“Bot’s the Story, Morning Glory?” Oasis Ticket Scalper Bots

Season 3, Episode 1
5th September 2024

Netacea bot experts discuss the challenges around the Oasis reunion tour ticket sales, focusing on the issues caused by bots and scalping in high-demand events. The discussion explores the technical difficulties of managing ticket sales, the tactics used by bot operators to secure tickets, and the broader implications for the industry.

The team also discuss why current methods to prevent bot activity often fail and why a multi-pronged strategy combining real-time detection, post-transaction analysis, and clamping down on secondary markets is critical.

The talk concludes with insights on how increased intelligence and understanding of attacker behavior can eventually win the battle against bot-driven ticket scalping.

Speakers

Andrew Ash
CISO, Netacea

Andy Still
CTO & co-founder, Netacea

Matthew Gracey-McMinn
Vice President of Threat Services, Netacea

Episode Transcript

[00:00:00] Andrew Ash: Hello and thanks for tuning in to the Cybersecurity Sessions Podcast Season 3 from Netacea. I'm your host, Andy Ash, the CISO at Netacea. We have a special episode today where we'll be discussing the latest news around Oasis, the announcement of them getting back together and going on tour. There's been lots of press around the ticket sale process, and a lot of people are unhappy with not getting tickets, so we thought we'd dive into the challenges around events like this.

[00:00:30] Today I'm joined by two familiar faces to the Netacea podcast, Andy Still, and Matt Gracey-McMinn. Andy, do you just want to introduce yourself quickly?

[00:00:41] Andy Still: Thanks, Andy. I am, Andy, I'm CTO and one of the founders of Netacea. I've obviously been here battling bots for a long time. This episode is particularly relevant for me because my background is in ticketing sales. So I've sat on the opposite side of this fence trying to sell tickets in really busy events and buy tickets in really busy events.

[00:01:02] So hopefully that can contribute a bit to our conversation today.

[00:01:07] Andrew Ash: Cool. And MGM?

[00:01:09] Matthew Gracey-McMinn: Hi, so yeah, I'm Matt or MGM, and I'm the VP Threat Services here at Netacea, where I'm responsible for our threat research function. So basically we are, we were quite interested in the Oasis drop and we're spending a lot of time pretending to be attackers in the kind of attackers communities, watching what they're talking about and that sort of thing.

[00:01:26] So hopefully, provide some useful insights.

[00:01:30] Andrew Ash: Thanks, Matt. So before we get started on the actual, what happened, quick question to both of you. What's your favorite Oasis song, Andy?

[00:01:42] Andy Still: My favorite Oasis, that's a tricky question. So what I will tell you is it isn't Wonderwall. No, Wonderwall is one everyone holds up.

[00:01:49] That isn't even the best song on that album. Champagne Supernova is better, What's the Story Morning Glory is better. Half a World Away is a great song as well, but I think peak Oasis. What's the Story, Morning Glory is one of the best albums. You'll get going back and listening to that again on the announcement of reforming.

[00:02:08] Forgotten quite how good it was. Reminds me of time in the 90s when Oasis were everywhere.

[00:02:14] Andrew Ash: They were, that is absolutely true. Now I'm going to ask MGM as well, but I do know that MGM is not fully aware of Oasis.

[00:02:22] Matthew Gracey-McMinn: No, I did a bit of googling on the songs because I'm not really familiar with them. I was about three or four when Oasis were quite big, so I don't really remember much of their songs.

[00:02:33] I know Wonderwall, that's about obviously the main one I know about. Obviously I've heard of Champagne Supernova as well, Supersonic and a couple of others, but yeah.

[00:02:42] Andrew Ash: Do you like Wonderwall? Is that a song that you enjoy?

[00:02:46] Matthew Gracey-McMinn: I think I enjoyed it when I was younger and then going through school where everyone who learned to play the guitar played Wonderwall. I got sick of it.

