“Bots” first entered popular consciousness last year with the passing of the BOTS Act, and the proliferation of messaging bots. However, those of us in the ticketing industry have been dealing with bots for years. Rami Essaid, CEO of Distil Networks, and Niels Sodemann, CEO of Queue-it presented the evolution of good and bad bots, their impact on the ticketing ecosystem, current and pending legislation, and innovative onsale bot mitigation strategies.

2. ▪ Introduction
▪ Bots 101
▪ BOTS Act and what it covers (and doesn’t cover)
▪ How bots can impact your major onsales and associated
mitigation strategies
▪ StubHub case study
▪ Q&A

3. Rami Essaid
CEO & Co-founder,
Distil Networks
Niels Sodemann
CEO & Co-founder,
Queue-it
Distil Networks is the only proactive
and precise bot mitigation solution for
web applications, mobile, and APIs.
▪ Founded in 2011
▪ 180 employees
▪ 5 offices
▪ $65 million in funding
The use of Queue-it has ensured online
fairness during high-demand online events
for more than 1.5 billion consumers
worldwide.
▪ Founded in 2010
▪ 63 employees
▪ 2016 TTA winner of Supplier of the Year
DenmarkSilicon Valley

4. Awards and Analyst Recognition
The only anti-bot solution to be included
in Gartner’s Online Fraud Detection
Market Guide 2-years running
“Distil’s ability to analyze behavior provides
the best chance of detecting and blocking
bot-driven attacks.”
“Clear innovation compared to
similar services.”
2017 WINNER: Best Fraud Prevention
Solution

5. Telling the story together

6. Bots 101

7. Good bots
▪ Search engine crawling
▪ Power APIs
▪ Check system connectivity & status
A ‘bot’ is an automated program that runs on the internet
Bad bots
▪ Steal content
▪ Scan for vulnerabilities
▪ Perform fraud etc.
Traffic Distribution by Type, 2016

8. What concerns you most about the impact of bots on your
organization’s website(s)?
▪ Website Security
▪ Transaction Fraud
▪ Lost Revenue to Scalpers
▪ Poor Customer Experience
Survey

9. How are you addressing your bot concerns?
▪ Addressing now
▪ Plan to address this year
▪ Plan to address next year
▪ No plans to address
▪ Don’t know
Survey

10. The BOTS Act explained

11. ▪ Prohibits the circumvention of a
security measure used to enforce ticket
purchasing limits for an event with an
attendance capacity > 200 pers.
▪ Prohibits the sale of an event ticket
obtained through such a circumvention
violation if the seller participated in, had
the ability to control, or should have
known about it
BOTS Act key prohibitions

12. ▪ Scalping
▪ Sniping
▪ Spinning
20% of traffic bad bots
OWASP Automated Threats relevant to BOTS Act

13. Ticketing Bots Sophistication

14. Other legislation

15. ▪ Must Have Protections
Prohibits the circumvention of a security
measure used to enforce ticket purchasing
limits for an event with an attendance
capacity > 200 pers.
Who does it impact? Primary Ticketing.
▪ Federal Trade Commission Audits:
Treats violations as unfair or deceptive acts
under the FTC Act. The bill provides authority
to the FTC and states to enforce against such
violations

16. ▪ Must Have Protections
Prohibits the circumvention of a security
measure used to enforce ticket
purchasing limits for an event with an
attendance capacity > 200 pers.
Who does it impact? Secondary Ticketing.
▪ FTC Audits
Treats violations as unfair or deceptive
acts under the FTC Act, provides
authority to the FTC and states to
enforce against such violations
Prohibits the sale of an event ticket
obtained through such a circumvention
violation if the seller participated in,
had the ability to control, or should
have known about it

17. Can you enforce?
Who does this impact? Venues.
Can you comply? Can you cooperate?

18. If you aren’t bypassing security measures on a website in order to get
tickets, you aren’t breaking the law.
▪ Doesn’t eliminate the ability to buy & resell tickets obtained legally
▪ Doesn’t address historical relationships between sellers and reseller
▪ Doesn’t make the 40% of tickets not on public sale magically
reappear
What the BOTS Act does not address

19. ▪ Bots: scapegoat for a bigger problem in ticketing
▪ Humans + scripts: Cubefarm of people operating
bots with industry experts managing them
▪ 7 years + $25M later, FBI cracks down in 2010
▪ Ken Lowson now a wiseguy turned good
…and then there’s Wiseguys
Source: https://motherboard.vice.com/en_us/article/the-
man-who-broke-ticketmaster

