Ticketmaster SafeTix Reverse-Engineered

Ticketmaster is having a rough time lately. Recently, a hacker named [Conduition] managed to reverse-engineer their new “safe” electronic ticket system. Of course, they also had the recent breach where more than half a billion accounts had personal and financial data leaked without any indication of whether or not the data was fully encrypted. But we’re going to focus on the former, as it’s more technically interesting.

Ticketmaster’s stated goals for the new SafeTix system — which requires the use of a smartphone app — was to reduce fraud and ticket scalping. Essentially, you purchase a ticket using their app, and some data is downloaded to your phone which generates a rotating barcode every 15 seconds. When [Conduition] arrived at the venue, cell and WiFi service was totally swamped by everyone trying to load their barcode tickets. After many worried minutes (and presumably a few choice words) [Conduition] managed to get a cell signal long enough to update the barcode, and was able to enter, albeit with a large contingent of similarly annoyed fans trying to enter with their legally purchased tickets.

The real kicker here is that since the barcode rotates every 15 seconds, printing it out simply isn’t an option. This alienates anyone who doesn’t have a smartphone, which includes individuals who may not be able to physically operate one. So the problem isn’t simply that users were being forced to install yet another application on their device, but that the system reduces accessibility to entertainment. [Conduition] was dismayed and frustrated with this, and so the reverse-engineering effort began.

Decoding the barcode was actually quite simple. It is a standard PDF417 barcode, which contains a long Base64 string, two six-digit numbers, and a Unix timestamp all concatenated together with colons. The only parts of the string that seemed to change over time were the two six-digit numbers. Hmm, can we think of a common technology which generates six-digit numbers that update seemingly randomly on a fixed cycle? Of course — it’s just a Time-based one-time password (TOTP), the technology behind 2FA authenticator apps!

So where were the secret keys coming from? TOTP only requires two things: a static secret string, and the current time. [Conduition] checked the communication with the Ticketmaster servers and found a particularly interesting request that returned JSON-formatted data, inside which were of course the two secret keys. One seems to be unique per customer, and the other per ticket.

The important data captured from the web traffic

The Ticketmaster API documentation only briefly mentions this feature, but they do state that customers must refresh their ticket barcodes within 20 hours before an event starts. These two pieces of information were enough to allow [Conduition] to whip up a simple app that accepts the secret keys and the ticket ID and pops out the rotating barcodes. This would allow you to sell your tickets in the 20 hours prior to an event, or even just give them away to friends without having to give their personal data to Ticketmaster and allow you to take back control of your tickets.

Thanks to [Chrischi] for the tip!

48 thoughts on “Ticketmaster SafeTix Reverse-Engineered

    1. I don’t live in USA but I can’t think of a single piece of media (movie, concert, drama, etc) that I felt like watching and wanted to buy tickets for.

      Maybe online streaming has spoiled me but it seems like everything is just…bland and not worth expending too much effort for. It funny because its not like I watch much Netflix or other streaming services either, I just can’t get excited at the thought of watching anything.

      1. A witless, clueless, brain dead population exists.

        So as a Roman poet once said – “give them bread and circuses”……

        (and no William Shatner is not involved).

      2. GWAR was the best show I’ve ever seen.
        Oderous brought it (RIP). The whole band!

        Honestly thought I was gonna die in the crush (for a second).
        We escape-crowdsurfed all the girls and small dudes to safety!
        Two big guys form wedge and make hand stirrups. They don’t teach that at school, should. I digress.

        Were musically tight, like ‘The Fabulous Thunderbirds’!
        Amazing for a bunch of junkies.

        Ur right though.
        New music mostly sucks.
        But old music mostly sucked.

        As to the USA dig.
        One title refutes.
        ‘Eurovision Song Contest’
        That’s how many decades of awful cringe?

        Checks…’shinsukke’…definitely European.

    2. Ticketmaster isn’t scalping. It’s the people buying tickets from them for resale.

      Secondly, scalpers only exist because there’s a price differential between what the performer is charging and what people will pay. Scalpers work in that gap. So instead of the performer venue getting the money, because they set prices so low it encourages scalpers to grab what they left on the table.

