If you're hoping to score tickets to some of the country's biggest summer concerts when they go on sale within the next few weeks, you could find yourself up against computer hackers who can order up hundreds and even thousands of tickets in the time it would take you to punch in a single order.
Scalpers looking to jump the online queue can program a computer to circumvent Ticketmaster's website security and automatically order tickets at speeds far beyond ones the ordinary buyer could hope to match.
But even if the hackers don't get there before you, regular ticket buyers could flood the online ordering site in such numbers that all the tickets could be sold out in minutes, or even in less than a minute depending on how tickets are being released.
"Maybe it takes you a minute and a half to click through to buy a ticket, in that minute and a half the hacker could have made 100,000 ticket requests," said Ryan Purita, a forensic examiner and security specialist with Vancouver- based Sherlock Forensics. "You cannot beat a hacker script.
"Nobody can type that fast and that's where the advantage comes from."
Despite the ticket giant's success in getting an injunction against a U.S. company, RMG Technologies, that was selling software to automate ticket purchases through the Ticketmaster site, Purita said the practice is still wide open to any hacker who wants to follow instructions freely available online.
"You get rid of one company, so what?" he said. "It doesn't mean the scripts don't exist.
"It doesn't mean anyone with a few hours to burn won't be able to do it.
While Ticketmaster says it is in a constant "cat and mouse" game trying to keep one step ahead of hackers, chief technology officer Brian Pike said ticket buyers for in-demand concerts are more likely to find themselves competing against other fans than against a bot (a robot computer) operated by a hacker.
"I would like to think there are no bots there, but I know a few get through, " he said. "If Coldplay is coming to Vancouver and there are 5,000 or 10,000 people hopping on the website to get tickets, they are outweighing anything the bot might try to do."
The effect might be the same for would-be concertgoers who could find all the tickets sold within minutes - if not seconds - of the online sales opening.
"When it is put on sale, we could be servicing 1,000 consumers from the very beginning and if 1,000 people get two or three tickets each, that could be thousands of seats handed out in the first few seconds or half-a-minute," Pike said.
"You want a ticket for the show, you are at the website within five minutes of it opening, and you'd expect to get a ticket," he said. "But (hackers) have found a way to blow through it and get as many tickets as they want, and there are none left for anyone else."
The first step for hackers wanting to bypass the limitations on ticket sales is defeating the "captcha," which stands for "completely automated public Turing test to tell computers and humans apart." That's the little box on websites where you have to type in a phrase that supposedly can be recognized only by humans and so is meant to block computer-generated responses.
However, captchas can be defeated, and Purita said that allows hackers to automate ticket purchases, masquerading as many buyers with different credit card numbers and mailing addresses.
One computer can deliver multiple requests, each one ordering the maximum number of tickets available for individuals. The hackers also easily block or spoof the IP (Internet protocol) address of the computer making the requests.
Purita said hackers are adept at disguising their identity and other distinguishing information such as postal addresses.
"They use different addresses, different credit cards and different identities, but it is one person manipulating it."
Pike said while he doesn't want to tip off hackers to all the measures the company takes to try to thwart their methods, the company has taken both legal measures and other strategies that have slowed the hackers down.
"We increase their costs and decrease their ability to get any real edge against anybody else," he said. "It is definitely a cat-and-mouse game. There's a lot of money in tickets, so we do attract some ingenious people."
Pike said the captcha is the first line of defence, and if that succeeds, hackers are reduced to hiring people in developing countries to type in the captcha. Or they can hire people in a phone room here to make the calls, which raises their cost of doing business.
"If they are hiring 20 people, they will be able to get 20 people's worth, but shouldn't be able to get 1,000 people's worth."