[00:02:54] Andrew Ash: Yeah. Yeah. I think that's where I'm coming from. So my, definitely my favorite song is Half the World Away. Definitely, that is definitely mine, but partly because it's the theme music for BBC comedy show The Royle Family. And I absolutely love that.

[00:03:12] Still great today if you've not watched it. But I did have the original demo cassettes of Definitely Maybe when I was 17, so 1993, which I was incredibly thrilled with. Apparently had Noel's handwriting on it, and I knew people who knew the band and I was obsessed with them. 17, I was obsessed with Oasis.

[00:03:34] Now, not so much. Not so much. I don't think they got better with age, but that's just my opinion.

[00:03:42] So obviously there's been a whole lot of chatter in the news about this. What is a seminal event, one of the biggest bands in the world getting back together and playing a whole lot of concerts. Did anybody that you know actually get a ticket, either Andy or MGM, because nobody I know, so my family were trying to get tickets and absolutely couldn't, they were left very frustrated.

[00:04:08] Andy Still: No, none of my family could, we had four of us attempting on various different devices, and none of my friends did either. So I didn't know anyone who actually managed to get one.

[00:04:23] Andrew Ash: MGM?

[00:04:23] Matthew Gracey-McMinn: Same for me. I know quite a lot of people tried to, quite a few members of the threat research team here at Netacea tried to get them.

[00:04:31] None of us could.

[00:04:34] Andrew Ash: So I think, it's completely understandable. There's a lot of disappointed people. It's such a seminal event, like I say. I think we know of one person in the office that got a ticket. We did a quick poll earlier. She's very, she's, whether she got one or four, whether she got one on her own, I don't know, I suspect she got four.

[00:04:52] Andy Still: I believe she got four, and then had to find who to give the other two to. So I think, once you're on there, I think it was, we'll get as many as we can. Someone's bound to want them.

[00:05:03] Andrew Ash: Yeah, yeah, So just, a few stats about setting the scene. So Oasis are going to play to 1.4 million people during this tour, over 17 concerts according to the BBC, I don't know, off the top of my head, but according to the BBC, that's how many tickets were actually on sale. And, we did quite a lot of work over the weekend of the sale. And, anecdotally we saw between half a million and 1 million people queuing over various different websites.

[00:05:36] So to put that into context, that's a big number. It's a very big number, but to put it into context, if that was a physical queue, and everybody had a reasonable amount of space to stand up, it'd probably stretch the length of the country, or fill 40 football pitches if it was that kind of airport queuing system.

[00:05:54] And it'd be very unpleasant. You would never get to the, you wouldn't join that queue. It would never form that big. And then of the 1.4 million tickets, if it took one minute per transaction on each of the websites that had tickets for sale, the whole year of compute time will be required to process the requests.

[00:06:15] And that is a significant technical challenge for any organization. Ticket vendors are used to this kind of demand, but scaling to that level is a significant challenge. And it's something that Andy will touch on, because he does have quite a lot of experience in this. And, I think we all have experience in hosting high volume websites.

[00:06:37] It's not straightforward. This is made more challenging by the fact that there are malicious actors out there who are trying to scalp tickets.

[00:06:48] That adds vastly to the number of entities that are trying to buy the tickets. Like I say, we were watching this very closely over the, over the weekend and in the lead in. MGM, so what chatter did we see from the online bot operators and organized gangs around this ticket event?

[00:07:08] Matthew Gracey-McMinn: From the very moment the tour was announced, we saw huge amounts of interest in it.

[00:07:14] A lot of these groups, either were involved, so there's sort of two types of groups. There are those who were involved in ticketing before, in which case they've hit things like Taylor Swift's Eras tours and earlier things as well, and they've made a lot of money. So they were really keen, when they heard the news about Oasis, they're like, great, payday for us, basically, we can make more money if we can attack this successfully, so let's figure out how... they start planning their attack.