      1. Ticketmaster and other platforms allow and encourage scalpers with their ‘resale’ services

        Scalpers exist because ticketing platforms allow scalpers to hoover up hundreds or thousands of tickets in seconds after they go on sale and fans have no choice but to buy from them because there are no tickets left. (and yes, I know scalpers exist outside the online platforms too, but they’re incredibly successful online because online platforms don’t have effective countermeasures)

      2. Ticketmaster subsidiaries scalp ticketmaster tickets.

        Yes you heard that right.

        They have also made it easier for some companies to do so, while blocking and preventing others.

        I have no like of their business tactics.

        This articles justifications on its face are questionable though, very few people cannot operate a smartphone. Also it presumes there is absolutely no alternative; where that may or may not be the case.

        I’ve interaction with a user that was both deaf and blind; they provided feedback on the Accessability of our websites. They used iPhones and iPads to do so, along with assistive devices which connected to them.

        As indicated in the article above, ticket refreshes are only required within 20 HOURS of an event. So there was no need to do so at the event while in line. Perhaps better notification to refresh your ticket before the event would be called for; but making the expedited seem like a dire circumstance where an refreshing with a congested system at the last minute ISNT justification for hacking the system and process.

        On the other hand; love the technical details and no dis on the work itself; just the failed justification.

        1. This is someone experiencing the system fall apart in practice. The system being offered was flawed and one annoyed and motivated user thought he could do better. The simplest solution is to build well functioning practical systems.. and if you don’t do that, like it or not people will come up with their own workarounds where they can. This has already played out through several merry go rounds of pirating media. People as a large group are happy to pay for legitimate methods to access media. Spotify largely killed mp3 pirating by providing a good reasonable service. Lars and his lawsuits were about screwing the little guy into having to stick to the old crummy system rather than addressing it’s flaws. Lars’ approach solved nothing. When video streaming services sprung up, pirating went down. Currently though pirating is going back up because services are fragmented, expensive, and starting to include ads. Users are weighing up the legit system against the pros and cons of using an off book one and going with the one that comes out ahead. Make a better system, don’t blame your users if they aren’t ok with what you are offering.

        2. All people have limited space on their smart phone. ‘Very many people’ use older smart phones and have filled the easily available space on that smart phone.

          ‘It presumes there is no alternative’ .. yes it does, and that is an already mostly true presumption as Ticketmaster has continued to monopolize venues in all US markets with exclusivity agreements.

      3. The bands could F them.
        It has been done.
        Just keep adding dates until one doesn’t sellout.
        Then add one more.

        IIRC Prince and a few others have made demonstrations.

        Modern era…
        Ticketmaster is publicly traded (TMCS Nasdaq).

        Could a large group of popular bands buy out of money put options on TMCS then Simul-F them with as many added dates as the venues can hold?
        Sustain till option date? Harvest fat option market makers by _bankrupting_ TMCS.
        They could get more than market cap of TMCS.
        Especially if more then one WS bank is writing options.

        Would the SEC be party poopers?
        Surely they would try, being owned by Wall Street.

      4. You make a good case for scalping. You made me think. Scalping is a symptom, not a problem. The cause is fixed prices for a fixed supply with dynamic and unpredictable demand.
        In another comment I proposed starting to sell tickets initially at a higher price and then slowly dropping the price over time. This spreads the sale out over time. People who really want it pay more and those who want to pay less are willing to wait a little and to spend time to periodically check before if it is almost sold out. You can even create a control scheme that regulates the rate of price drop over time with respect to the number of sales.

  1. Any system which requires an app AND internet connection for no reason is stupid.
    I hope one day there will be enough alternatives to comfortably live a smartphone free life.

      1. “As they say only criminals use cash”
        “they” are wrong. I don’t trust them. Cash is a privacy friendly way to pay for things without electricity or internet access. Not just criminals use cash.
        “Stop killing trees :D”
        Cash bills are spent many many times before they are replaced by new ones. The average lifespan of a $1 bill is about 6.6 years. So I wouldn’t worry about the trees.

          1. I’m sure someone will correct me if I’m wrong, but I think US currency is made of cotton fibers? On the other hand, tickets are made of trees.

            Given the price of tickets these days, it’s a lot safer to have virtual tickets (and virtual currency)…

          2. us currency is actually made from cotton fiber. traditional wood based paper is not as durable. im not sure if plastic currencies are any more environmentally friendly. but it does make sense in countries that dont have any kind of cotton or paper industry.

