Schneier on Security
A blog covering security and security technology.
June 2, 2005
Stupid People Purchase Fake Concert Tickets
From the Boston Herald:
Instead of rocking with Bono and The Edge, hundreds of U2 fans were forced to "walk away, walk away" from the sold-out FleetCenter show Tuesday night when their scalped tickets proved bogus.
Some heartbroken fans broke down in tears as they were turned away clutching worthless pieces of paper they shelled out as much as $2,000 for.
You might think this was some fancy counterfeiting scheme, but no.
It took Whelan and his staff a while to figure out what was going on, but a pattern soon emerged. The counterfeit tickets mostly were computer printouts bought online from cyberscalpers.
Online tickets are a great convenience. They contain a unique barcode. You can print as many as you like, but the barcode scanners at the concert door will only accept each barcode once.
Only an idiot would buy a printout from a scalper, because there's no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it turns out that it's not obvious to everyone.
"On an average concert night we have zero, zilch, zip problems with counterfeit tickets," Delaney said. "Apparently, U2 has whipped this city into such a frenzy that people are willing to take a risk."
I find this fascinating. Online verification of authorization tokens is supposed to make counterfeiting more difficult, because it assumes the physical token can be copied. But it won't work if people believe that the physical token is unique.
Note: Another write-up of the same story is here.
Posted on June 2, 2005 at 2:10 PM
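The door check described in the post, as an added example that is not part of the original post: every printout of a ticket carries the same barcode, so the server-side redemption record is the only thing that tells copies apart, and only the first scan is admitted. The TicketGate class, the serial format and the keyed tag are assumptions for illustration, not any ticket vendor's scheme.

```python
import hashlib
import hmac
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor


class TicketGate:
    """Issuer plus door scanners sharing one server-side redemption record."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # issuer secret; never appears on a ticket
        self._redeemed = set()               # barcodes already accepted at a door
        self._lock = threading.Lock()        # scanners at different doors run concurrently

    def _tag(self, serial):
        return hmac.new(self._key, serial.encode(), hashlib.sha256).hexdigest()[:16]

    def issue(self, serial):
        """Barcode payload: the serial plus a keyed tag (assumed format)."""
        return serial + "." + self._tag(serial)

    def scan(self, barcode):
        serial, _, tag = barcode.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(serial).encode()):
            return "invalid"            # not issued by us
        with self._lock:                # check-and-mark must be one atomic step
            if barcode in self._redeemed:
                return "already-used"   # a copy of a ticket that is already inside
            self._redeemed.add(barcode)
            return "admit"


def present_copies(copies, doors=8):
    """Scan `copies` identical printouts of one ticket across `doors` scanners."""
    gate = TicketGate()
    barcode = gate.issue("SEC12-ROW04-SEAT07")   # constructed sample serial
    with ThreadPoolExecutor(max_workers=doors) as pool:
        return list(pool.map(gate.scan, [barcode] * copies))


def scan_unissued():
    """A well-formed barcode the issuer never produced is rejected outright."""
    return TicketGate().scan("SEC12-ROW04-SEAT08." + "0" * 16)


if __name__ == "__main__":
    results = present_copies(40)
    print(results.count("admit"), "admitted,", results.count("already-used"), "turned away")
```

Nothing on the paper distinguishes the one admitted printout from the others, which is why a buyer on the street has no way to check what they are paying for.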
• 23 Comments
"But it won't work if people believe that the physical token is unique."
On the contrary, it seems to have worked almost perfectly. They didn't let more people into the venue than they intended. They sent a message to customers about how much they can trust scalpers. It seems to have protected exactly the interests it was supposed to.
Which is to say, not necessarily the consumer.
I think the only potential problem for ticket sellers is if a scalper is somehow reselling a ticket that belongs to a legitimate ticket holder. In that case, the first one who shows up gets in.
I hope some of these people who paid $2000 for bogus tickets have a way to track down their scalper again.
At Sabre, back in March of 2000, we worked with a company called Encryptix (they're no longer around). They had a 2 dimensional bar code technology we thought would work great for value documents in the travel industry (airline tickets). In addition to the 2 dimensional bar code, they also buried security key pixels that could not be duplicated by a copier. It worked, unfortunately, we could not find a single airline that would pilot a project.
"The counterfeit tickets mostly were computer printouts bought online from cyberscalpers."
Pretty stupid reporting from the Herald, too. From my read of the story, the only "cyber" that was involved was the purchase of the original ticket online. Somebody simply bought an online ticket, then somebody (else?) printed off a few dozen copies and hawked them on the corner, the old fashioned way. Low tech, and if my guess is correct, pretty low chance of getting away with it.
"Low tech, and if my guess is correct, pretty low chance of getting away with it."
My guess is that scalpers have gotten away with it. One hopes that this publicity will make it less likely for them to get away with it a second time.
The lesson to learn here kids is that if you do buy a "cyber-scalped" ticket to show up FIRST before the authentic ticket gets scanned. However if they have assigned seating you may have to prove that your ticket is indeed authentic and be able to dispute it intelligently. If you really needed to generate your own ticket get a sense of the barcode schema and shift the numbers up or down... but you still should get there before the real deals get scanned. With all that... Being stupid isn't a crime, but it should be.
I was at a concert recently (with my ticket that I printed off on the computer) and I noticed a scalper holding a bunch of tickets. Some of them were the old fashioned kind and some were printouts. I have seen people trade up their tickets with scalpers before and this made me wonder if the scalpers ever got scammed? You take a copy of your friend's printout and then get a trade up from a scalper. The scalper is left with a bogus ticket (because your friend has already gone inside and had his ticket scanned) and if your trade up fee was reasonable, you get a cheap ticket to the concert.
Interesting system, but it does have the annoying consequence that one can no longer sell extra tickets. No seller of tickets will be trusted, not just the scalpers with their markups.
I suppose there is some room for trusting if you enter the concert at the same time as your purchaser/seller. Well, purchaser first.
"I find this fascinating. Online verification of authorization tokens is supposed to make counterfeiting more difficult, because it assumes the physical token can be copied. But it won't work if people believe that the physical token is unique."
It never works at all if people don't know -where- on the web to check the token. It's all too easy for a scalper to set up a -fake- website with a dummy script that always confirms the token, and put -his- "verify this ticket online" URL on the printout.
"My guess is that scalpers have gotten away with it. One hopes that this publicity will make it less likely for them to get away with it a second time."
You don't even really need the publicity. Just have TicketMaster or whomever write in big letters on the top of the computer printout "this piece of paper is easily copied, but the unique serial code can only be used once. Do not buy a copy of this ticket from scalpers. It will not work!"
But that would require TicketMaster to care about their customers. And so far they've only demonstrated their ability to charge exorbitant surcharges. Such as, for example, the $5 "convenience fee" for letting you print out your own damn ticket. Their arrogance is appalling.
I've had scalpers outside RFK arena try to sell me internet printout tickets to the Washington Nationals and based on their reaction when I laugh, most people are willing to buy them. Perhaps in most cases that's a reasonable reaction; on average scalpers aren't in business to cheat you and the more cases there are of people getting burned with bogus tickets the worse it is for their business.
I think the lesson here is that if you really have a burning desire to lose part of your hearing (i.e. go to a concert), try buying your ticket(s) early. And if you miss out, too bad; that's life; get over it.
Personally, I think it's funny as hell. I have no empathy for an idiot desperate enough to see a band that they'll pay a stranger $2,000.
"But that would require TicketMaster to care about their customers."
TicketMaster care about their customers. It is just a question of who their customer is. It is not the person buying a ticket, it is the venue/performer selling the ticket. As the prevalence of scalpers indicates, there is more than sufficient demand for tickets to allow TicketMaster to milk the purchasers for extra profit for their own purse without harming the real customer.
"Being stupid isn't a crime, but it should be."
What IQ level should be the legal limit? Why just intelligence? "I'm sorry, sir, but you know it's a crime to be too weak to fight off a mugger."
Israel Torres says: "If you really needed to generate your own ticket get a sense of the barcode schema and shift the numbers up or down... "
You're assuming that the folks generating these are pretty dumb, to be using numbers from a fairly dense space. I very much doubt that more than one in a hundred, at best, numbers from the space are valid. I would also suspect that they're using a check-digit that you'd want to calculate.
movietickets.com also generates a printout with a (presumably) unique bar code, with the intent that the barcode be scanned when you enter the theater to prevent this same sort of thing from happening. But, when I used this form of ticketing to go see Star Wars 3 last week, the ticket collector just took the paper, glanced at it and put it in a pile. No scan check at all. A high-tech lock, but the door was left propped open.
"You're assuming that the folks generating these are pretty dumb"
I've learned that such an assumption is often a correct one. I've also learned that not many companies attempt to actually put the technology buy to the test until it is already disclosed that the technology they were using fails by doing something insanely obvious such as making one line in the barcode a little bit thicker than the one to its right and bingo it passes the verification system... all thanks to a 75 cent sharpie and some old school ingenuity.
In short, too many people with authority fall for the smoke and mirrors and laser show and aren't really interested in anything else before throwing USD at it. Thus, assuming a technology is airtight is certainly a mistake and by inheritance assuming their creators are any smarter than one is also a mistake.
Some of you guys might be interested by this system:
It is mostly efficient when the tickets are personal and when "online" verification is not possible.
The xerox-dropout pixels are a nice twist, but wouldn't help in this case: These scalpers bought a ticket online, and when they got to the "print this page" part, told their machine to print not one but leventy-zillion of them. Each of which is an actual first-generation copy, but only one of which (whichever one is presented first) will work.
Agreed. Anyone who pays the currently outrageous prices for even a legit ticket needs his/her head examined. Those who pay four figure prices to scalpers deserve to be parted from their money, being the fools that they are.
The news report is a non-issue from a technical perspective. Any on the street purchase of an e-ticket is done without verification of any sort. The veracity of the ticket cannot be ascertained, so there is no need for the scalper to have a "real" barcode. Quite on the contrary - the barcode SHOULD be fake; if it is real, it can be traced back to the purchaser.
On the other hand, purchasing e-tickets from scalpers is great. I've done that for a couple of years and it is perfectly safe and, usually, a lot cheaper than doing it in the streets. eBay has a smooth system where you can rely on a user's feedback rating and established identity to make it a reasonable risk. The instant payment and subsequent email of the ticket pdf file makes it possible to buy scalped tickets hours before an event. But buying a piece of paper on the street?? That has everything to do with naivete and nothing to do with technology in my opinion.
There is a second "problem" with these tickets. I've used them at a concert, and the guards by the expensive seats just look at the seat info on the printout to allow you into the expensive seat area.
I immediately realized that I could get a lawn seat, print to a file, modify the file to indicate the more expensive seat, and use that.