Reverse Engineering Ticketmaster's Rotating Barcodes
TicketMaster introduces SafeTix with rotating barcodes to prevent fraud. Issues with connectivity reported. Barcodes contain TOTPs and bearer token. Concerns raised over functionality, privacy, and user experience despite enhanced security claims.
TicketMaster has introduced SafeTix, a system where tickets are issued as rotating barcodes displayed in their web or mobile app, aiming to prevent fraud and scalping. However, users have faced issues with connectivity and functionality at crowded events. The rotating barcodes are based on PDF417 format and include base64-encoded data, two Time-based One-Time Passwords (TOTPs), and a bearer token. By reverse engineering the system, it was discovered that the TOTPs are likely generated from shared secrets and a timestamp, allowing for offline generation of valid barcodes. TicketMaster's motivations behind SafeTix include controlling ticket resale and gathering user data. The contradiction arises from the claim that tickets cannot be transferred outside TicketMaster while being saved offline. Debugging the web app revealed insights into how the barcodes are generated and the structure of the data involved. Overall, the SafeTix system raises concerns about functionality, privacy, and user experience, despite TicketMaster's marketing claims of enhanced security.
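The scanner-side view of the scheme summarised above, as an added example (not code from the original article or from Ticketmaster): a gate that holds the shared secrets can validate two TOTPs offline, rejects a stale screenshot, and refuses a second redemption of the same bearer token. The 15-second step, 6-digit codes, the `Gate` class, the secret names and the ticket store layout are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 15    # assumed rotation period in seconds (not stated on this page)
DIGITS = 6   # assumed code length


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA-1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_matches(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or an adjacent one (clock drift)."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(totp(secret, now + d * STEP), code)
    return ok


class Gate:
    """Hypothetical scanner-side check; the ticket store layout is constructed."""

    def __init__(self, tickets):
        self.tickets = tickets   # bearer token -> (secret_a, secret_b)
        self.redeemed = set()    # tokens already admitted

    def scan(self, token: str, code_a: str, code_b: str, now: int) -> str:
        secrets = self.tickets.get(token)
        if secrets is None:
            return "unknown-token"       # valid-looking codes are useless without the token
        if token in self.redeemed:
            return "already-used"        # double-sold ticket: second holder is refused
        if not (code_matches(secrets[0], code_a, now)
                and code_matches(secrets[1], code_b, now)):
            return "stale-or-forged"     # e.g. a screenshot taken a minute earlier
        self.redeemed.add(token)
        return "admit"


# Constructed sample data, not taken from any real ticket
TOKEN = "constructed-bearer-token"
SECRET_A = b"constructed-secret-a"
SECRET_B = b"constructed-secret-b"
T0 = 1707074879

if __name__ == "__main__":
    gate = Gate({TOKEN: (SECRET_A, SECRET_B)})
    a, b = totp(SECRET_A, T0), totp(SECRET_B, T0)
    print(gate.scan(TOKEN, a, b, T0 + 60))   # outside the drift window
    print(gate.scan(TOKEN, a, b, T0 + 10))   # within one step of T0
    print(gate.scan(TOKEN, a, b, T0 + 10))   # same token presented again
```

The redeemed set is what stops double use; the rotating codes only bound how long a copied barcode image stays valid.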
Related
The tiny chip that powers Montreal subway tickets
The article discusses the MIFARE Ultralight EV1 chip in Montreal subway tickets, detailing its battery-free operation, NFC communication with turnstiles, security measures, and data storage capabilities. It highlights the chip's design, functionality, and handling requirements.
ID verification service for TikTok, Uber, X exposed driver licenses
A cybersecurity researcher found AU10TIX's admin credentials exposed online, risking data breach for TikTok, Uber users. Concerns rise over ID verification services' vulnerability to cyberattacks, emphasizing the need for enhanced security measures.
Identity Verification Used by X, TikTok, and Uber Exposed Driver's Licenses
An identity verification firm, AU10TIX, exposed login credentials, risking access to sensitive data like driver's licenses. Despite claims of prompt revocation, functional credentials were found. AU10TIX partners with major platforms.
Ticketmaster has begun warning customers about data breach
Ticketmaster notifies customers of a data breach involving personal information theft. 1.3 terabytes of data were compromised and sold on the dark web. Snowflake denies involvement. Ticketmaster enhances security measures.
How random are TOTP codes?
The blog post examines TOTP code randomness using HMAC with SHA-1. It analyzes digit frequency in generated codes, showing diminishing bias over generations. Readers discuss and suggest additional analysis methods.
> “What I can say for sure is that TicketMaster and AXS have had every opportunity to support scam-free third party ticket resale and delivery platforms if they wished: By documenting their ticket QR code cryptography, and by exposing apps and APIs which would allow verification and rotation of ticket secrets,” Conduition told me in an email. “But they intentionally choose not to do so, and then they act all surprised-pikachu when 3rd party resale scams proliferate. They're opting to play legal whack-a-mole with scammers instead of fixing the problem directly with better technology, because they make more money as a resale monopoly than as an open and secure ecosystem.”
from https://www.404media.co/scalpers-are-working-with-hackers-to...
When you purchase a ticket from them and resell it on their marketplace, once someone purchases it, they (Ticketmaster) hold your funds and only give you the money ~7-14 business days after the event is over. They say this is to verify the validity of the ticket.
On the buyer side, you purchase the ticket from the marketplace and it gets added to your account immediately. (I think) You get the barcode some time ~1 week before the actual event begins.
The confusion for me? Ticketmaster owned the ticket and all logic relating to the validity of it. The logic to validate this shouldn't be complex at all. They OWN the ticket. They KNOW it's legitimate because it never left their database. Yet they double dip and hold both buyer and seller funds. Events can be close to a year in the future but the seller won't see that until after that event ends.
There's a section named "Pirating Tickets", that just explains how to re-create a barcode that you already paid for. You're not using this to rob anyone of anything.
And at the end, "Have fun refactoring your ticket verification system". Why? There are no vulnerabilities here. A rotating barcode (even if following a known pattern) is still more secure than a static barcode on a piece of paper.
> Can I work for a bad company and still be a good person?
> No.
I have been to Ticketmaster events that use reasonably priced, printable tickets, you could even buy a printed ticket with cash. In fact, even though there are so many Ticketmaster events, they are not all working the same way. And Ticketmaster doesn't have the monopoly on shitty practices, the article gives a good example in the beginning.
What I suspect is that Ticketmaster is nothing more than a service provider. The venue/event organizer/... looks at the Ticketmaster catalogue and picks the product they want. There are "evil" products in that catalogue, and they are probably the ones with the best returns, but I am sure people have a choice.
I'd even go as far as calling Ticketmaster "Evil as a Service". So people can say "fuck Ticketmaster" instead of saying "fuck Taylor Swift". I would be very surprised if artists (and their agents) at the level of Taylor Swift didn't have a say regarding ticket sale practices, even with Ticketmaster.
Of course, the monopolistic practices of Ticketmaster are a problem, people are most likely paying more than they should because of it, but all the crap with apps, resale platforms, etc... I am pretty sure the event organizers, maybe the artists themselves are as much to blame.
This part made me want to throw up, preferably a couple of buckets full, right onto the heads of the marketing team who came up with it.
Kudos to the author of the article. Great work and a great read to go with it.
I've been a couple times, and what I've learned that was still not common knowledge to faire vendors as recently as last year is that T-Mobile brings out a mobile cell tower to support the faire, and no other cellular network does.
So if you're trying to accept electronic payments, the whole thing tends to fall over and you only get to sell to people who brought loads of cash and prioritized hitting your booth first. Only the vendors on T-Mobile are able to take purchases for a big part of the day, and a few other people who use the rare billing system that is fine queuing up Visa transactions until after the bulk of people leave. The line for the cash machine sucks up a substantial part of your time budget for the faire, meaning you probably miss out on some things altogether.
Who thought it was a good idea to require an internet connection at an event. For anything, not just ticketing. It is as if the people who designed these apps never went to a large event.
No internet is the rule, not the exception. Sometimes, you can't even send an SMS. Apps designed for use in events should always work offline, and if internet use is justified, take into account latencies in minutes and use bandwidth sparingly. Failing to do that will make the experience terrible for everyone, as bandwidth will be saturated by thousands of phones trying to do something with that damn app.
At least Ticketmaster does it somewhat right here. The app is supposed to refresh the ticket 20 hours before the event, to account for the fact that the internet may be unavailable at the gate.
Isn’t this not true? The risk with printable tickets is that a seller could sell it to multiple people, who all print it out, but then only the first person who uses it can get in?
Even if the venue doesn’t check to see if a ticket has already been used, only one person can sit in the actual seat.
Of course we all like to dream up all sorts of technical crypto solutions to this, preferably decentralized to remove evil Ticketmaster from the equation. But I don't think the ticket scalping problem is a technical problem per se. I believe it is because tickets are currently sold under the wrong terms, which encourages scalping.
A possible solution could be to make tickets non-transferable, but always refundable. So only you (the buyer of the ticket) can use it, but you can't resell it. But if you decide not to go, you should be able to refund the ticket to the ticket office for full price. The ticket can then be sold again to someone else, for the same price.
Now, of course this is a naive idea. There are many practical and technical challenges to it, not to mention the politics of the entertainment industry. I'm not too familiar with the event industry, so I'm not sure if this would even align all the incentives, but it would benefit the fans and the performers who care about their fans.
This reverse-engineering also breaks if ticketmaster forces venue staff to only scan if the barcode is in the ticketmaster app. Unless you create a lookalike app to trick the staffers.
$ date=$(python3 -c 'import datetime; print(datetime.datetime.fromtimestamp(1707074879).isoformat())')
Consider reaching for `date` from GNU coreutils instead:
$ date -Is -d @1707074879
Fewer keystrokes, faster execution, and the output includes the TZ offset.
Once I buy a ticket, it's my property. I should be able to sell it, by any means I want, to any person I want, at any price we agree upon.
On non-rooted devices, those are pretty much impervious to the user trying to inspect their contents.
I can definitely think of worse things programmers are doing aside from making it mildly difficult to see Taylor Swift.
I have personal qualms with working in certain industries because of this, but Ticketmaster ultimately provides a luxury. You don't need to see a concert, and if you have such an issue with their business practices you can do something else with your Friday night.
I've actually never had an issue with Ticketmaster. At a point a certain other ticket provider just blocked me without any explanation, and I had to go down to the box office to buy tickets. That sucked, but compared to airlines who do weird things like print off tickets without the actual seat number, Ticketmaster doesn't bother me too much.
Well, F.U. $COACH_COMPANY. I don't want to have to install your app for that, but I guess I won't have any other option if I need to get to the airport.
I'd say this highly depends on the fastidiousness of the ticket taker and the rules of the venue. I purchased Major League Baseball tix recently through my employer which uses a 3rd-party seller site that has restrictions like this (a moving graphic behind the barcode with the admonishment not to take a screenshot because it won't work).
I was unable to attend the event that night so I sent my wife a screenshot of the ticket. Two tickets, in fact. They were taken with zero issue.
That's a good incentive for companies to keep up with the "high-tech experience".
No they are not. The big difference is that wizards and shamans closely guarded their secrets to keep their position secure, while software developers will happily give them away to as many people as possible.
This means that software developers as such have close to zero leverage.
I saw the New York Red Bulls play not long ago and had to use Ticketmaster's system for the first time. I travel with a tablet, not a smartphone, and I was expecting trouble. Turns out the only trouble I had was that they didn't want to let me in with a tablet but they did when I explained my ticket was on my tablet. It did require an internet connection but Red Bull Arena has great WiFi so that was no problem.
Bet your bottom dollar it’s good for 24h and they added 4h of buffer in their API guidance to handle admissions after the start of the show “for free.”
Not that this really gets you anything, just made me chuckle.
So he reverse engineered it, but it's still secure: You need the token.
But if each ticket is for a particular seat, would ticketmaster notice if two people came with tickets for the same seat? I bet not. I bet they just trust their ticketing system to be foolproof. If anything they might just reject the second ticket without any way to know which was authentic.
Scalpers are the problem that you have to accept. At the time of purchase, there's no way to tell the difference between a legit purchaser and a scalper or even someone who bought it and simply can't go and needs to resell.
IDs, ticket limiters, CCs, etc, etc. All methods can be circumvented by someone dedicated enough. You can only make it "not scalable" but the tickets still need to be transferable, securely.
Unless we're willing to go ID checking at the gate, there's not going to be a true solution.
Scammers - yes; but how scalpers? Does this mean there is no way to resell or give the ticket to another person?
Edit: The answer was a couple of sentences later; looks like yes, unless via an official marketplace. I like this even less than scalpers.
"SafeTix makes it harder for people to resell tickets outside of TicketMaster’s closed, high-margin ticket-resale marketplace, where they make a boatload of money by buying low and selling high to customers with no alternative."
Very minor nitpick: I don't like the term "technologically disadvantaged" here. While it is undoubtedly true that there are many people who are without smart phones due to economic reasons, or because their battery died or their phone was just stolen ... there are also lots of people, myself included, who would CHOOSE to forgo a smart phone when attending a concert / event.
My wife and I live in a city with a Caesar's hotel and casino within walking distance. When there are shows and concerts we are interested in, we don't hesitate to buy tickets. When we go to such a show for a date night, we would like to leave our phones at home. Some of this might be due to our being middle aged, and so we're not glued to our phones 24/7, but it's also just a hassle to bring them through security, and to often have to put them in those lock bags because they don't want people recording etc.
So to us, e-tickets are evil for no other reason than the fact that it assumes that we want to have a phone on us and to use it as a ticket. I will happily pay the fee for a physical ticket whenever available.
This is horrible. Please stop.
But then ticket resale online marketplaces aren't a thing around here either. When people resell event tickets, it's usually an entirely DIY affair.
Of course they can. All they need is a secret key embedded somewhere that the app can access but you can't. It's just a happy circumstance that they used a simple protocol in which the key is easily extracted. But they could have used a proper PKI protocol instead, which would have made it much harder, if not impossible, to hack.
I bought a ticket that someone had double sold, and by the time I got to the door, they turned me away and said the ticket had already been used. So their system has good intentions, they just need to make it work offline.
Is this still true in the age of locked-down bootloaders, secure enclaves, TPMs etc?
Side note: this is actually a great advertisement for server side rendering! If they didn't do all this client side rendering, exposing data in JSON APIs, then I doubt this reverse engineering would have been possible.
it's not like a ticketmaster account is 'worth' anything, so the seller can simply set up a new one for their next purchase.
I feel like I am in a Disney movie.
The "robust DRM" is called "ID cards". Here in Europe, it's become commonplace to tie soccer tickets to ID cards that are verified at the gates to keep hooligans (or those suspected of being hooligans, which is a status that is way WAY easier obtainable than one might reasonably assume) out, and high-class events that attract scalpers like a pile of dung attracts flies have been doing that for even longer.
Can we also please acknowledge that if people stop going to the things Ticketmaster sells tickets to, they will stop these practices? No one is forcing people to participate in these things; I don’t.
Lastly, it even calls itself Ticketmaster. And you didn’t realize you are a Ticketslave? It is right there, in the name! Right in front of your eyes!
It always amazes me what they can get away with and people just behave like buffalo on the Serengeti, stampeding through the croc-infested river … “those crocs are the worst! Ok, Karl, we are up next”
Instead of chiding your TicketMASTER devs and alpha slave MBAs, maybe stop being a TicketSLAVE altogether. Has that dawned on any buffalo?
Fun fact, to drive the point home. Guess how the predators of the Serengeti are treated when they want to go to an event. You think they deal with Ticketslavery even though the Ticketslaves is how the cabal makes its money?
There's no other mention of spyware in the article - does anyone know what this is referring to?
But yes, it's disgusting that I've needed a phone for events...
How hard is that really?
Until they change their encoding.
Requiring the installation of a proprietary app to do anything should be forbidden.
Uhm, you can save the tickets to Google Wallet.
Disclaimer: This isn’t from a real SafeTix barcode. I don’t want TicketMaster to be able to identify and harass me.
Bullshit, TicketMaster. It’s a CSS animation. Get over yourself.
I think we can all agree: Fuck TicketMaster
For a billion dollar corp that is some atrociously poor security
Taylor Swift is a nice-ish person and wants her fans to think they can buy tickets for her shows at about 25 bucks because that’s a lot of money for a 12 year old and she does not want to alienate her fans.
Her manager is an evil cackling bastard and wants to get as much as he can.
He knows if he sells all the tickets for 25 bucks he will lose money in the tour and the people who resell the tickets for 2000 will make 1975 dollars profit.
So he does a deal with ticketmaster.
They will sell 100 seats at 25 bucks, then announce “wow that sold out quickly” and then pretend that the other 5000 tickets they have are sold, and then resell them on secondary sites (i.e. ticket master is actually selling you original tickets through secondary markets).
Then they give the cash to the evil manager who twirls his moustache.
All the rest, the adding extra charges at end of sales process, the ridiculous rush to buy at a given moment in time instead of some auction or lottery, the whole thing of backhanders to venues, all that is secondary to enabling Taylor Swift to take a huge cut without seeming like an evil moustache twirling money grabbing manager.
This is one of the most powerful truths underlying the world we currently inhabit. The sooner we can agree to behave accordingly, the better our prospects for ripping the reins of society from the hands of those whose only animating principles are avarice and exploitation.
I go to 1-2 concerts a month so I'm well aware of how scummy TM is, but the problem with PDF tickets is that people sell fakes or sell the same ticket multiple times. I know multiple people who've been scammed this way. I get not wanting to use your phone for everything, but the changing barcode isn't just technology for the sake of technology, it's actually there to solve a problem.
> PDF tickets work even if your phone loses internet connection
So do the digital barcodes if you add them to your phone's wallet.
TM even sends you an email before every event that says:
>> If you haven't already, download the Ticketmaster app or sign into your Ticketmaster account via mobile web. From My Events, tap view then add tickets to your phone's wallet for easy access at entry.
TM's help page for the Mobile Entry tickets also says (https://help.ticketmaster.com/hc/en-us/articles/978659778561...)
>> We encourage you to download your tickets to your digital wallet before you leave for your event. This ensures that you can always access your tickets.
> If you bought the ticket off the event’s official ticketing agency (not a sketchy reseller), you know for sure that they’re real.
The problem is that that isn't how the real world works. Ignoring the massive scalping problem currently happening (that TM is complicit in) sometimes plans change or people learn about events after the initial sale. Personally, any time I have to buy or sell through a reseller, I use StubHub, but I know plenty of people who don't want to use them as they charge high fees and they aren't much better than TM from a moral standpoint.
Also, I get the impression that if TM locked all tickets so that they could only be resold on TM, the author of this article would have a problem with that.
Up to $1M per week.