
Here’s how to provide fair ticketing online

Updated: 17 Apr 2024

A new year and a new decade are upon us, which means it’s time for everyone - people and organizations alike - to make their new year’s resolutions. If you are a ticketing website and don’t already have it on your list, Source Defense advises you to put “improving cybersecurity habits” at the top.

Each year, technology advances and digital solutions make our lives easier. But with these advances come new cyber threats. For businesses and website owners, this past decade has introduced amazing 3rd party tools that help make shopping experiences better for consumers, but also pose risks that cannot be ignored.

The holiday season is the ultimate shopping season. It is a time of increased cybercrime activity, and the ticketing industry is on every hacker’s target list. While this vulnerable season is over, ticketing websites are still not out of the woods and need to prepare for the many pitfalls still ahead.

Formjacking, credit card skimming and JavaScript sniffing are only a few of the exploitative data breaches common in the ticketing industry. In 2018, Black Friday and Cyber Monday in the US brought on a wave of hackers who breached valuable business data through illicit access to ticketing websites. Disguised as well-known ecommerce brands, hackers were able to launch a whopping 6,000 malicious apps under the pretext of special offers for Black Friday and Cyber Monday.

A closer look at the online ticketing industry 

Websites in all industries are vulnerable, so why put the ticketing industry in the spotlight? In short – ticketing websites are a prime target for hackers and are attacked more often than others. We will get to that in greater detail later in this post. Organizations invest in solutions that will help them protect their customers and create fair and positive experiences, despite the many challenges along the way.

The fight against malicious bots 

One common issue is abuse by bad ticketing bots. According to Imperva, 39.9% of all ticketing traffic is from bad bots. Just as ticketing websites place a strong emphasis on fairness to create a great experience for their customers, these bots create an unfair environment during ticketing onsales.

One example of this is when tickets for a U2 concert went on sale in December 2014: according to a report published by the office of the New York State Attorney General, a single broker purchased over 1,000 tickets in a single minute. The same broker, along with one other, was able to amass over fifteen thousand tickets to the band’s concerts across the US by the end of the day. This was achieved despite the vendor’s “4 ticket limit”. Fans were forced to purchase their tickets from various resale sites that sold them at up to ten times the original price. In the fight for fairness and against these bots, some performers have taken their ticketing sales offline, but this comes at a cost to the customer experience.


Ticket and ticket holder authentication 

Once a ticket is purchased, ticket offices must be able to track certain data in order to protect and verify its integrity. This has become particularly challenging now that tickets have moved from paper to digital documents, making them easier to duplicate and edit. Tracking ticket IDs and other markers helps uncover possible events involving fraud, but it is far from being a foolproof solution.

Infiltration through 3rd party integrations 

For hackers, ticketing websites are easy targets due to the following:

  1. 3rd party tools are used heavily by online ticketing companies

In order to provide a great user experience, ticketing websites often integrate 3rd party tools instead of developing the features they need from scratch. These are great tools for customer support, chat, and more, but can also create a vulnerability.

  2. Exposure to 4th and 5th parties

Companies have many connection points – from 3rd party integrations (and their 3rd party integrations, and so on) to customers and partners. Each one helps to get an action done, amplify a service or move and/or store data across the web. The more connection points, the better the customer experience and analytics capabilities, but also the more entry points for hackers and bots to leverage.

  3. High volume of user transactions

Users have a fair amount of control over what goes in and out of a ticketing business, with your ticketing website acting as a conductor of sorts. It is pretty much self-service. As such, bots pretending to be users can engage in transactions, but on a far greater volume and much faster than a regular human customer would.

Bot operators can create accounts in bulk to get around ticket purchasing limits. In addition, they use lightning speed to blow by real customers and snap up hundreds of tickets as soon as onsales start. In doing so, bots disrupt the onsale process – not really paying for the purchased tickets, taking away potential tickets from actual users, etc.

These attacks are killing ticketing businesses. Not only do they damage the company's reputation - they can also lead to national and international lawsuits, fines due to non-compliance with privacy regulations, downtime, and increased budgets on damage control.


The #1 New Year Resolution 

Since we know new year’s resolutions are difficult to follow through on, we think we should only focus on the one that’s most important to us. Be smart and serious about keeping your website safe from cyber-attacks. This means using the right tools and technologies to keep your site safe without having to compromise on providing a great user experience.

There are many things to keep in mind when choosing the right website security solution. One important technology is real-time client-side sandboxing. Sandboxing automatically regulates how each one of your 3rd party vendors that use JavaScript can access your content. Sandboxing technology provides real-time prevention around the clock and allows you to conduct business as usual while your assets and data are protected from any suspicious and malicious behavior.

You can also neutralize the speed and volume advantages that bots enjoy with a virtual waiting room. This eliminates any advantage in hitting the web page milliseconds after the start of the sale. Ticketing organizations can require visitors to enter known data, such as a membership number, to enter the virtual waiting room. This makes impersonating real users expensive and complicated, and is a powerful tool to combat bots’ volume upper hand.
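The waiting-room idea described above can be sketched as follows. This is an added example, not Queue-it's or Source Defense's code: `build_queue`, the membership numbers and the arrival data are hypothetical, and it assumes that visitors waiting at onsale start are ordered at random and that each membership number gets a single place.

```python
import secrets

# Constructed sample data: membership numbers the box office already knows.
KNOWN_MEMBERS = frozenset({"M-1001", "M-1002", "M-1003", "M-1004"})

# Constructed arrivals: (session id, membership number, seconds relative to onsale).
ARRIVALS = [
    ("bot-1", "M-1001", -0.004),
    ("bot-2", "M-1001", -0.003),   # same membership number reused by a second session
    ("bot-3", "M-9999", -0.002),   # membership number the box office does not know
    ("fan-a", "M-1002", -600.0),
    ("fan-b", "M-1003", -30.0),
    ("fan-c", "M-1004", 5.0),      # arrives after the onsale has started
]

def build_queue(arrivals, onsale_start=0.0, known_members=KNOWN_MEMBERS, rng=None):
    """Return session ids in admission order for one onsale."""
    rng = rng or secrets.SystemRandom()
    seen_members = set()
    early, late = [], []
    for session_id, member, arrived in sorted(arrivals, key=lambda a: a[2]):
        # Gate on known data: unknown membership numbers never enter the room.
        if member not in known_members:
            continue
        # One place per membership number, so bulk sessions collapse to one.
        if member in seen_members:
            continue
        seen_members.add(member)
        (early if arrived <= onsale_start else late).append(session_id)
    # Everyone waiting at onsale start gets a random position, so a script
    # that arrives milliseconds before a human gains nothing from its speed.
    rng.shuffle(early)
    # Later arrivals join behind the randomized group, first come first served.
    return early + late

if __name__ == "__main__":
    print(build_queue(ARRIVALS))
```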


Hackers are constantly on the lookout for vulnerabilities they can exploit, often opting for the easiest point of entry. Ticketing websites are particularly vulnerable and prime targets, but they’re not the only ones. Any website that uses 3rd party tools, in any industry, can be the next target and should invest in smart cybersecurity. The 3rd party tools you’re using are important for providing a great user experience – don’t stop using them. Just make sure they can’t be used as an entry point to harm your business or your customers.

If you’re ready to stop ticket bots, there are specialized tools you can use at each stage of the ticket-buying process. This will give you the best chance of achieving fair, transparent, bot-free onsales in the new year.


About the Author

Courtney Brady has more than 15 years of sales and marketing leadership experience in technology. As VP of Marketing at Source Defense, she is an integral leader on the management team to elevate the global brand, customer messaging and go-to-market effort. Most recently, she served as Chief of Staff of Distil Networks, the leading bot detection solution acquired by Imperva in 2019. As employee number 2 at Distil, she created and led the marketing department and was an integral transition lead during the acquisition process. Ms. Brady also held a number of senior marketing positions across different cybersecurity, healthcare, and technology start-ups.
