| not returned.
|
| _> If the customer is found to be a scalper don 't return the
| bond._
|
| This is how most suggestions for solving the problem fall down:
| how do you, with any reliability, or at least reliably avoiding
| false positives, detect a scalper?
| koch wrote:
| What I don't quite understand is why we haven't merely come to
| the conclusion that, like everything else, the internet costs
| money. Running servers and services costs money, and by giving it
| away for "free" from the get-go encases certain types of problems
| in the platform itself. I'm not talking about paying your ISP,
| I'm talking about accessing websites.
|
| I guess what I'm getting at is that there is no cost to making a
| request over the internet. Why not? Why doesn't every http
| request have a corresponding price associated with it? You can
| access the resource if you pay. I imagine this would be a
| minuscule amount ($0.00001 or less per request). Then, instead of
| trying to solve for monetizing eyeballs or personal data, these
| problems are solved with economics.
| LegionMammal978 wrote:
| From TFA:
|
| > If a spammer needs to spend 0.0001 EUR in power to access the
| site only to gain a marginal profit of 0.00005 EUR, they are
| losing money with every site access. However, if a ticket
| scalper needs to spend 0.0001 EUR in power to buy a ticket that
| they will later sell at a 200 EUR profit, this will not stop
| them.
| tptacek wrote:
| And, long before the proof-of-work thing was popularized,
| people were already farming out high-margin captcha solves to
| cube farms full of people in Asia.
| landl0rd wrote:
| This fixes indians in boilerrooms and nigerian spam emailers
| but specifically not ticket scalpers. The profit is too large.
|
| Also because users don't actually control the number of HTTP
| requests they make. Think of sites that load individual icons
| rather than sprite sheets. Think of sites that fire off 1,000
| tracking calls per minute. So respectfully screw that.
| const_cast wrote:
| Maybe if we do this then those sites will be disincentivized
| from doing all the tracking. Because consumer's will get
| their bill, say "what the fuck", and go to a competitor.
| LadyCailin wrote:
| That didn't work at all for cookie banners. People just
| accept enshittification when it's just a minor
| inconvenience. $0.00001 http requests would solidly fall
| into that category, and then it would just be marginally
| worse across the board.
| const_cast wrote:
| Nobody is paying for a cookie banner. Also the cookie
| banners aren't even required on almost all the sites you
| see them on - they chose to put those there because
| they're lazy.
| cedws wrote:
| I don't get it - why not just tie the ticket to a name and
| address at time of purchase? Then verify that matches the person
| using government issued ID upon entry?
| abetusk wrote:
| How would you handle the following conditions?
|
| * I buy a ticket for a friend (maybe as a present) but don't
| actually want to go to the concert
|
| * I buy more than one ticket for a group of people (I'll be
| attending the concert)
|
| * I buy a ticket but have to cancel at the last minute and want
| to give it to a friend
|
| * I don't have an easily available government ID (maybe I never
| got a drivers license, maybe my drivers license expired, etc.)
|
| * People attending the event aren't American. They will have
| their passports from other countries. How will you verify each
| passport is valid?
|
| * The event draws of people from a majority of the 50 states in
| the USA, with each state having different government IDs
| (driver's license) with different versions of the IDs within
| each state. What are the logistics of validating the IDs
| presented?
|
| In the base case of one ticket per individual that has a valid
| government ID that has their current address printed on the ID,
| what service are you using to validate this ID and to validate
| that the presenter of the ID is associated with the ID? What is
| the cost and how many transactions can it handle per second?
| gruez wrote:
| >How would you handle the following conditions?
|
| It doesn't, but that's fine, because it's the cost of
| preventing scalpers. Everyone just accepts that you can't buy
| a flight ticket as a present, for instance.
| Symbiote wrote:
| I think I've only had this once for a concert I've attended,
| but generally:
|
| > I buy a ticket for a friend (maybe as a present) but don't
| actually want to go to the concert
|
| You'd need to transfer the ticket to them electronically,
| which is possible on all the ticket selling sites that
| support these restrictions.
|
| > I buy more than one ticket for a group of people (I'll be
| attending the concert)
|
| One person can buy up to X tickets (often 6), so they can
| attend with 5 anonymous friends.