[00:07:36] There are other groups as well who saw... the second type of group basically saw other groups making a lot of money on the Eras tours and other earlier, earlier tours and so forth, and so decided to basically get into the game themselves. It's a way for them to make money. The second that the Oasis tour release dates were announced, they started going, we better start building tools, basically cyber weapons that can allow us to attack these, these ticket drops, these releases, and get as many tickets as possible, try to bypass any security controls that are put in place, any sort of limits on numbers of purchases and stuff like that.

[00:08:14] We need to figure out ways around those controls and we're going to start building tools. So within 36 hours of the announcement of the tools, that, I think it was on a Saturday, if I remember correctly, within 36 hours, there were tools had been, the people who'd started from scratch had developed these tools, and over the next couple of days, they iterated on them multiple times, testing them, making sure they worked, improving them, giving them new functionality, and so forth, so that by the time of the actual ticket release, they had a very sophisticated suite of, basically, cyber weapons, basically, that they could use to attack the drop and make sure they acquired as many tickets as possible.

[00:08:51] And as part of this, we actually saw a sort of, almost a small ecosystem develop around it with people developing individual components that would be needed in the attack, and then selling them to someone who was pulling all of these components together. So people were selling like, bypasses, oh, I've got a way, I promise I have a way around a queue.

[00:09:10] I have developed some way to try and bypass the queue. Whether that's true or not is up for debate, but people, but someone who is building a weapon to attack this drop would then buy that component that would allow their users of their weapon to bypass the queue, for instance.

[00:09:24] Andrew Ash: Yeah, and, in terms of number of actors we were tracking is, we do have a really big spread of intelligence.

[00:09:35] Was it basically everybody that we track in this area, you're saying?

[00:09:39] Matthew Gracey-McMinn: Yeah, pretty much to be honest. There wasn't even a hesitation. There were no questions around for most of the groups. There was no question around legalities or anything like that. They just saw it. It was almost Looney Tunes style, dollar signs in the eyes and they ran straight at it.

[00:09:55] Andrew Ash: Yeah. And it's understandable. These events are such a massive target of scalpers. We can look back at the Eurovision sale from 2022, I think. And the Taylor Swift you already mentioned, that actually ended up in front of Congress in the U.S., that was such a... is it a national scandal?

[00:10:19] Is that fair to say? Is this a national scandal? Have we got to that level?

[00:10:23] Matthew Gracey-McMinn: I don't know if I'd say we've got to the level of, sort of Parliament...

[00:10:29] Andy Still: We have, the government have come out and said that they are going to look into this. They have come out saying they were already going to look at the issue of ticket scalping anyway, as a result of kind of previous promises that they've made.

[00:10:47] They're extending that to cover some of the issues that were raised within this. So ticket resale is one, variable pricing, some of the other restrictions around how ticket selling works, slightly different from other industries. So yes, I think this has hit the level of national scandal.

[00:11:08] From a politics point of view, it's a fairly easy target. This isn't the, jump on the bandwagon. You can be very popular with a large amount of people by, looking, coming out saying you address this against the kind of evil corporations. At the back of it, obviously, the truth is somewhere behind that, but you can see why they're wanting to get involved in this.

[00:11:31] Andrew Ash: Are you saying there's going to be a lot of political tub thumping about this, Andy?

[00:11:35] Andy Still: I'm saying there's going to be a lot of political tub thumping, and based on past history, they will probably decide it's a very hard problem to solve and, yeah.

[00:11:44] Andrew Ash: But for now, now it's a good campaign, right? Yeah. At a time when there's not a lot of news this time of year, isn't it?

[00:11:51] Okay. The news coverage was everywhere across all platforms and it wasn't particularly good. It didn't play well at all. So I guess there's, there's been, we've already mentioned Eurovision, Taylor Swift, and we could, there's Radiohead, et cetera.

[00:12:13] There's been a lot of opportunity to address this issue. How are scalpers and bots still so disruptive in this market?

[00:12:23] Andy Still: The issue you've got here if you start from the very simple standpoint, and like you say there was a lot of, there was a lot of news coverage ahead of... this was probably the biggest event in the UK last week bar none.

