Why Taylor Swift Fans Got Blocked For Being Bots
Published: 20/07/2023

  • Alex McConnell, Cybersecurity Content Specialist

Taylor Swift’s Eras tour has literally been the hottest ticket in music over the past few months, with millions of fans scrambling for their spot in arenas and stadiums around the world.

But many “Swifties” have been left heartbroken as the demand far outstrips the number of tickets available. To make the pill even more bitter to swallow, there are plenty of tickets available to buy for the sold-out shows – but at many times their face value, on secondary markets.

This is thanks to scalper bots: automated programs that buy up tickets the second they go on sale, before inflating their price and selling them on. Taylor Swift’s fans have been equally vocal in their disdain for both the scalpers and the ticketing platforms that have been exploited by them, calling into question legislative measures designed to outlaw ticket scalping practices in various countries.

Ticket touts have been profiting off the gap between supply and demand since long before the internet came along, but bots have made it even more challenging for fans to get fair access to tickets.

Hear more insights on how the Australian government is tackling touts for Taylor’s tickets on the Cybersecurity Sessions podcast.

A unique problem for ticketing

Part of the problem is that demand for digital ticketing platforms is unprecedented in any other industry. Netacea bot specialist Tom Platt has firsthand experience. “I once hosted a panel with three performance architects: one from a ticketing site, one from a sports betting site and one from an online retailer. They all thought they had huge spikes in traffic, but in reality, the ticketing site dwarfed every other sector. On top of this, the margins in ticketing were lower, and the budgets were leaner!”

Demand for tickets, especially for artists like Taylor Swift, far outstrips supply. There might only be 20,000 tickets available in the venue for a particular date, but this doesn’t stop millions of people trying to access that relatively small number of tickets all at once, within minutes of the tickets going on sale. This often causes web platforms to hit their capacity limits, which results in unexpected errors or even crashes and failures that frustrate both fans and website infrastructure teams.

Matthew Gracey-McMinn, Head of Threat Research at Netacea, points out that a common suggestion – to increase the capacity of the ticketing platform to cope with this level of traffic – is at best uneconomical and at worst futile. “Say we have a stadium of 20,000 people, there's not much point having more than 20,000 people on the site at once, because I can't sell more than 20,000 tickets in total. If I start letting, say, 50,000 people on… that starts getting really, really complicated because you've got people on the site actively fighting each other, and that gives bots another advantage because they're so much faster than humans.”

Guess what? I’m not a robot

In response to this global trend of bots snatching up tickets directly from authorized merchants, causing widespread dismay and public outrage, ticketing sites are getting more aggressive in their bot mitigation methodologies.

But when blocking invalid traffic, there’s a risk of acting on “false positives” – shutting out legitimate human users wrongly identified as bots or as malicious. The false positive rate depends on the accuracy of detection and the force with which subsequent mitigations are applied.

For example, a suspected bot could be “soft blocked” by being shown a CAPTCHA challenge; aspects of the user’s identity (IP address, session ID etc.) might be added to a watch list for further investigation. This adds friction to the user journey, but hopefully only to users displaying bot-like tendencies and gives human users a chance to prove they are not a bot.

At the other end of the scale, if a business is confident the user is a bot, they could “hard block” the user immediately, preventing any connections from their IP address. But if detection is not 100% accurate then inevitably some real customers will be blocked and will have to jump through hoops to reinstate access via contacting customer support, by which time the tickets will likely be sold out.
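The soft block / hard block trade-off above can be made concrete. The following is an added illustration, not Netacea’s code: it applies a detector with an assumed true-positive and false-positive rate to a sale with an assumed bot share, shows how many real fans a blanket hard block would catch and how the precision of the flagged set depends on that bot share, and maps a per-request bot score to the tiered actions the text describes (allow, CAPTCHA plus watch list, hard block). All rates, thresholds and request records are constructed.

```python
"""Tiered bot mitigation and the false-positive cost of hard blocking.

Added illustration (not Netacea's code). Every number here is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    tpr: float  # fraction of bot requests the detector flags (sensitivity)
    fpr: float  # fraction of human requests it wrongly flags


def humans_wrongly_blocked(det: Detector, bot_share: float, requests: int) -> int:
    """Expected real users shut out if every flagged request is hard blocked."""
    humans = requests * (1.0 - bot_share)
    return round(humans * det.fpr)


def flagged_precision(det: Detector, bot_share: float) -> float:
    """Fraction of flagged requests that really are bots.

    Even a good detector has poor precision when bots are a small share of
    traffic; the same detector looks far better on a bot-heavy sale.
    """
    flagged_bots = bot_share * det.tpr
    flagged_humans = (1.0 - bot_share) * det.fpr
    return flagged_bots / (flagged_bots + flagged_humans)


def decide(score: float, soft: float = 0.6, hard: float = 0.95) -> str:
    """Map a per-request bot score in [0, 1] to an action.

    Below `soft`: allow. From `soft` up to `hard`: serve a CAPTCHA and add the
    session to a watch list (the 'soft block'). At or above `hard`: hard block.
    The thresholds are constructed; a real deployment would tune them against
    the false-positive budget the business can tolerate.
    """
    if score >= hard:
        return "hard_block"
    if score >= soft:
        return "captcha"
    return "allow"


def triage(scores: list[float]) -> dict[str, int]:
    """Count actions over a batch of constructed per-request scores."""
    return dict(Counter(decide(s) for s in scores))
```

The same `fpr` that is tolerable as a CAPTCHA rate can be ruinous as a hard-block rate: `humans_wrongly_blocked` turns the percentage into a count of fans who would have to contact support.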

Many Taylor Swift fans found themselves falsely flagged as being a bot, indicating an aggressive hard blocking strategy as ticket sites endeavoured to keep bots at bay in response to the high percentage of bot traffic anticipated during the sale.

“It's kind of like using a mallet when really what you want is a scalpel,” says Gracey-McMinn. “Rather than the mass cutting out of everybody that behaves like a bot, they want to try and identify individual bots as they're coming in. But it is a constant battle because if you block the bots this time… they're going to retool, they're going to figure out, ‘How did you detect me? How did you block me? Let me try something else to get round your defenses.’”

To compound frustrations, many tickets immediately appeared on reseller sites at inflated prices – indicating that scalper bots still managed to get through and make purchases. One media outlet reported a £200 face value ticket being resold for close to £10,000 – 50 times the original price.

How did bots break through defenses, yet again?

How did bots beat hard block mitigation whilst many users fell afoul of it?

Bots are designed to adapt to and bypass defenses. Most are built to emulate human behavior to dupe anti-bot checks, such as how the mouse moves, how long they spend on each page, and what kind of device they (appear to) originate from.

However, even if a bot does get caught in a hard block, it can easily switch to a different connection by rotating IP addresses, datacenters and user agents. Some bot operators pay for services that have access to millions of residential IPs – connections shared and used by genuine humans as well as bots, making it less likely businesses will block them.

For those customers who were hard blocked, their own connections may have been compromised and used in this or previous bot attacks, flagging their IP as a potential bot and landing them in the “hard block” pile.

The ticketing sites instructed humans caught in the hard block to “try logging in through another device, clearing your cache, turning off VPN, or going off wi-fi to phone data” – essentially the anti-bot playbook. Ironically, it’s difficult for the average human internet user to change their connection, but bots are built to do this instantly.

Pre-registration was another measure designed to limit the amount of traffic to the site during the sale, but bots are very good at automating form fills using fake identities, giving them easy access to queue codes in bulk.

Can bots be beaten at this scale?

The problem boils down to adding enough barriers to keep bots out without creating too much friction for real fans. This is challenging because, with huge markups on each ticket resold, bot developers are incentivized to create workarounds for any defenses they come up against.

As a result, defenses must be imperceptible to bot operators. Detection methods and mitigations must be instantly adaptable to keep pace with bots as they change tactics on the fly. Block lists and human emulation detection on the client side are no longer dependable, and risk frustrating real fans.

Instead, bot management solutions like Netacea analyze server-side signals to detect bot activity. Using machine learning algorithms and artificial intelligence, billions of web requests can be instantly clustered into groups based on their behaviors, intent, reputation, origin and thousands of other datapoints.

This way, real users can be distinguished from bots acting maliciously and mitigation action taken immediately. Bots have no visibility of how they were detected, so they can’t reverse engineer their way around the solution. And fans never even notice they’ve passed through bot detection on their way to buying tickets.