|
| Or transfer one/more to them as above, so they don't have to
| arrive at the same time as you.
|
| > I buy a ticket but have to cancel at the last minute and
| want to give it to a friend
|
| Again, transfer through the website/app.
|
| > I don't have an easily available government ID (maybe I
| never got a drivers license, maybe my drivers license
| expired, etc.)
|
| > People attending the event aren't American. They will have
| their passports from other countries. How will you verify
| each passport is valid?
|
| > The event draws of people from a majority of the 50 states
| in the USA, with each state having different government IDs
| (driver's license) with different versions of the IDs within
| each state. What are the logistics of validating the IDs
| presented?
|
| European (as I'm here) identity cards and driving licences
| are reasonably unified in appearance. The staff will just do
| their best if Americans from 50 states turn up, and probably
| refer anything that seems suspicious to a manager for a more
| careful review.
| spoonsort wrote:
| Tunnel-visioned article, honestly. I mean, why does he gloss over
| the fact that scalpers don't care about captchas - they can just
| outsource solving them to other humans. Giving your driver's
| license or passport to some entertainment company's security-
| unaware sysadmins doesn't seem like a good idea either. Maybe
| just accept the fact that you gotta be lucky to see most famous
| band in the world in person. There are only x hundred seats for
| 10 million people...
| davidmurdoch wrote:
| Maybe read it first?
| 1oooqooq wrote:
| who cares about tickets for shows. but try to buy an airplane
| from airchina and experience first hand being a false positive
| bot.
|
| just hope there's another airline serving your destination.
| akrymski wrote:
| Could someone explain why tickets aren't sold via an auction
| mechanism? Surely that's the only fair way to distribute anything
| of limited supply
| cptroot wrote:
| The answer is mentioned in the article. Not all concerts want
| only people with means to attend. The venue might want to be
| accessible to low-income members of the community, or it might
| be a benefit concert, with free tickets and a donation drive.
| RainyDayTmrw wrote:
| That's only "fair" in a certain, academic sense, which claims
| that willingness to pay more money makes someone more
| "deserving" - completely ignoring socioeconomic status.
|
| That also offends a lot of people who oppose the above
| reasoning.
| MallocVoidstar wrote:
| > A related option is to strongly bind purchase limits to other
| resources that are not easy to acquire quickly in large amounts,
| such as allowing only X tickets per (verified) phone number
|
| Phone numbers are very easy to get in large numbers. US-based SMS
| numbers that will pass verification for buying sneakers are
| ~$0.25 each.
| sholladay wrote:
| As a human, I've had a bunch of positive experiences with
| Cloudflare Turnstile. It always seems to correctly identify me as
| a human faster than I could solve a CAPTCHA, without me having to
| do anything. I can't speak to how effective it is at catching
| bots, though. Maybe it just errs on the side of assuming human?
| kassner wrote:
| I can't claim I'm the first one to think about this, but every
| time Ticketmaster shows up on HN I keep coming back to this idea:
|
| Sell the tickets with regressive price based on time. Sales
| starts say 2 months before event, initial price is truly
| exorbitant, say one million dollars. Price decreases linearly
| down to zero (or true cost price). At any point, people can see
| current price and the seats left.
|
| Now every potential spectator is playing a game of chicken: the
| more you wait, the lower the price, but also lower are the
| chances that you'll have a ticket. That would capture precisely
| the maximum amount of dollars that each person is willing to pay
| for it.
|
| This idea sounds extremely greedy, because it is, so I can't
| fathom that no one ever pitched this in a Ticketmaster board
| meeting.
|
| My idea, however, was a bit less greedy. Once you sold the last
| ticket, that would be your actual (and fair) price-per-ticket for
| the concert, and everyone would be refunded the difference.
| You'll never know how low it will go, so you shouldn't overpay
| and hope it will lower later. I'm pretty sure Ticketmaster will
| skip this last part if they decide to implement this.
|
| There are multiple issues with my idea, it's elitist, promotes
| financial risks on cohorts poorly capable to bear them, etc etc,
| but it will definitely fix the scalpers problem. Pick your
| poison.
___________________________________________________________________
(page generated 2025-05-25 23:00 UTC)