[00:12:37] This was what all the news was about. Everyone was ready for the on sale. It was well over 15 years in the making that this was coming. So you end up with a situation where even if there was no bots involved whatsoever, you've got 1.4 million tickets, probably 2.4 million people wanting to go.

[00:12:56] So there's a million more people who want to go. Some of those people are willing to pay quite a lot to go to these events. So even if there was no bots involved, some of the people who bought those tickets legitimately might decide I'd quite like to see Oasis, but I'd like a thousand pounds more. So I'll sell my tickets to someone else. So that there's a market there regardless.

[00:13:22] But what the bots do is obviously see that market and they want to be part, part of that market and they're going in with the intent of buying the tickets just for resale and the intent of buying those at some sort of scale. It's an obvious market for bots to get hold of and once they do that, it's actually quite difficult to detect that bot activity.

[00:13:46] If you think of the ways that you can stop bots. The easiest way is, what sounds easiest way is to say that, stop them from buying the tickets in the first place, in which case you need to look at the technology to do that, particularly when blended in to however many million other people that you've got, that you've got there and their behavior will look relatively similar to those people as well, because essentially they're doing the same thing.

[00:14:17] So that's the challenge that you've got with bots. There's another approach you can say with bots, which is, you stop them after the event. You take the ticket back off them. You stop them reselling it, which is an approach that is taken. So the ticket resellers will monitor transactions as they come in.

[00:14:40] They will try and extract ones that they consider not legitimate, and they've got different approaches to do that. We're looking at how the orders are placed and how they correlate to each other and, you know, shared data across them. So once it looks suspicious, they do also do some monitoring of the resale sites to see tickets that are being sold above face value to do some refunding.

[00:15:05] So the ticket manufacturer, the ticket sellers are doing something around that. Now, what would make this problem go away completely would be if no one ever bought one of those tickets. That's how you make this problem go away. There's no market for them. The bots will go away. Now that from experience, no matter what you do is not going to happen.

[00:15:26] And we've seen in the past people's... Bands being relatively draconian on the restrictions for using tickets. So insisting on multiple forms of ID once you've bought it and then other people, they need to see the ID of the people who've bought it. And you need to put that ID in up front. That can have an effect.

[00:15:47] But what those sort of things tend to do is they end up affecting legitimate fans. So people, you buy a ticket to go and see something. There's many reasons why 12 months in the future, you can't go to that event. You want to pass that ticket on to someone else, which is quite a legitimate thing to do.

[00:16:07] And if you can't do that, you feel, you're aggrieved against that situation. You've basically spent hundreds of pounds, which you then can't take advantage of. The other aspect of bot and ticket resale and touting is that those people who are driving that market, they're effectively the problem here.

[00:16:32] They make that market happen, but they're also, categorized as victims of this situation. So there is the view that they are being forced to spend those thousands of pounds to be able to go and see the band that they really want to see. This is, this, you could categorize this as a once in a lifetime thing, similar to Eurovision, similar to Taylor Swift.

[00:16:55] Will they, will these people tour again? Will Oasis make it through this tour, let alone do another? These are the questions... if you are a big Oasis fan, and you don't go and see them now, will you ever get this opportunity again? This is, which unlike some of the other kind of items we talk about, like Playstations, you know there will be more Playstations at some point in the future, but events are events.

[00:17:17] Even if you go to this, people will go to multiple dates within one tour because each one is different. So you have that kind of very distinct market and people will drive that market. But ultimately they're classed as victims though they are actually the perpetrators of the problem and you're probably never going to get around that.

[00:17:37] That feels like a supply and demand issue that is almost impossible to stop. So what we end up having to do is try and remove that, those bots from sale point. And that is a very complex technical problem to solve. And I think there is a sense at the moment that in these kind of things, the bots are winning and the attackers are managing to get sufficient success. And from our point of view as a bot management company, you... in terms of the general level of defense across the industry, we are seeing that as well.