      2. Who on Earth says that? Every small business I’ve ever been to prefers cash because they don’t lose a percentage to the credit card companies.

        US dollars are cotton and linen, not from trees. Your country may vary.

        1. They haven’t worked out there costs to handle cash then. It’s not cost free.

          I’m the vast majority of cases it’s because they do not pay their full taxes, they use the cash to obscure the exact amount owed in taxes and let the cost of handling cash hide in that slop.

          Handling cash is actually more expensive than most companies realize.

          1. American Express will skim smaller merchants (“service establishments”) at up to 12%. Source: I used to work there.

            Square and their ilk are fine if you’re running small volumes; they’ll hit you for about 3%.

          2. banking industry does use more energy that bitcoin, but thats not per capita. im not sure its worth attacking people who use paper money when there are lower hanging fruit, like pennies. most people consider them a trash item and it costs 3x their worth to make them. their only real use is maybe in teaching children the value of saving money (but face it no cashier likes to count to 500 because a child saved up for a bag of chips).

            if capitalism is to be beholden by something let it be the laws of physics. concepts of entropy should be observed wrt things like copyright, because expecting infinite income from something made by long dead creators is anti-physics. also poverty (and homelessness) gets decriminalized and even encouraged based on how few resources they consume when given efficient accomidation.

          3. Only if you report the cash income to the tax man.

            It’s double plus good!
            Less income, costs stay.

            I’ve been known to haggle based on cash and my guess as to their marginal tax rate.
            Right out loud.
            ‘I need 10% discount for cash…’

            Like a resident of an unnamed EU nation (tax rates affect math).

          4. It is cost free relative to other forms of payment. That you have to pay someone to count your fat stacks of cash is not really a problem. Every form of payment takes as much verification and accounting effort as you want to devote to it and pay for.

        2. 😂 have you ever seen how banks charge businesses for services?

          Cards take a fee. But cash (and cheques) costs a large fee to deposit, plus the time to go to a bank to deposit it.

          BACS however is free, and our preferred way to take payment.

          If a business prefers cash, that usually means they’re keeping it off books and cheating their tax return. But at least their employees can cheat their boss by pocketing some of it.

          1. Given your spelling of “cheques” I think it’s safe to say you’re not in the US… :-)

            Both of my business accounts allow free cash deposits, as long as it’s only twice a day at most. But they don’t care if it’s a million dollar deposit. And if I could sell a million dollars worth of hay twice a day…

            I’ve run into several small businesses that will take either cash or a cashier’s check from the bank, they don’t care which one, but won’t take a credit card. It’s because they don’t want to get charged the percentage, not because they’re hiding the income.

            Most furniture stores will not take credit cards because if the customer changes their mind, tries to return the purchase, fails, and hence disputes the charge… the store is now faced with no revenue, paying the wholesale cost of the piece, and hoping they can sell the now-used one.

          2. You won’t get a decent cash-tax-cheat discount out of employees.

            Got to haggle with the boss.
            Shouldn’t even have to mention tax rates.
            After the first time. But not even then, if the boss isn’t dumb.

            If the cash register isn’t running a tape, then you are talking to the boss or his/her family.
            It’s a tell, that unfortunately the tax man has figured out.

            Nobody, with decent ethics, trusts anyone outside a very small group.
            It’s bad for people to be trusted.
            They will learn to be dishonest.
            Just like you and I did.

    1. You can now IMO, absolutely some inconviences as folks are expected to have one but no serious ones I’m aware of. The hard part isn’t so much living without a smartphone its being more disconnected when we have all been conditioning ourselves for decades to just look up anything we need to know on the internet immediately, the smartphone just being an easy portable way to do so.

    1. i see it more an issue of using technology in a naive application. anyone who has run a game studio or even a modding community knows how dangerous it is to let artists go nuts with their polycounts and texture sizes. in that case you eat up the system resources and the game performs badly.

      same applies with em spectrum apportionment. if your programmers are doing something that breaks the infrastructure (especially that owned by others) that is a serious problem. you just spam it until your legitimate use case becomes a defacto ddos attack. there will be lawyers.