20. ▪ Precise log in, processing thousands of
purchases faster than any human
▪ Fooling CAPTCHA, with huge database
of combinations + operating at
lightning speed
▪ Securing best seats & selling them at a
steep markup for resale to the public
How they did it
Source: U.S. Attorney Office, The Star Ledger

21. Other ‘wiseguys’ like ShowsOnSale continue to pop up,
historically hard & expensive to prosecute

22. Why you can’t sell out in 20 minutes
Ticket onsales timeline
It’s not possible to sell out in less
than 2x basket/cart timeout time
More info: https://queue-
it.com/presentation-can-you-sell-out-in-
2-minutes-no-learn-why/

24. In other words, as a venue, organization or ticketing
software platform, it is still on you to defend against
this fraudulent activity during your major onsales

25. How bots abuse the logic of online ticket sales
Distil Networks Queue-it Distil Networks

26. Before onsale: Account Creation
Distil Networks Queue-it Distil Networks

27. Before onsale: Account Takeover
Distil Networks Queue-it Distil Networks

28. Account Takeover Attacks

29. Financial fraud
Targets are accounts at financial
or e-commerce services that store
users’ banking details. The
attackers perform unauthorized
withdrawal from bank accounts
or fraudulent transactions using
the credit/debit cards on file.
This includes virtual currency
such as bitcoin, in-game currency,
and rewards programs. This is all
worth real money.
Account Takeover Attacks: Why?
Spam
Spam can appear in any
service feature that accepts
user-generated content,
including discussion forums,
direct messages, and
reviews/ratings, degrading
platform integrity and brand
reputation.
Phishing
Attackers can assume a
compromised user’s identity
and launch phishing attacks on
others in his/her social circle to
steal their credentials,
personal information, or
sensitive data.

30. “Over 50% of web applications attacks use
stolen credentials.”
“An attack on one company is a potential
threat to all companies.”
“Mitigating these types of account takeovers is
critical to maintaining customer loyalty.”
Breaches in the News
Image: Verizon
Sources: Krebsonsecurity.com, Bankinfosecurity.com, Bloomberg.com, & Privacyandsecuritymatters.com,
Verizon Data Breach Incident Report
Hotmail - 33M Logins/Pwds - May 2016
LinkedIn - 167M Logins/Pwds - Nov 2012
VK.com - 100M Logins/Pwds - June 2016
Mail.ru - 57M Logins/Pwds- May 2016
Yahoo! - 40M Logins/Pwds - May 2015
Tumblr - 65M Logins/Pwds - June 2016

31. Account Takeover Bots Sophistication

32. Day of onsale / During onsale
Distil Networks Queue-it Distil Networks

33. Volume
Distil Networks Queue-it Distil Networks

34. Volume
▪ To achieve this, spinner bots
create many hits
▪ Queue-it can recognize this as
coming from same device and will
block
▪ 50% of blocking during a major
onsale is due to spinner bots

35. Speed
Distil Networks Queue-it Distil Networks

36. Speed
▪ Any speed scripted
bots arriving before
the event are placed
in the randomized
pre-event waiting
room before the
event launches
Pre-event queue page Live event queue page

37. During ticket purchase
Distil Networks Queue-it Distil Networks

38. Credit card fraud

39. Multiple purchases, exceeding limits
Distil Networks Queue-it Distil Networks

40. IP Address
Header & User Agent Information
Cookie Browser
200+ Attributes of data
Navigator, WebGL, Plugins, Audio, Video, etc.
Tamper proofing layer
Distil Hi-Def Fingerprint
Identification Must Go Beyond the IP Address...

41. StubHub Case Study

42. StubHub Case Study
Account Takeover and Fraud
“Distil helped us greatly reduce
transaction fraud and account
takeovers.”
Marty Boos
CIO, StubHub

43. StubHub Case Study
Ticket Scraping
“Competitive data mining for
ticket prices and inventory
information was a constant
threat.”
Marty Boos
CIO, StubHub

44. StubHub Case Study
Skewed Conversion Tracking
“The number of conversions were
greatly deflated because of bad
bot traffic. Now that we’re filtering
bad bot traffic out, we’re able to
see what the real data is and
make decisions based on real
visitors.”
Marty Boos
CIO, StubHub

45. StubHub Case Study Conclusions
In reference to the before, wait and buyer journey:
“I like this multi-layered approach”
George Loyer, Director
Technical Operations, StubHub
Distil Networks Queue-it Distil Networks

46. Q&A
Rami Essaid
CEO & Co-founder,
Distil Networks
Niels Sodemann
CEO & Co-founder,
Queue-it

47. Free trial Free trial
www.distilnetworks.com/trial www.queue-it.com/free-trial