How Scalpers Are Hacking One Of Ticketmaster's Highly-Touted Features

Over the years, what was once pretty taboo has become incredibly common: Reselling tickets to concerts and sporting events, often above face value. Not only do the most prominent ticketing companies, Ticketmaster and AXS, have their own resale arms, but there's an entire ecosystem of third-party ticket resale platforms like StubHub, SeatGeek, and VividSeats. For a long time, individuals and professional brokers/scalpers alike both had a pretty easy time reselling their tickets, as they were either physical tickets printed by the ticketing company or venue box office, PDF downloads with the same barcodes, or other ways of distributing static barcodes. This also meant that, unless you were using the ticketing company's official resale system, defrauding someone with fake tickets was far too simple.

If you've been out to a major event more recently, though, there's a good chance that you've seen some changes. Many events have resale restricted to the ticketing company's own marketplace, sometimes even capped at face value. The way that they do this is by restricting tickets to their official mobile apps and having the barcode change every 15 seconds or so. Simply copying the barcode won't work, as it's always changing. In theory, this was a great way for Ticketmaster and AXS to regain more control of the resale market. In practice, though? The system has been reverse-engineered by companies working with ticket brokers to allow them to easily resell the theoretically protected tickets. Here's how this is happening and how the details have gone public.

The method for reselling tickets that are theoretically untransferable was first in a blog post by the anonymous security researcher known as Conduition in February 2024, with 404 Media expanding on the topic in a July 2024 report. At its heart, the way these special tickets work is pretty simple, and if you're particularly tech savvy, you might even kick yourself for not realizing it. They basically work like authenticator apps used in two-factor authentication. The ticket app and the ticketing system are synced up so that a new one-time passcode is generated every 15 seconds, with a new barcode generated from each. (The "slider" animation hovering over the barcode that Ticketmaster claims is part of its security technology is, in actuality, literally just an animation that's there to signal to event staff that it's not a static screenshot.)

Once the secure ticketing process was engineered, various companies popped up offering services to brokers that allow them to convert the "untransferable" tickets to something they can sell. These services go by names like Secure.Tickets, Virtual Barcode Distribution, Verified-Ticket.com, and Amosa App, and appear to try to minimize their internet presence, instead preferring word of mouth marketing among brokers. All of these services are able to extract a working digital ticket out of the Ticketmaster app and into their own platforms. Until 404 Media reported on this, online references to the services were limited to forum discussions from concertgoers worried about counterfeit tickets.

Conduition's initial note about the Ticketmaster hack didn't reference the company's biggest competitor, AXS, which uses similar technology for non-transferable tickets. However, based on a lawsuit filed by AXS in January 2024 and amended the following May, it looks like AXS's non-transferable tickets were reverse engineered in a similar way. According to the amended complaint, AXS is suingfour different companies offering resale tickets or reverse engineering services to ticket brokers, Internet Referral Services, Event Tickets Center, and Virtual Barcode Distribution, plus Altan Tanriverdi, the Turkish national behind a fifth service, Amosa.app.

In the amended complaint, AXS redacted some passages from public view to keep certain business details private. Regardless, AXS has elected to take a bit of a "kitchen sink" approach to the lawsuit, also going after the ticket redistributing services for not just producing what they called "counterfeit tickets," but also misappropriating the AXS logo and trademarks. 

"Counterfeit" is a misnomer here since this is theoretically about repurposing genuine tickets, but it's how AXS describes them throughout.  AXS concedes that it's "not exactly clear" how the tickets are redistributed, but its Chief Technology Officer believes the defendants "bypassed security and access control measures to decompile, reverse engineer, disassemble, or otherwise modify the AXS App or AXS SDK." As of this writing, none of the defendants have answered the suit, and none returned 404 Media's requests for comment on their July 2024 article. 

There's something important that we should make note of that colors this story a bit: For a non-trivial number of Americans reading this article, the war between the ticketing companies and the reverse engineering services is moot. That's because a total of six states have passed laws barring restrictions on the resale of live event tickets. New York, Connecticut, Illinois, Virginia, Colorado, and Utah have all passed such laws, meaning that this includes major markets with larger than normal arrays of major concert and sporting venues like New York City and Chicago.

These laws were lobbied for by the National Association of Ticket Brokers, which is exactly what it sounds like. The NATB has a website, ProtectTicketRights.com, designed to push its message to the average person, which includes their explanation of why they view the non-transferable tickets as anti-consumer.

"Some performers, promoters and venues use paperless tickets which require the credit card holder who purchased them to show the card and ID at the door of the event," they wrote. "This impedes the right of the ticket owner to employ them as desired: perhaps to sell them, or to give them away, for instance, if it proves impossible to attend the event. They claim this is to reduce fraud, when in reality it's merely a scheme to restrict your right to sell or transfer your tickets." Thanks to these lobbyists, you're free of these restrictions if you're in the aforementioned half dozen states.