Hacking Ticketmaster

by battery  (battery@chicago2600.net)

Ticketmaster, the company that charges insane fees in exchange for printing tickets and dropping them in the mail to you, recently started allowing customers to print their own tickets.

The new system is called TicketFast.  It allows the customer to buy tickets for an event on the Ticketmaster website, then digital images of the tickets are emailed to the customer, who prints out the tickets and goes to the event.

The first question we need to ask is simple.  What is the control mechanism that Ticketmaster is using to keep me from printing the tickets more than once?

The answer is, there isn't one.

You can print as many copies of the tickets as you want.  However, there is a simple barcode on the bottom of the printed page.

When you go to an event that uses TicketFast, your ticket is scanned when you enter the venue.  The venues appear to be using custom monochrome Palm OS devices.  They have a barcode scanner and are wirelessly connected to a ticket database.  When your ticket is scanned it is marked in the database as "used."  Therefore, anyone with a second copy of your ticket (and the same barcode) would be refused entry because someone had already been admitted with that unique ticket's barcode.

Now let's get into how this system can be abused.

The ticket images are sent via email as PDF files.  They are very easily Photoshopped.  It is only a matter of minutes to change the lettering on the tickets to change sections, rows, seats, or any other location information.

The person at the door of the venue will scan your ticket's barcode to verify that it is a valid ticket.  They usually don't even look at the seat information (this does probably vary by venue).  This means that in order to get into the venue, you are going to have to have a unique barcode that has not been used.

It has been my experience that many concerts charge different prices for different seats, usually based on location, distance from the stage, seats vs. lawn, etc.

This is especially common in outdoor amphitheaters where there is usually an area with seats close to the stage and open lawn areas near the rear.  The tickets for the reserved seats are usually more expensive than the lawn tickets.

Many times ushers request to see your ticket before allowing you to enter a section's seats, especially ones close to the stage.  This keeps the people who bought the cheaper lawn tickets out on the lawn and not in the seating area.

There are two major exploits I can see working here.

First would be the access exploit.  These exploits probably work the best at events that are not sold out.  Let's say a group of four people are going to a concert.  You have one order a ticket close to the stage (usually at a high price) using TicketFast and the other three buy the cheapest seats available.  When the tickets are emailed to you, you create four copies of the expensive ticket and use a graphic editor like Photoshop to replace the barcodes on the three copies of the expensive ticket with the barcodes from the cheap tickets.  When you're done you should have four copies of the expensive ticket but each will have a unique barcode.

This allows you to get into the venue with a valid ticket according to the database, and allows you to have tickets that appear to be in the close section, effectively fooling ushers who will only visually verify your tickets when entering the seating section.  It would also be wise to alter the three copies to have different seat numbers, just in case an observant usher notices that the four of you have the same exact seat number.

The biggest benefit for this exploit would be for general admission concerts that have no seats on the floor, but seats around the venue (think an indoor stadium or sports arena).

At many rock concerts I've been to that have general admission floor tickets, usually you have to get a wristband to get to the floor.  When you get into the venue there is usually a table that will give a wristband to people holding "floor" tickets.  As long as the venue does not scan your ticket when you get your wristband, you are set!

In fact, at a concert I went to recently, my ticket was stamped when I was given a wristband.  The idea is that you cannot get a second wristband with the same ticket but you can make as many copies of your ticket as you want to get as many people on the floor as you wish.

However, if your ticket's barcode is scanned when you get your wristband, you are out of luck because your barcode will only be valid once, like it was at the door.

Maybe you would like to have several copies of your ticket with you at the event.  Or maybe you would like to have tickets in several sections - so you can wander between sections.  With TicketFast, this is now possible.

So what can Ticketmaster do to stop these exploits?

Here's the interesting part: It will be surprisingly difficult because most venues are independently operated.  Each will have policies and rules that will vary greatly.  Because of this there is no simple way to control the procedures being used at every venue.

Also, in order to stop the barcode swapping trick, patrons will have to have their tickets scanned when they enter and leave their seats.  The ticket database would have to track who is in their seats and when they leave for snacks or to go to the bathroom, then reauthorize that ticket for reentry.

Logistically this would be a nightmare, not to mention quite Orwellian.  The ultimate solution is for Ticketmaster to abandon the TicketNow system or completely overhaul its control devices.  Until that happens it will be ripe for exploit.
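
A minimal model of the scanning scheme discussed in this article, added here as an example and not Ticketmaster's code: the door scan is the single-use check the article describes, and the section scans are the enter/leave tracking the article says would be needed, with the section taken from the database record instead of the printed page.  The class names, status strings, barcode values and section names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Ticket:
    barcode: str
    section: str            # authoritative section, stored server-side
    admitted: bool = False  # set by the door scan
    seated: bool = False    # set/cleared by the section scans

class TicketDB:
    def __init__(self, tickets):
        self._by_barcode = {t.barcode: t for t in tickets}

    def scan_at_door(self, barcode):
        """Single-use admission, the one check the article describes."""
        t = self._by_barcode.get(barcode)
        if t is None:
            return "REJECT unknown barcode"
        if t.admitted:
            return "REJECT already used"
        t.admitted = True
        return "ADMIT"

    def scan_at_section(self, barcode, section):
        """Section entry decided by the database record, not the printout."""
        t = self._by_barcode.get(barcode)
        if t is None or not t.admitted:
            return "REJECT not admitted"
        if t.section != section:
            return "REJECT ticket is for " + t.section
        if t.seated:
            return "REJECT holder already in section"
        t.seated = True
        return "ENTER"

    def scan_leaving_section(self, barcode):
        """Clears the seated flag so the same ticket can re-enter later."""
        t = self._by_barcode.get(barcode)
        if t is None or not t.seated:
            return "IGNORED"
        t.seated = False
        return "LEFT"

def demo():
    db = TicketDB([Ticket("0001", "PIT"), Ticket("0002", "LAWN")])  # constructed
    return [db.scan_at_door("0001"), db.scan_at_door("0001"),
            db.scan_at_door("0002"), db.scan_at_section("0002", "PIT"),
            db.scan_at_section("0001", "PIT"), db.scan_at_section("0001", "PIT"),
            db.scan_leaving_section("0001"), db.scan_at_section("0001", "PIT")]
```

The fourth result in demo() is the case the article turns on: the barcode is valid at the door, but a section scan answers from the stored record, so whatever section is printed on the page has no effect.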