  2. Been there, done that. Ticketmaster app failed right in front of the scanner.
    Send the ticket to Google Wallet. It works without cell and WIFI.

    Day one on ticket release and there is no original priced tickets in Ticketmaster.
    And that’s not scalping?

  3. If those tickets can only be accessed via smartphone and needs to be updated every 15 seconds before getting through, imagine if someone also had an illegal cell phone jammer? Hundreds if not thousands people stuck at the gate because no one can get the valid ticket data to load.

    Bring back old paper ticket, tie the purchaser to ticket and require valid ID to get in with paper ticket to prevent counterfeit ticket, and would discourage fake ticket seller since they’d have to come and show ID.

    1. You don’t even need to do that as it is already happening. The number of events that this has affected is countless at this point. Cell providers do not put that capacity around event centers permanently and only add extra infrastructure for events like the super bowl etc…. So most other events you get hosed at. I’ve seen college bowl games where they are still trying to get people in at half time because of lack of services. Even smaller events can cause big issues with cell and data infrastructure not being what is needed to handle the tickets. The issue with that part anyway is not customer complaints but how much $$$$ livenation/ticketmaster throw at legislatures to make sure they get to keep their monopoly.

    2. becomes problematic because its not uncommon to have parents get tickets for their kids or somone purchasing for a group, where they need a number of contiguous seats. where its not convenient to bring the whole bunch to the box office. also closes the door to ticket gifting, especially in situations where it is not appropriate to hand out or even have the personal information of the recipient (use as contest prizes).

      even if you limited each customer to a certain number of tickets, scalpers would just pay smurfs to collect them. even if tied to an id, scalper could forge those credentials to go with the tickets.

  4. Re: a removed thread about scalping, arbitrage, and ticketmaster-like entities.

    A gap in prices isn’t all it takes to make arbitrage work. It also needs to be sufficiently easy to “flip” whatever the thing is that’s being bought and sold. For example, if tickets were impossible to resell because you had to show photo ID’s or because only the first N people in line would get in, then either you would get a ticket at the nominal price or you wouldn’t. And your chance of doing so would be based on only competing against the people who actually intend to see the performance, not just anyone who smells money. Of course that’s got its own problems, but still.

    Instead they’re made very easy to resell, without too many awkward anti-scalping measures, because that allows as much as possible of the gap in value to be captured by the arbitrageurs, market-makers, or other middlemen. I’m speaking more generally here although I’ll use tickets as an example because as far as I know it’s still true. If ticketmaster or someone provides easy access to a large fraction of the supply of tickets and ticket buyers, then the way they can contribute to scalping without doing it themselves is by making it more effective. It’s most effective if there’s a big gap and low friction / high liquidity / etc. Then, if people will value something at $2.5k, you can probably find a thousand buy offers for 2.4k and a thousand sell offers for 2.6k. And ticketmaster or whoever will be there to collect their percentage on every single one.

    Ticketmaster can charge however much of a fee they think won’t stop people from using them, and if they’ve made their market otherwise efficient enough and are perceived as reliable enough, then they might be able to extract a substantial fee before people can or will find an alternative. Plus, if they begin raising barriers to stop tickets from being sold to anyone outside of the marketplace, they can suck more money out of the marketplace without losing market share to the bandits outside the walls.

    1. One problem is that tickets are often sold out very quickly because of the low prices. If you charge too low it will be sold out too fast, if you charge too much you might not sell all tickets or you will alienate your fans.
      I think a better system would be to start ticket prices higher when opening and then lower the prices over time. Those willing to pay more are guaranteed a ticket and don’t have to be afraid it will be sold out. Others can wait a little and then buy a ticket at a reduced price. This would prevent scalping too.
      So if a ticket is $100, you offer it for $200 then $150 and then for $100. Scalpers would have limited time to sell the ticket since the price is dropping constantly.
      Basically it’s dynamic pricing following supply and demand. At first the sale isn’t open yet. Then when it opens there is a rush in demand, because people don’t want it to be sold out. So the price should be higher at that stage so it will spread out the sale over time.

      1. The total number of tickets available is going to be well known and if the show is expected to sell out, then the scalpers could still tell their bots to wait and then buy every available ticket once the price is below a certain threshold. Might help, i guess.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.