
Hackers Reverse Engineer Ticketmaster Bypassing Anti-Scalping Measures on “Non-Transferable” Tickets

A lawsuit in California filed by concert giant AXS has brought to light a significant issue plaguing the ticketing industry: the battle between ticket scalpers and platforms like Ticketmaster and AXS. Scalpers have managed to reverse-engineer the methods these companies use to generate “non-transferable” tickets, creating and selling them through their own systems.


Reverse-Engineering Ticketmaster and AXS Systems

Scalpers have figured out how to regenerate legitimate tickets from the ground up by understanding the underlying code used by Ticketmaster and AXS. This allows them to bypass anti-scalping measures put in place by these platforms. In the lawsuit, AXS claims that brokers are providing “counterfeit” tickets to consumers, alleging that these tickets are produced by illicitly accessing and mimicking the AXS platform. Despite these accusations, the tickets often scan as genuine at events.

Two security researchers have demonstrated how Ticketmaster’s ticket barcodes can be reverse-engineered, allowing scalpers to generate authentic tickets for concerts. The same method likely applies to AXS tickets, which use similar “rotating barcodes” that change every few seconds. One researcher, after publishing their findings, received offers from brokers to create ticket transfer services for them.


How Scalpers Bypass Anti-Scalping Measures

Some brokers have already established their own websites or apps to generate genuine tickets and share them with customers through secondary market services like StubHub, SeatGeek, and VividSeats. These services, with names such as Secure.Tickets, Amosa App, Virtual Barcode Distribution, and Verified-Ticket.com, are not widely known and typically appear as broken websites when accessed directly. According to an anonymous ticket broker, some of these services are part of larger ticket management software packages, while others are standalone services sold through word-of-mouth.

The only online information about these services comes from confused fans who question the legitimacy of their tickets for popular concerts and sports events. Despite initial concerns, most tickets bought through these services work as expected. For instance, a Blink-182 fan on Reddit confirmed that tickets from Secure.Tickets were genuine after worrying they had been scammed.

These ticket generation services offer an easier way for brokers and fans to transfer tickets without needing to meet in person or share account passwords. The rotating-barcode technology has given Ticketmaster and AXS more control over how and when tickets can be sold and transferred on the secondary market. However, for highly sought-after events, these companies have started restricting ticket transfers to prevent scalping. This restriction means tickets cannot be moved from one account to another, forcing sales to occur only on Ticketmaster or AXS platforms.


Legal Actions and Accusations

Scalpers’ ability to generate tickets from metadata created by Ticketmaster is particularly concerning. A hacking group recently claimed to have dumped thousands of barcodes for Taylor Swift’s Eras Tour. Ticketmaster’s SafeTix technology, which uses rotating barcodes, is supposed to protect tickets, but this system’s vulnerabilities have been exposed.

404 Media discovered this broker infrastructure after fans of DJ Fred Again expressed concerns about resale tickets bought from Secure.Tickets. A lawsuit filed by AXS against Secure.Tickets and other scalper services accused them of copyright infringement and creating “counterfeit” tickets. The lawsuit alleges that these services misrepresent themselves as using AXS’s proprietary technology while actually circumventing it.

Security researchers Conduition and David Pokora have both confirmed that the process to generate these tickets is not highly sophisticated and can be replicated by financially motivated individuals. Conduition’s blog post detailed how Ticketmaster’s SafeTix technology works and how it can be bypassed. They built a proof-of-concept app called “TicketGimp” to demonstrate this capability.


Industry Response and Future Challenges

Despite multiple requests for comment, Ticketmaster and AXS did not respond to inquiries about these security issues. The companies have not publicly addressed the vulnerabilities exposed by these researchers. Instead, they continue to play a legal game of whack-a-mole with scalpers rather than addressing the root cause with better technology.

The situation reveals a larger problem in the ticketing industry: the need for more secure and open ecosystems that support third-party ticket resale and delivery platforms. Until such systems are in place, scalpers will continue to exploit vulnerabilities, and ticket buyers will remain at risk of purchasing dubious tickets.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact

