BWW Interview: Security Expert Omri Iluz's Guide To Bots: What They Are And How They Get The Tickets You Want
With its Tony Award for Best Musical, Pulitzer Prize For Drama, Grammy Award for its original cast recording and countless other accolades, Lin-Manuel Miranda's HAMILTON is not only the most significant theatre piece currently running on Broadway, but it has arguably achieved more mainstream popularity and attention than any other American stage production.
Additionally, an important off-shoot of HAMILTON's popularity is the increased attention being paid to the unscrupulous methods used by scalpers to hoard tickets for hit Broadway shows and other popular events, and the response of producers to raise premium ticket prices to a point where buying in bulk is an unattractive prospect for third-party purchasers.
More and more Broadway fans are hearing the word "bots" bandied about as a reason for both a scarcity of tickets and skyrocketing prices. As reported by BroadwayWorld, Miranda's June 7th New York Times op-ed piece urged New York State lawmakers to take further steps to combat the use of bots, and today BroadwayWorld reported on the New York State Assembly's new measure to control ticket-purchasing by scalpers.
As co-founder and CEO of PerimeterX, Omri Iluz has made a career out of combating ticket bots. His company provides scalable, behavior-based threat protection technology for the web, cloud and mobile. With fifteen years of experience in product development, web security, sales and business development, Iluz offers an explanation of how bots work in layperson's terms.
"A bot is a computer program that performs some defined task, typically repetitive. In this case a bot is a computer program that continuously tracks an online ticketing service and based on preset criteria, strives to purchase limited availability or highly desired tickets in order to resell them at a higher value."
"This is a task that is ideal for a machine, as unlike humans, it can constantly check a site, and grab an available ticket within milliseconds. Extremely popular shows and sold out shows are the main targets for such attacks. Shows and tickets are typically released at some given time, and being first and quick to purchase is key to securing the desirable tickets. A scalping bot will be programmed to constantly monitor the ticketing site for an available ticket or a newly released show, and quickly go through the checkout process by selecting tickets and completing the checkout process to secure the tickets."
Iluz adds that bots have been around for almost as long as tickets have been available online, with developers continually upgrading them to become harder to detect.
Stopping bots, Iluz explains, is a matter of sellers being able to differentiate between the behavioral characteristics of a human being trying to buy a ticket and the behavior of a non-human program.
"For example," he says, "look at the movement of a mobile phone. Real phones are never completely static or completely random. If a phone seems to not move at all, or move at predictable or random patterns, it is most likely not being used by a human."
Iluz explains that bots are still detected primarily with legacy technology, which relies mainly on two signals:
- Volume of activities per location or internet address: The number of page refreshes, number of orders and number of credit cards used are just a few of the metrics that are being followed.
- Masked or hidden originating source: Anonymizing services like Tor are trivial cases to block, but unfortunately corporate virtual private networks (VPNs) can also be detected as a hidden source of traffic.
To detect bots properly and avoid blocking real users through mis-detection, bot detection techniques track the true behavior of a user rather than simply rate-limiting IP addresses. Though lawmakers can take measures to criminalize the methods scalpers use to unfairly obtain tickets, it's a continual competition between those who are improving the deceptive qualities of bots and those who are improving the ways to detect them.
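To make the difference between the two approaches concrete, here is an added illustration that is not part of the interview and is not PerimeterX's technology. It runs a per-address volume rule (refreshes, orders, credit cards) and a per-session timing check over the same constructed traffic; the event fields, thresholds and the use of refresh-interval regularity as a simplified stand-in for a behavioral signal are all assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample events: (source_ip, session_id, seconds, event, card_id)
EVENTS = []
# One scripted session: a refresh every 0.5 s, then 3 orders on 3 cards.
for i in range(40):
    EVENTS.append(("203.0.113.7", "bot-1", i * 0.5, "refresh", None))
for i, card in enumerate(["c1", "c2", "c3"]):
    EVENTS.append(("203.0.113.7", "bot-1", 20 + i, "order", card))
# Twenty office workers behind one corporate VPN address, uneven timing.
HUMAN_GAPS = [4.0, 11.5, 2.5, 19.0]
for u in range(20):
    t = float(u)
    for gap in HUMAN_GAPS[: 2 + u % 3]:          # 2 to 4 refreshes each
        t += gap
        EVENTS.append(("198.51.100.9", f"emp-{u}", t, "refresh", None))
    if u % 5 == 0:                               # a few of them buy a ticket
        EVENTS.append(("198.51.100.9", f"emp-{u}", t + 30, "order", f"v{u}"))

def flag_by_ip(events, max_refresh=30, max_orders=2, max_cards=2):
    """Legacy rule: volume of activity per internet address (assumed limits)."""
    stats = defaultdict(lambda: {"refresh": 0, "order": 0, "cards": set()})
    for ip, _sid, _t, kind, card in events:
        stats[ip][kind] += 1
        if card:
            stats[ip]["cards"].add(card)
    return {ip for ip, s in stats.items()
            if s["refresh"] > max_refresh or s["order"] > max_orders
            or len(s["cards"]) > max_cards}

def flag_by_session(events, min_refresh=10, max_jitter=0.1):
    """Behavior rule: many refreshes at near-identical intervals in one session."""
    times = defaultdict(list)
    for _ip, sid, t, kind, _card in events:
        if kind == "refresh":
            times[sid].append(t)
    flagged = set()
    for sid, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_refresh and pstdev(gaps) < max_jitter:
            flagged.add(sid)
    return flagged

if __name__ == "__main__":
    print("flagged addresses:", sorted(flag_by_ip(EVENTS)))
    print("flagged sessions: ", sorted(flag_by_session(EVENTS)))
```

The volume rule flags both addresses, so blocking on it would lock out the whole office; the per-session check flags only the scripted session.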