Hey Travis,
I'm pretty excited about this one because it combines many of our reporting interests: Ticket scalping, hacking/reverse engineering, underground worlds, and court documents. We were also able to help solve a mystery plaguing various artists' fanbases, who were confused about why they have been getting tickets hosted on services they'd never heard of.
-Jason
A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.
By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.
In the lawsuit, AXS said brokers are delivering “counterfeit” tickets to “unsuspecting consumers,” and that they are “created, in whole or in part by one or more of the Defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform.” The lawsuit accuses these services of hacking and states that AXS does not know how they are doing it. But the tickets themselves are often not counterfeit at all, and in the vast majority of cases, they scan as genuine.
Two security researchers we spoke to reverse engineered how Ticketmaster generates ticket barcodes and showed how scalpers can generate genuine tickets for concerts themselves. The system that works for Ticketmaster is also likely to work for AXS tickets, which use similar “rotating barcodes” that change every few seconds. After one of the researchers published their findings in February, they were approached by brokers and were asked to build ticket transfer services for them.
Brokers are then hosting these tickets on their own websites or apps, and are sharing links to these tickets with their customers over secondary market services like StubHub, SeatGeek, and VividSeats.
There is almost no online information about these services for brokers, which go by names like Secure.Tickets, Amosa App, Virtual Barcode Distribution, and Verified-Ticket.com. Typing in the URLs for these services usually leads to what looks like a broken website. According to one ticket broker source who spoke to us under the condition of anonymity to talk about secrets of the industry, some of these services are offered as part of larger ticket management software packages and some are standalone services sold to brokers by word-of-mouth.
If you look closely, the barcode changes every few seconds
The only information about these types of tickets online is from confused fans, who are wondering whether the tickets they bought to Fred Again, Blink-182, Phish, The Killers, other popular bands, and sports games, which were delivered through a service they’ve never heard of, are genuine. In the vast majority of cases, they are. What is happening, then, is that fans are buying tickets from brokers, worrying that the tickets are fake because they can’t find any information about the delivery service, and then finding that the tickets work at the gate.
“The tickets were legit,” one Blink-182 fan reported back on Reddit after worrying they had been scammed. “Secure.tickets is a real thing.”
“Can they tell if our tickets aren’t from Ticketmaster if it’s the ones from secure.tickets?” a fan on the Fred Again Discord wrote. “Seatgeek secure.tickets warriors we ride at dusk,” they added before the show. A few hours later: “MADE IT IN SEATGEEK SECURE.TICKETS!”
Screenshots from the AXS lawsuit of AXS tickets on third-party infrastructure
404 Media previously reported some of the ways that scalpers have managed to transfer “untransferable” tickets: by allowing customers to log in to throwaway Ticketmaster accounts that contain the tickets, or by transferring tickets using Apple Wallet or Android Wallet. Services like Secure.Tickets offer an easier way for brokers and fans to do this, without having to meet up in front of the concert or share passwords.
This technology has also given more control to Ticketmaster and AXS over how and when these tickets can be sold on the secondary market and then transferred to another person. For many events, this is a straightforward process in which someone can log into their Ticketmaster or AXS account, enter the email address of the person they’ve sold the tickets to (or a friend who they want to give the tickets to), and transfer the tickets to their account with no limitation.
But for more popular events that are commonly bought by scalpers, Ticketmaster and AXS have started restricting transfers. This means you cannot move tickets from one Ticketmaster or AXS account to another. (Both AXS and Ticketmaster have been experimenting with allowing people to resell their tickets, but only on Ticketmaster or only on AXS, and not on StubHub, SeatGeek, VividSeats, or other third-party resale platforms.)
The proliferation of these types of tickets highlights the fact that serious ticket brokers have found ways to circumvent anti-scalping restrictions created by Ticketmaster and AXS that are often insisted upon by artists. These restrictions help cement the vertical integration of Ticketmaster and, to a lesser extent, AXS, which are increasingly trying to funnel brokers and fans to resale services on their own sites, to further monopolize not just the primary ticket sale market, but the secondary resale one too.
The ability to generate tickets from the metadata created by Ticketmaster is particularly notable because a hacking crew dumped what it claims are thousands of barcodes for Taylor Swift’s Eras Tour. Ticketmaster has claimed that its rotating barcode technology, called SafeTix “keeps tickets safe and unassailable.” The way that the system works requires brokers to generate tickets shortly before an event starts; with Eras Tour dates still months away, they are likely not at risk of being stolen.
404 Media became aware of this broker infrastructure after a reader told us that fans of the DJ Fred Again were very concerned that they had been scammed after buying resale tickets to his tour, which were supposed to be “untransferable” and which had come from a link to the website “secure.tickets.” A member of the Fred Again Discord had uncovered a lawsuit filed in May by AXS against Secure.Tickets and several other scalper transfer services, which accused them of copyright infringement for recreating the AXS logo on the recreated tickets and also accused them of making “counterfeits.”
“At least two of the Defendants have also represented to customers that they are using AXS’s proprietary technology to sell, resell, deliver, or transfer tickets, when they are in fact circumventing AXS’s technology,” the lawsuit claims. “Defendants operate in the shadows of the internet. In some instances, Defendants have gone to great lengths to conceal their identities.”