[00:18:17] We're seeing that actually there's a kind of sense at the moment that bot management techniques that are undertaken by, not by Netacea, I will call out, we take a different approach, but as standard across a lot of our competitors are starting to fail because the attackers have actually determined effective bypasses to those systems. So certainly what, and this is speaking as outsiders. So we don't know what methodologies the ticket sellers were using, but we certainly, from what we hear from chatters, the standard bypasses that are used on other systems, they were working to bypass bot protection.

[00:19:02] And this is largely down to the kind of approach that's often taken to bot protection, which is looking at things like, for example, capabilities of browsers that are connecting to them. The devices that connections are coming in from. IP address that you're connecting from.

[00:19:20] Andrew Ash: So it's that client side fingerprint that essentially is what they're looking for.

[00:19:26] Andy Still: Yeah, and that's essentially what we see. That was a traditional way of detecting bots. And what we see from our approach to detecting this, but also from what Matt and team see is that it's easily bypassed. So the approach that Netacea takes here is, to look at intent and activity. And that's the only way that we see that you can start to effectively detect that if you're going down the kind of upfront approach of trying to stop them at the point of purchase.

[00:19:57] Andrew Ash: Just to go back to a point you made a little bit earlier around, the kind of secondary marketing and the demand for that. Secondary marketing isn't just from bot vendors. It is, it is, from people who've bought tickets who genuinely then can't go to the gig and, they'll lose what is a significant amount of cash.

[00:20:16] That secondary market makes it easier for the, for the bot operators to actually, this is a mature marketplace. There are revenues where paths to revenue or revenue streams are available too. So that's, that already exists. And the interesting piece for me is for other high value

[00:20:35] goods and items such as, we think PlayStation 6 is probably on its way. The, PlayStation 5 drops, they were very much scouted and then sold potentially individually. Other secondary markets are on the way would be my thinking. Yeah.

[00:20:54] The ticketing secondary market is just the first example of this.

[00:21:01] Andy Still: We already see it for sneakers, don't we.

[00:21:02] Andrew Ash: There's a stock market for sneakers, but yeah, tickets and sneakers are the two that are clear. But I can't get past thinking that as more high value, especially tech, goods come out, you're gonna start to see these secondary, these initial secondary markets.

[00:21:19] Matthew Gracey-McMinn: So I'd also note that, we've seen in this specific release for Oasis, previously scalpers who bought up tickets on previous tours for other bands and so forth, sold them to try to resell them typically through the legitimate marketplaces. In this case, we think at least partially because Oasis themselves said they didn't want that to happen.

[00:21:41] And there has been more crackdown on this. They've actually started setting up their own marketplaces, often in hidden forums like Telegram and Discord. So we saw that with this release.

[00:21:50] Andy Still: It's interesting. Yeah, because they are different. So tickets and sneakers are different in that they are unique, limited edition items.

[00:22:00] The tech products like your PlayStations, they go via eBay, et cetera. Don't you? Because essentially you, you want a PlayStation, that's, any... they're all the same. If you want a ticket, you've got things like the level of ticket, the date, the venue. There's a lot of variants on the ticket.

[00:22:23] Tickets are, in terms of the complexity of selling them, they are one of the most complex items just because any individual ticket is unique. You can't resell, you can't sell that more than once, which in terms of the challenge of the technical overhead makes ticketing way more complex than anything.

[00:22:45] Most things you sell, you just have a bucket of so many and you knock them down till they're gone. When you're selling tickets, you essentially have to allocate a specific ticket to a person and then they pay and then you allocate it to someone else. You, the bit where you've sold the same ticket twice, that's the point where you get a lot of angry people.

[00:23:05] Andrew Ash: Angry people who actually meet each other as well, which is suboptimal in the process, I'll suggest. But it, is, you were saying, the human desire for these high value scarce items. The kind of, I want a PlayStation 6 and I want it now, and I'm actually happy to pay three grand for it rather than 600 quid because I can.

[00:23:27] That drives similar behavior. That drives a similar behavior. Yes. I can't sell it to two people at the same time because I have to send it to one of them. But yeah, I do think that this is going to become the secondary market pieces is going to expand over the next few years. Just to move on to something a little more technical, Matt, we talked about what we saw in the lead into the, to this, event, what did we see during and after what were the, what was the path taken by the bot operators and, and what was their return on investment?

