How bots impact major onsales [Webinar]

Upload: queue-it

Post on 06-Apr-2017

Page 1: How bots impact major onsales [Webinar]
Page 2: How bots impact major onsales [Webinar]

▪Introduction

▪Bots 101

▪BOTS Act and what it covers (and doesn’t cover)

▪How bots can impact your major onsales and associated mitigation strategies

▪StubHub case study

▪Q&A

Page 3: How bots impact major onsales [Webinar]

Rami Essaid

CEO & Co-founder, Distil Networks

Niels Sodemann

CEO & Co-founder, Queue-it

Distil Networks is the only proactive and precise bot mitigation solution for web applications, mobile, and APIs.

▪ Founded in 2011

▪ 180 employees

▪ 5 offices

▪ $65 million in funding

The use of Queue-it has ensured online fairness during high-demand online events for more than 1.5 billion consumers worldwide.

▪ Founded in 2010

▪ 63 employees

▪ 2016 TTA winner of Supplier of the Year

Denmark

Silicon Valley

Page 4: How bots impact major onsales [Webinar]

Awards and Analyst Recognition

The only anti-bot solution to be included in Gartner’s Online Fraud Detection Market Guide 2 years running

“Distil’s ability to analyze behavior provides the best chance of detecting and blocking bot-driven attacks.”

“Clear innovation compared to similar services.”

2017 WINNER: Best Fraud Prevention Solution

Page 5: How bots impact major onsales [Webinar]

Bots 101

Page 6: How bots impact major onsales [Webinar]

A ‘bot’ is an automated program that runs on the internet

Good bots

▪ Search engine crawling

▪ Power APIs

▪ Check system connectivity & status

Bad bots

▪ Steal content

▪ Scan for vulnerabilities

▪ Perform fraud etc.

[Chart: Traffic Distribution by Type, 2016]

Page 7: How bots impact major onsales [Webinar]

Survey

What concerns you most about the impact of bots on your organization’s website(s)?

▪ Website Security

▪ Transaction Fraud

▪ Lost Revenue to Scalpers

▪ Poor Customer Experience

Page 8: How bots impact major onsales [Webinar]

Survey

How are you addressing your bot concerns?

▪ Addressing now

▪ Plan to address this year

▪ Plan to address next year

▪ No plans to address

▪ Don’t know

Page 9: How bots impact major onsales [Webinar]

The BOTS Act explained

Page 10: How bots impact major onsales [Webinar]

BOTS Act key prohibitions

▪ Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity of more than 200 persons

▪ Prohibits the sale of an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about it

Page 11: How bots impact major onsales [Webinar]

OWASP Automated Threats relevant to BOTS Act

▪ Scalping

▪ Sniping

▪ Spinning

20% of traffic: bad bots

Page 12: How bots impact major onsales [Webinar]

Ticketing Bots Sophistication

Page 13: How bots impact major onsales [Webinar]

Other legislation

Page 14: How bots impact major onsales [Webinar]

Who does it impact? Primary Ticketing.

▪ Must Have Protections

Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity of more than 200 persons.

▪ Federal Trade Commission Audits:

Treats violations as unfair or deceptive acts under the FTC Act. The bill provides authority to the FTC and states to enforce against such violations.

Page 15: How bots impact major onsales [Webinar]

Who does it impact? Secondary Ticketing.

▪ Must Have Protections

Prohibits the circumvention of a security measure used to enforce ticket purchasing limits for an event with an attendance capacity of more than 200 persons.

▪ FTC Audits

Treats violations as unfair or deceptive acts under the FTC Act, provides authority to the FTC and states to enforce against such violations.

Prohibits the sale of an event ticket obtained through such a circumvention violation if the seller participated in, had the ability to control, or should have known about it.

Page 16: How bots impact major onsales [Webinar]

Who does this impact? Venues.

Can you enforce? Can you comply? Can you cooperate?

Page 17: How bots impact major onsales [Webinar]

What the BOTS Act does not address

If you aren’t bypassing security measures on a website in order to get tickets, you aren’t breaking the law.

▪ Doesn’t eliminate the ability to buy & resell tickets obtained legally

▪ Doesn’t address historical relationships between sellers and resellers

▪ Doesn’t make the 40% of tickets not on public sale magically reappear

Page 18: How bots impact major onsales [Webinar]

…and then there’s Wiseguys

▪ Bots: scapegoat for a bigger problem in ticketing

▪ Humans + scripts: Cubefarm of people operating bots with industry experts managing them

▪ 7 years + $25M later, FBI cracks down in 2010

▪ Ken Lowson now a wiseguy turned good

Source: https://motherboard.vice.com/en_us/article/the-man-who-broke-ticketmaster

Page 19: How bots impact major onsales [Webinar]

How they did it

▪ Precise log in, processing thousands of purchases faster than any human

▪ Fooling CAPTCHA, with huge database of combinations + operating at lightning speed

▪ Securing best seats & selling them at a steep markup for resale to the public

Source: U.S. Attorney Office, The Star Ledger

Page 20: How bots impact major onsales [Webinar]

Other ‘wiseguys’ like ShowsOnSale continue to pop up, historically hard & expensive to prosecute

Page 21: How bots impact major onsales [Webinar]

Why you can’t sell out in 20 minutes

Ticket onsales timeline

It’s not possible to sell out in less than 2x basket/cart timeout time

More info: https://queue-it.com/presentation-can-you-sell-out-in-2-minutes-no-learn-why/

Page 22: How bots impact major onsales [Webinar]
Page 23: How bots impact major onsales [Webinar]

In other words, as a venue, organization or ticketing software platform, it is still on you to defend against this fraudulent activity during your major onsales

Page 24: How bots impact major onsales [Webinar]

How bots abuse the logic of online ticket sales

[Diagram: onsale stages labelled Distil Networks, Queue-it, Distil Networks]

Page 25: How bots impact major onsales [Webinar]

Before onsale: Account Creation


Page 26: How bots impact major onsales [Webinar]

Before onsale: Account Takeover


Page 27: How bots impact major onsales [Webinar]

Account Takeover Attacks

Page 28: How bots impact major onsales [Webinar]

Account Takeover Attacks: Why?

Financial fraud

Targets are accounts at financial or e-commerce services that store users’ banking details. The attackers perform unauthorized withdrawal from bank accounts or fraudulent transactions using the credit/debit cards on file.

This includes virtual currency such as bitcoin, in-game currency, and rewards programs. This is all worth real money.

Spam

Spam can appear in any service feature that accepts user-generated content, including discussion forums, direct messages, and reviews/ratings, degrading platform integrity and brand reputation.

Phishing

Attackers can assume a compromised user’s identity and launch phishing attacks on others in his/her social circle to steal their credentials, personal information, or sensitive data.

Page 29: How bots impact major onsales [Webinar]

Account Takeover Bots Sophistication

Page 30: How bots impact major onsales [Webinar]

Day of onsale / During onsale


Page 31: How bots impact major onsales [Webinar]

Volume


Page 32: How bots impact major onsales [Webinar]

Volume

▪ To achieve this, spinner bots create many hits

▪ Queue-it can recognize these as coming from the same device and will block them

▪ 50% of blocking during a major onsale is due to spinner bots

Page 33: How bots impact major onsales [Webinar]

Speed


Page 34: How bots impact major onsales [Webinar]

Speed

▪ Any speed-scripted bots arriving before the event are placed in the randomized pre-event waiting room before the event launches

[Screenshots: pre-event queue page; live event queue page]

Page 35: How bots impact major onsales [Webinar]

During ticket purchase


Page 36: How bots impact major onsales [Webinar]

Credit card fraud

Page 37: How bots impact major onsales [Webinar]

Multiple purchases, exceeding limits


Page 38: How bots impact major onsales [Webinar]

Identification Must Go Beyond the IP Address...

Distil Hi-Def Fingerprint

▪ IP Address

▪ Header & User Agent Information

▪ Cookie

▪ Browser

▪ 200+ attributes of data: Navigator, WebGL, Plugins, Audio, Video, etc.

▪ Tamper proofing layer
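An added example (not from the webinar or either vendor's product) of the point made on the Volume and fingerprint slides: a hit counter keyed on IP address misses one device that changes address on every request and flags a shared office network instead, while a key built from device attributes catches the repeat device. The attribute names, the threshold and the request records are constructed assumptions.

```python
import hashlib
from collections import Counter

# Hypothetical attribute names; a production fingerprint uses far more signals.
DEVICE_KEYS = ("user_agent", "webgl", "plugins", "audio")

def fingerprint(req):
    """Hash device attributes only; IP and cookie are excluded because they change cheaply."""
    material = "|".join(str(req[k]) for k in DEVICE_KEYS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def flag(requests, key_fn, threshold):
    """Return the keys that exceed `threshold` hits within the window."""
    counts = Counter(key_fn(r) for r in requests)
    return {k for k, n in counts.items() if n > threshold}

def build_sample():
    """Constructed one-minute window of queue-entry requests."""
    bot_dev = dict(user_agent="UA-bot", webgl="gpu-A", plugins="p1", audio="a1")
    reqs = []
    # One automated client: 30 hits, new IP and no cookie each time, same device.
    for i in range(30):
        reqs.append(dict(ip=f"198.51.100.{i}", cookie=None, actor="bot", **bot_dev))
    # Eight people behind one office NAT: shared IP, distinct devices, 2 hits each.
    for i in range(8):
        dev = dict(user_agent=f"UA-{i}", webgl=f"gpu-{i}", plugins="p1", audio=f"a{i}")
        reqs += [dict(ip="203.0.113.7", cookie=f"c{i}", actor="human", **dev)] * 2
    return reqs

def evaluate(threshold=10):
    """Return (actors flagged when keyed by IP, actors flagged when keyed by fingerprint)."""
    reqs = build_sample()
    by_ip = flag(reqs, lambda r: r["ip"], threshold)
    by_fp = flag(reqs, fingerprint, threshold)
    ip_actors = sorted({r["actor"] for r in reqs if r["ip"] in by_ip})
    fp_actors = sorted({r["actor"] for r in reqs if fingerprint(r) in by_fp})
    return ip_actors, fp_actors

if __name__ == "__main__":
    ip_actors, fp_actors = evaluate()
    print("flagged when keyed by IP:         ", ip_actors)
    print("flagged when keyed by fingerprint:", fp_actors)
```

Keyed by IP, the only flagged traffic is the shared office address; keyed by fingerprint, the only flagged traffic is the single repeating device.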

Page 39: How bots impact major onsales [Webinar]

StubHub Case Study

Page 40: How bots impact major onsales [Webinar]

StubHub Case Study

Account Takeover and Fraud

“Distil helped us greatly reduce transaction fraud and account takeovers.”

Marty Boos

CIO, StubHub

Page 41: How bots impact major onsales [Webinar]

StubHub Case Study

Ticket Scraping

“Competitive data mining for ticket prices and inventory information was a constant threat.”

Marty Boos

CIO, StubHub

Page 42: How bots impact major onsales [Webinar]

StubHub Case Study

Skewed Conversion Tracking

“The number of conversions were greatly deflated because of bad bot traffic. Now that we’re filtering bad bot traffic out, we’re able to see what the real data is and make decisions based on real visitors.”

Marty Boos

CIO, StubHub

Page 43: How bots impact major onsales [Webinar]

StubHub Case Study Conclusions

In reference to the before, wait and buyer journey:

“I like this multi-layered approach”

George Loyer, Director Technical Operations, StubHub

[Diagram: onsale stages labelled Distil Networks, Queue-it, Distil Networks]

Page 44: How bots impact major onsales [Webinar]

Free trial: www.distilnetworks.com/trial

Free trial: www.queue-it.com/free-trial