‘Reverse Engineering Ticketmaster’s Rotating Barcodes’
The technology that is supposed to prevent a ticket from being transferred is largely the same in both Ticketmaster and AXS, both of which have started selling tickets as “revolving barcodes” or QR codes that change every few seconds. This is designed to prevent people from screenshotting or printing out the tickets and then double selling them, which was a very common type of scam with standard PDF tickets.
In February, a pseudonymous security researcher named Conduition published a blog post called “Reverse Engineering Ticketmaster’s Rotating Barcodes,” in which they explained how these tickets (which are called “SafeTix”) work, and revealed that many of the supposed safety and security features of these sorts of tickets can be easily circumvented or in practice do nothing. For example, a “slider animation” that Ticketmaster says “is our ticket technology actively working to safeguard you every second” is just a CSS animation sliding over the ticket.
In the blog post, Conduition explains that, essentially, these tickets work in the same way as two-factor authentication codes in authenticator apps. These are called “Time-based One-Time Passwords,” and can be generated offline (like a 2FA code). Ticketmaster basically shares a secret, unique token with the person who bought the ticket. This token allows the Ticketmaster app to generate a “new” ticket every 15 seconds based on the time of day. Once the device has this token, it can generate the tickets whether or not it is online. As Conduition found, if you’ve bought a ticket, this token can be extracted from within the Ticketmaster app (or, in some cases, from Ticketmaster’s desktop website), exported to a third-party platform, and tickets can then be generated on that third-party platform.
The technical details of this are explained at length in Conduition’s blog post, but they basically conclude that the “token string IS the ticket, as far as the venue staff at the gates are concerned” and can be used to “generate valid PDF417 barcodes, indistinguishable from the official Ticketmaster app. Short of checking photo IDs at the entry gate, the venue staff can’t tell whether the person at the gate is the same person who the ticket is registered to on Ticketmaster.” To prove this out, Conduition built a proof-of-concept app called “TicketGimp,” which builds valid ticket barcodes if given that token.
Conduition told me in an email that since they published their research, they have been contacted by brokers who want to hire them.
“I have actually heard of secure.tickets and verified-ticket.com before. After publishing my article on TicketMaster, I've been cold-emailed 5-10 times with contracting offers, asking me to build similar ticket sharing systems. One person asked me to exactly duplicate the verified-ticket.com website—not just the UI layout, but pixel-for-pixel duplication, plus the cryptography needed to generate valid barcodes from a ticket secret,” Conduition said. “I suspect that these ticket sharing websites are making real attempts to allow ticket sharing (albeit against the monopolistic wishes of AXS/TM).”
In their blog post, Conduition explained how these types of tickets do not actually prevent transfer for a financially motivated person or company, but wrote that “it’s pretty clear why Ticketmaster is pushing this technology.”
“SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative,” they wrote. “People can’t save and transfer tickets outside of Ticketmaster. This forces ticket holders to surrender their friends’ contact information to Ticketmaster, who can use this data to build social graphs, or conduct other privacy-invasive practices.”
Neither Ticketmaster nor AXS responded to multiple requests for comment for this story. Lawyers for Secure.Tickets and the other companies being sued by AXS also did not respond, though it is clear from the lawsuit that AXS does not even know the identities of all of the people operating these types of services.
“What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
To verify Conduition’s research, David Pokora, an engineering director at the cybersecurity research firm Trail of Bits, agreed to attempt to reverse-engineer an “untransferrable” ticket that I bought for a Fred Again concert in Los Angeles. We did not actually set up a parallel ticket transfer ecosystem, but Pokora probed enough of what was going on to feel confident that Conduition’s research is correct and replicable. Pokora performed his analysis in late June, months after Conduition’s blog post. He did not find anything to suggest that Ticketmaster has significantly changed how its system works.
“Essentially you can think of this as there being base information, plus the current time stamp,” Pokora said. “And with that base information and the time, you can always generate a valid QR code.”
Both Conduition and Pokora explain that the token in question is delivered roughly 20 hours before a concert. As long as the third-party app accesses the token within that 20-hour window, the barcodes it generates will be valid, so a ticket can essentially be pulled from a Ticketmaster account onto a third-party platform that generates the valid barcode and shares it with anyone.
Neither Conduition nor Pokora specifically probed AXS’s system for generating tickets, but, based on the lawsuit and the fact that the same ticket broker services offer tickets to both Ticketmaster and AXS events, AXS’s system has also been solved by brokers.
Both Conduition and Pokora said that the attacks necessary to reproduce these tickets are not terribly technologically sophisticated and would be easy for anyone financially motivated, like a ticket broker or a service selling to ticket brokers. “I’m very, very confident that everything in Conduition’s blog post is still valid,” Pokora said. “Ticketmaster could try to make it a more obscure process, or make it harder to reverse engineer, but at the end of the day you’re just validating some information that was relayed to a buyer. What’s stopping someone from extracting that in some automated way and relaying that information to someone else?”