[00:24:02] Matthew Gracey-McMinn: So they were... frankly, a lot of them were quite successful. They essentially, the second they were up, ready to go, they had their weapons all spooled up, ready to fire. The second the tickets dropped, they were there. Bots were flooding the waiting rooms, the queues and so forth.

[00:24:20] And essentially the attackers were largely trying to either get around the queue, essentially queue cutting, or they were trying to, basically put so many of their sort of fake personas into the queue that they had a very good chance of getting through to the front and getting as many tickets as possible.

[00:24:35] To give you an example, the one group we monitored, they were able to get about 1,500 tickets, quite a substantial share of it for such a small group. Bear in mind that's a largely inexperienced group who've never previously been involved in ticketing. But they managed to get 1,500 nonetheless.

[00:24:51] Their ROI, their, so the amount of profit they made on those tickets, we estimate to be about £550,000. So that is a phenomenal amount of money. One in... one other individual we tracked, so this is an individual. He built his own tools. He launched his own attack. He was able to acquire about 228, I think it was, tickets.

[00:25:13] And he made a profit of about £83,000. That, people made a lot of money, basically on that day. Most people are making a year, frankly, it's a, it's one of the reasons this is such a popular attack and so difficult to deal with. People are paying their mortgages.

[00:25:32] They're feeding their families off the back of this. They're getting rich off the back of this and they're incentivized to reinvest a lot of that money into future attacks to ensure success is there as well.

[00:25:42] Andrew Ash: It's a lot and it's not honest work.

[00:25:44] Matthew Gracey-McMinn: No.

[00:25:45] Andrew Ash: Is probably the way to look at it. Yeah, that, for a weekend, that's a staggering amount.

[00:25:52] And the return on investment, you can see the effort that's gone into the, the people who've been scalping. The, return on investment is so big. It's not going to go away. It's worth the risk. It's worth the investment of time, it's worth the investment of technology.

[00:26:13] It's a lot cheaper to run a bot farm than it is a ticketing website. For all the complexity of the bots and the way that they get around protection, it's a bot that makes web requests. It doesn't take web requests, it doesn't have to serve anything like a ticket site does, all the images, et cetera.

[00:26:31] So the cost is relatively low.

[00:26:34] Matthew Gracey-McMinn: Yeah.

[00:26:35] Andrew Ash: Did we see any evidence of different types of proxies being used to, run this, or is that just built into the kind of Adonis bot type, infrastructure that already exists?

[00:26:48] Matthew Gracey-McMinn: So in this case, we saw a lot of people using different proxies. So the whole ecosystem around scalping, both for, as you guys were discussing earlier, products like shoes and for events, like Oasis, the whole... there's a whole ecosystem, a whole industry with its sub industries built around it.

[00:27:07] So you have the people who actually use the tools, the scalpers themselves. So they actually often buy the tools from dedicated development teams. Some of the more advanced groups may have their own in house development teams. And, thinking back to my consultant days, frankly, a lot of these groups are better at agile development than a lot of professional companies I used to go into and consult for.

[00:27:30] So these guys are no joke. They're very serious, very professional. They know exactly what they're doing. This is their day job. This is their night job. This is their weekend job, and they work really hard at this is, and essentially, they, you've got the scalper bots, they basically usually buy or have their in house development teams build a tool.

[00:27:49] You have other sort of specialist groups who build components of those tools, like the, I mentioned before, like queue bypass systems and things like that. Ways of cutting the queue, ways to beat the security controls. You have people provide sort of fake identities, say, some people will have spent months or years.

[00:28:05] This is all they do, basically, is they create fake accounts on the ticketing site with believable identities and so forth and they sell those accounts to scalpers so that they can use those accounts to make purchases where they're limited to so many purchases per account. Those people are providing those details to the scalper groups as well.

