[cryptography] CAPTCHA as a Security System?

John Levine johnl at iecc.com
Mon Jan 2 22:08:07 EST 2012

Ticket sellers and scalpers have been fighting since long before
there was an Internet.

>To do much better than slow down the scalpers Ticketmaster would have
>to either do a lot of work (with payments system providers' help) to
>ensure that payments are not anonymous and that there is one
>person per ticket purchase for any one event

They already do that -- the only way to pay on their web site is with
a credit card, and you can't use the same card for a lot of purchases
in a row.  I'm pretty sure you can't use another card with the same
mailing address, either.

> or else they'd have to auction off the tickets so as to find the
> market price for them.

For a variety of business reasons they usually don't want to do that,
and they don't want brokers to do it for them.  Sports teams want it
to be at least somewhat possible for fans to get tickets.  That's why
they let people wait in long lines, since that's correlated with fanly
devotion rather than wealth, and sends the message to the rest of the
fans that if they were equally devoted, they too could get tickets.

Ticketmaster wants to make it as easy as possible for individuals to
buy tickets, while making it as hard as possible for scalpers
pretending to be individuals, or individuals working for scalpers, to
buy them.  CAPTCHAs keep out the less determined scalpers, but there
is no reliable mechanical way to tell a nice human from a nasty one.

Scalping can be very profitable, with markups of $100 per ticket not
unusual, so if I were a scalper, I'd have a network of web proxies,
to make it hard to tell that they're all me, a farm of human CAPTCHA
breakers in Asia who cost maybe 5c per CAPTCHA, a large set of
employees, friends, and relatives who will let me use their names and
credit cards (for a small commission) and scripts that blast through
Ticketmaster's web pages as fast as they can, so they can buy the
tickets the moment they go on sale, before real humans can.

At some point, since there aren't that many large scalping operations,
rather than playing an endless game of jumping through hoops and
crypto cat and mouse which will certainly have the side-effect of
losing some legit purchases, it is perfectly sensible to go after them
legally.  One of the advantages of having a working legal system is so
that we can live reasonable lives with $20 locks in our doors, rather
than all having to spend thousands to armor all the doors and windows,
like they do in some other parts of the world.
