Skip to content(if available)orjump to list(if available)

CAPTCHAs are over (in ticketing)

CAPTCHAs are over (in ticketing)

49 comments

·May 25, 2025
Visit

frabcus

The option that strikes me as missing, is making users pay a cost before they are randomly entered in a lottery for the ticket.

So, for example, everyone pays $0.01 on their credit card, or does a holding charge on their credit card, or registers their identity. All in a 5 minute (or 1 day!) window. And then after the window, tickets are randomly distributed amongst every card which so registered.

You could check multiple things - phone and card and Government ID if necessary (lowering the privacy).

This also feels fairer and less stressful - instead of a lottery based on your internet access, or ability to run lots of browsers at once.

This feels harder for scalpers to do to me, as they need more fake identities, but I'd be curious about the actual ratios when trying it. What goes wrong?

Another one I predict is that you can't buy digitally. For examples, the Lewes fireworks display you have to buy tickets in person in a bookshop in Lewes. Doesn't help if you make a digital ticketing system though!

Loughla

The Savannah Bananas do that. You have to enter a lottery to buy tickets.

And if your ID doesn't match the ticket, you don't get in.

It's successful in keeping tickets in the hands of families and fans instead of resale.

londons_explore

I suspect the key thing is that the industry really wants scalpers, but must appear to act against them.

londons_explore

Actual cash income the moment the tickets go on sale.

Removes all the uncertainty and risk and puts it on the scalpers.

clipsy

> I suspect the key thing is that the industry really wants scalpers

Why?

chamakits

Well at least one possible reason is that for live events, the company that has an effective monopoly is Live Nation. And they also own at least one of the platforms where scalpers sell their tickets; Ticketmaster.

I also imagine that as an event promoter, being able to say some variation of "Another sold out show", or "Tickets sold out within seconds" creates pressure for buying early for all future events.

It also takes active planned work to implement these solutions. And if they have a monopoly, they have no incentive to do that work.

sanity

A few months back I built a cryptographic alternative to CAPTCHAs called Ghost Keys[1] that uses a small donation as proof-of-humanity. For donating you get an anonymous keypair that works across services without repeated CAPTCHAs. The economic friction doesn't scale for bot operators, and donations fund our non-profit[2].

[1] https://freenet.org/ghostkey/

[2] https://freenet.org/

DoctorOW

> The economic friction doesn't scale for bot operators

Does the number of keys need to scale? If $1 buys a key for life, and signing can be easily automated why would it stop bots?

sanity

Keys embed approximate timestamps, so services can set age limits. The system was designed for Freenet integration where reputation can be attached to keys - repeat abuse would degrade a key's public reputation over time.

jsnell

> So what’s left?

If the profit per successful abuse event is $200, the author's suggestion of limits on credit card numbers or phone numbers won't work either. Those are only effective against scaled abuse up to something like $1 / event. Bank accounts would almost certainly be more robust, but that seems quite hard to implement outside of a handful of countries where the online auth ecosystem is built around banks.

With generic abuse background, but not knowing anything about the ticketing abuse ecosystem, is doing the sales on a first-come-first-serve basis an absolute necessity from a business perspective? There would be a lot more tools available if the problem was reframed from "decide instantly whether to sell this buyer a ticket" to "decide which 10k of these 100k intents of purchase received during the first 24h to sell the tickets to". And by more tools, I mean offline analysis and clustering, not just a lottery.

(You'd still want to combine that with strongly personalized tickets though. It'd be how you address for bots-as-a-service, not how you address buying tickets to resell.)

thatguy0900

I could see an issue with that since most people are going to be going to events in a group, and won't want to go unless everyone gets their ticket. If I wanted to go with three people, do you lottery us as a group or individually? If I want to go with 5 people and there's a lottery, the best thing to do would be have multiple people buy 5 tickets each, multiply that by every group and you have a lot of people buying tickets who don't actully want them and people who only put one order in get shafted

latentsea

A lot of concerts in Japan work on a lottery. When you enter the lottery you can select for how many tickets up to a set maximum. If you get selected, you're obligated to pay and can't cancel. So... I imagine if you want to go as a group, one person puts in for the lottery and either everyone gets to go or no one does.

muti

Require the intent to include ticket holder names/id and check it on entry to the venue, multiple intents for the same group can be deduplicated

hackingonempty

The reality now is the ticket sellers and bands are the main scalpers and everyone else are now secondary scalpers.

Now that tickets are all electronic and the ticket sellers operate secondary markets there is no "face value" anymore and pricing is dynamic. Not all tickets are released at once and many are offered at "platinum" prices at first.

All through the 60's, 70's, 80's, 90's and 00's concert tickets were around $40-$50 in 2025 dollars, now that is just the service charge. Just go on eBay and look at some ticket stubs then put the price / date into the CPI calculator.

It turns out that the bands couldn't beat the scalpers so they became the scalpers, charging outrageous prices with the assistance of the ticketing companies.

So stopping bots isn't as important as it was when CAPTCHAs were effective, since there is a lot less money on the table for professional scalpers to capture.

teeray

> The naive economic solution to the problem would be raising ticket prices step by step until it is no longer attractive for scalpers to resell your ticket

You can also just do like The Cure did and destroy the secondary market entirely: you can sell tickets through the platform and only for what you paid for them.

markasoftware

how does this prevent the scalper communicating with the buyer to demand an out-of-band payment?

wetpaws

[dead]

raincole

The naïve economic solution is auctioning off all the tickets.

modeless

I am unsympathetic when people insist on selling things for the wrong price and then come up with these elaborate schemes for fixing the problems they themselves caused.

If they would simply sell tickets for the prices people are willing to pay in the first place then they wouldn't need to invade privacy or any of this stuff. I've heard the arguments they use to justify why they don't and they're all hogwash.

Matheus28

How about: each user creates an account with their legal ID. Obviously unique so they can’t create multiple using the same ID. Before the sale, everyone signs up. Once the sale is started, tickets are distributed using a lottery system for the users who signed up (so refreshing like mad doesn’t give any advantage). Can only buy up to 2 tickets per person (their own and an anonymous companion). ID must be shown and would be verified at entrance.

If you wanna be even more strict: You could allow up to X companions, but they must not have signed up with their own account (so they don’t have an advantage for doing so). And they must provide their ID before the event as well and arrive as a single party.

arccy

I think you just described something similar to the Japanese system

AlienRobot

I'm asked for ID on MercadoLivre and PayPal already, but I think it's for tax purposes. Never tried to create two accounts with the same tax ID.

unscaled

This addresses some of the hassle around buying multiple tickets, but does not address the inherent privacy issues. But there are still some problems.

First of all, this remains a hassle in most countries, since handling a national identity number (if such a number exists at all) is restricted by law. Even in some countries that do not legally restrict collection or storage of identity numbers (AFAIK the US does not restrict private sector usage of SSNs), there is rarely wide acceptance of providing your identity number for any purpose other than official government services and financial institutions. This means that in most cases, the event organizer has to resort to more traditional methods of KYC: Requesting some personal details (e.g. full name and birth date) and requiring to present an identity document that carries the details above. Verifying the identity document adds slows down entrance lines and increases the cost.

The other issue with this method is privacy. You're still not breaking the suggested BAP (Bots-resistance/Accessibility/Privacy) theorem suggested by the article. Additional personal information has to be collected and stored until the time of the event.

But I believe there is a way out of this. You can still create a limited resource that is more restricted than phone numbers or credit card numbers, and can be optionally verified at the venue cheaply. The only problem is that would require cooperation from the government (and a great deal of effort if you want to make it perfect). The government needs to already have an online digital KYC method that is bound to your digital ID or an online government account. Then the government can use that method to provide an anonymous federated login that provides a unique ID that cannot be traced back to any national identity number. This is essentially how Sign in with Apple works with "Hide My Email" selected: No personally identifying claims are included in the Open ID Connect ID Token and "sub" is unique (per Apple user + 3rd party service combination), but not traceable back to the the original Apple identity. Unique identities can also become ad-hoc per-event (instead of per ticket provider), which makes them completely private (ticket providers cannot track users across multiple events).

At described above, this service still only provides a limited resource akin to phone numbers. For events where the profit margin from ticket scalping exceeds $100, you could still get some scalpers who'd convince collaborators to identify in with their government account and buy tickets for the scalper for $20 per ticket. If you can get 5 tickets per ID, that's $100 of easy money for 5 minutes of work. You can add simple and fast verification at the venue by requiring the users to generate a QR code that is tied to their unique ID at the venue in order to enter. The QR code cannot be generated in advance and is based on a challenge QR that is presented at the venue. This requires collaborators would have to physically come to the venue or be available at the time the scalper's agents come to redeem the paper tickets at the venue. With a QR code generation and check directly at the gate, scalping is completely impossible (at the cost of longer lines and less entrance flexibility). With printed tickets the scalper needs to send agents to physically collect the tickets and communicate with the collaborators (who need to be available at the day of the event to generate the QR codes remotely) — which greatly inflates the cost of scalping.

Even when you get governments to cooperate with this approach, there are still some holes with this approach. The first issue is that eKYC needs to become popular enough to avoid a large loss in sales. The second issue is raising awareness with regards to privacy-preserving eKYC vs. regular eKYC. This two services look very similar (you log-in with your government account or ID to prove your identity), but the scope of the information shared couldn't be more different. Normalizing eKYC carries the risk of people becoming careless about divulging private information. Luckily, this could easily be solved by governments restricting private sector parties to which full eKYC is provided based on their callback domain names and registered credentials (like OAuth client ID and client secret).

The last problem is the probably the most complex one to tackle: how would you accommodate tourists? After all a lot of the venues sell a large share (or even the majority) of their tickets to tourists. I can think of two possible answers.

The first approach is to fall back to a manual passport-based KYC process for tourists. Tourist ticket buyers would have to enter their name and passport number in advance and the passports would be verified in person at the venue. This can be slightly sped up with automatic passport scanners if the venue has a high volume of visitors that warrants the costs. This approach seems to be where China is going: the resident ID card is used for entrance to many places and even for buying railway tickets, but tourists just use their passports. This works well when the percentage of tourists is low, but at a venue which expects a high number of tourists you'll run into all the issues I've described above.

The other option is probably more of a pipe dream, but it would be nice if countries could issue a temporary (and restricted) eKYC account to visitors when they complete their ETA. Even countries without ETA can still offer a pre-registration system just for obtaining an eKYC account in advance. This eKYC account can be used to purchase tickets in the destination country in advance, but it would only be activated for generating gate QR codes when physically entering the country with the matching passport. The main limitation of this approach is that you must first obtain an ETA before purchasing tickets, but you'd usually already have concrete travel plans by the time you're purchasing the tickets.

zaik

Sell at the economic equilibrium price (determined by auction) and whoever actually enters the venue receives the difference between the auction price and the desired price by the organizer in cash or maybe in form of a coupon for their next concert.

Horffupolde

That results in unbounded offers.

zaik

Sounds like an interesting situation! But I do see the flaw in my proposal now. It will select for the top-n richest customers, which kind of undermines the point of selling at a fixed price.

djoldman

Unfortunately, the solution to something like this is more intense KYC and lawsuits.

You don't defend at the web, you defend in the courtroom and bank.

I assume it's too expensive or the ticket sellers don't actually care, they just want to think they care.

devwastaken

you defend at the ID system. anonymous cert chain ID fixes this. the u.s is defined by its fraudulent business and therefore no one in power wants it.

nikolayasdf123

how about on-device biometrics?

most of traffic is from mobile devices anyways. they have biometrics (e.g. Apple FaceID, fingerprint). they also have DeviceCheck (Apple Hardware + Apple servers) integrity checks of device/binary that is making requests. it is also free and private.

why using this technology is not part of conversation? seems like utmost strongest guarantees and perfect fit?

moneywaters

Yeah that's good solution

charcircuit

>Most organizers, including for-profit organizations, do not want to choose this option due to ethical concerns or concerns about community building.

The alternative is selling the tickets to scalpers which doesn't seem ethically better or better at community building as compared to directly selling it to fans.

Even if you assign tickets to IDs scalpers will sell access to bots instead to capture the delta between market price and the price the ticket is being sold for.

DrillShopper

Sell the tickets with a decreasing price - early tickets are very expensive, late tickets are not, and hold back between 10% and 20% until day of sale at the lowest price.

Make the scalping bastards choke on it, and break FOMO all at once.

rendx

One option that I not see discussed in the blog post: Collecting user signals locally and using those access patterns (mouse movement, clicks, IP/site browsing history) to discriminate between "standard" site usage and bots; so like a "reCaptcha lite", not trained across many sites but trained specifically on the target.

For a ticket platform like pretix that can be run self-hosted alongside the main site, this should give you enough signals to discriminate between normal users and bots, unless they are specifically targeting that site, or am I mistaken? Even just pure web server access logs may be sufficient on smaller sites so this might work even without JS?

jsnell

This seems pretty well covered by the post?

Doing any kind of access pattern analysis leaves you with the problem of handling false positives, and your proposal doesn't help with the accessibility problems.

IP addresses aren't a panacea here -- this is a high margin business where the attackers can switch to high cost / high quality proxies.

> unless they are specifically targeting that site

In this case the attackers would very specifically be targeting specific sites (ones selling tickets to events with more demand than supply).