[00:28:22] And then you have the infrastructure providers who essentially have huge botnets. Many of these people are frankly criminal. They have taken over their botnets using malware and so forth. So they've taken over, say, your phone or my phone with malware. And now they'll rent out access to that to allow someone to proxy and attack through that phone or that computer, to make it look like it's coming from us, not from say a data center somewhere else instead.

[00:28:46] So all of this combined creates this very sophisticated attack, coming from a very sophisticated ecosystem that can be very hard to stop.

[00:28:54] Andrew Ash: Yeah. And these ecosystems are evolving all the time as well, getting more difficult to actually identify. I know one of the things that came out in the press over the course of the event was, people were being treated as if they were bots.

[00:29:12] How important is it for ticket sellers to get the balance right between blocking bots and not blocking humans by accident?

[00:29:19] Andy Still: Yeah. So I, all my family individually got called bots. As well as when we were trying to buy tickets.

[00:29:29] Andrew Ash: I've met them and I can say for sure they're not.

[00:29:31] Andy Still: My... well, that's... one of my children said to me, "Dad, I'm a bot. Why haven't you told me before now?" So it's, this is how I chose to break it to you. I mean, what you already have, as I mentioned earlier... you have a million people there who are not going to be happy at the end of this on sale. You also have a lot of people who've spent a lot of time in this. So I don't know about the others on this call.

[00:30:02] I probably spent four or five hours across the day trying to buy a ticket. It's already frustrating enough waiting to get in the queue. When you get in the queue to actually get to the front and then you're told you can't buy a ticket for... because you're a bot when you're not a bot. Anything like that, there's already a sense of unfairness that is there, and to have that taken away, the chance when you've actually got there, to take away.

[00:30:32] Similar to other things like, people being knocked out of the queue ahead of time and all these kind of things that you, all these stories that you hear, create this sense of dissatisfaction. That sense of dissatisfaction plays out on social media, in the news stories. These are, this is what hits the headlines.

[00:30:51] What doesn't hit the headlines at the end of this day, as a, from my background as a ticket seller, you don't get stories out there of 1.4 million happy people who've got the tickets. You get a small group of people who are unhappy for various reasons. And the amount of kind of conspiracies that build up in people's minds as to why that was. I still... I was responsible for the Glastonbury sales back many years ago and I still remember on Twitter reading the next day, yet again people from Wales have not been allowed tickets to Glastonbury. And I can tell you for a fact that was not the case. There was no blocking people from Wales, but people will put that. And I think that's the sense of why it's really important that you were not blocked. Essentially accusing someone of fraudulent behavior, which, it's quite a, it's quite an accusation.

[00:31:44] People don't like being accused of that. And on top of the unpleasant experience I already have in trying to buy this. That's why it's really important to get it right. It's also really important to get it right the other way. So it's really important that obviously what we've heard from Matt, bots were successfully getting through this process and humans were being taken out, categorized as bots was clearly that those attempts weren't working correctly. But it's important to have that defense in place to stop this activity, but it's really important that is accurate. It's also, when we look at really busy on sales like this, people's behavior is slightly unusual.

[00:32:28] So normally if I'm buying a ticket, we will not have eight or nine devices coming from my house trying to buy a ticket at the same time. We will not have one all those computers potentially with multiple sites open, pressing, refreshing and trying different things to get different things working.

[00:32:50] So behavior is already unusual, so any of those kind of normal defenses that you would put in place that look at that kind of device activity or down to individual households... they are not typical, and as I say, we've no idea what the methodology used to detect bots here. But I suspect it was that kind of thing where unusual behavior was being seen, but that unusual behavior was usual, or legitimate in that situation.

[00:33:24] Andrew Ash: Exactly, and the kind of frustration of being in a queue for three hours drives different behavior from humans. It doesn't drive different behavior from bots. They still do exactly the same thing as they've been programmed to do. So it's more likely that the humans will look bot like, and the bots will look human.

[00:33:42] Andy Still: Yeah, humans keep pressing refresh on the... yeah.

[00:33:48] You want to make something happen. Yeah.

[00:33:50] Andrew Ash: A very British thing to queue but to complain while you're in the queue.

[00:33:53] Andy Still: Yeah.

[00:33:55] Andrew Ash: I think the refresh button is the complaint basically, isn't it?

[00:33:58] Andy Still: Yeah.

[00:34:00] Andrew Ash: We're a little bit up on time. So I just want to ask one more question to both of you.

[00:34:06] Is this a winnable battle? Can, there's, as you say, 1.4 million people will get tickets and they'll be very happy. There'll be a million people who are a bit annoyed about the whole thing and left with a bitter taste in their mouth. Is this a winnable battle?

[00:34:21] Andy Still: Is it, is it... I guess your question is, is the battle to stop bots reselling tickets a winnable battle? The answer to that is yes, it's a multi-pronged battle. So part of this as we said as bot protection vendors, we would say stop them at source, we at Netacea have the best bot detection approach.

[00:34:49] We can detect that bot activity as it happens and we will detect as much as possible. Will we get all of it? Probably not in that situation. So you then need to back that by post transaction analysis, canceling tickets. You then also need to back it by clamping down on the resale of tickets.

[00:35:09] Now, ideally you remove them from the genuine secondary markets. That already has a big impact because there's a lot of people who buy tickets through one of those markets. A lot less so buy it by your dodgy Telegram channel. So you do that, you drive that down. And the last level, the ultimate draconian level is that you start blocking the usage of those tickets and actually punishing the people who've spent the money to try and drive down the market.

[00:35:38] So it's a winnable battle, but it's not an easy one. There's not an easy fix for this, in the same way there's not an easy fix to have a ticketing site that stays up when it's got 2 million people trying to buy tickets. It's a hard problem to solve.

[00:35:53] Andrew Ash: Very hard problem to solve.

[00:35:55] MGM, from your point of view, the kind of holistic approach, I know we were well informed as to what was happening on the day, and in the lead in, anything you want to add to that kind of, is this a winnable battle?

[00:36:08] How do we, what data do we need to try and beat these guys?

[00:36:13] Matthew Gracey-McMinn: I think I would distinguish that I think it's a winnable war. I think if, in my mind, every battle, every event is essentially a battle. And it's important to go into every single event, every single battle, with as much intelligence and much awareness of what the attackers are going to do.

[00:36:31] What their objectives are, what their capabilities are, what technologies they have available to them, what their tactics are going to be in that battle. And the more intel you have, the better your chances of winning that individual battle. And I think if we win enough battles against these guys, like I said, they're paying their mortgages, they're making money this way, this is their job.

[00:36:50] If they stop making money, if the ROI becomes too expensive for them, they will back out of the war, and ultimately we would win at that point. So I do think this is winnable. I think intelligence is core to that, because by understanding what the attackers are going to do, all those things I just said, the tactics, the techniques, the procedures that attackers are going to employ in the pursuit of this objective, if you can counter all of those and prevent them in one battle, then they'll come up with new ones for the next battle.

[00:37:18] But if you keep blocking those, eventually they're going to go, I'm losing too much money on this, or I'm just out of ideas. I can't beat this, these guys. I'm going to give up and move on.

[00:37:28] Andrew Ash: I'm going to go on to PlayStation 6s. I'm going to go on to whatever it might be next.

[00:37:32] Matthew Gracey-McMinn: Yeah, exactly.

[00:37:34] Andrew Ash: 50p coins, whatever's got some value in the market today.

[00:37:39] Very good. Okay. So on that note, I'd like to thank Andy and Matt for joining me today. I think that was a really good discussion on what is a very relevant topic at the moment. If you have any questions for us, please either leave a comment if you're listening via Spotify or YouTube, or you can mention us on our X account @CyberSecPod or email podcast@netacea.com. Please do make sure you subscribe wherever you get your podcasts. And finally, thanks once again to the Netacea team for joining me today. And thank you for listening. We'll see you next time for the Cybersecurity Sessions.
