A federal grand jury in New Jersey has indicted four owners and key employees of a California-based company that prosecutors said for years illegally cornered the market on the best concert and sporting event seats.
The grand jury indictment claims the company controlled thousands of Internet and email addresses, telephone numbers, and credit card accounts to make it appear that thousands of individual consumers were buying seats. In reality, the indictment alleges, all of the tickets were going to the company, Wiseguy Tickets, for resale to ticket brokers for as much as US$1,000 in excess of their face value.
The efforts resulted in more than $25 million in illegal profits, according to U.S. Attorney Paul Fishman.
Just ‘Camping Out’
The allegations are weak, according to K&L Gates partner Mark Rush, who represents Wiseguy’s cofounder and operations chief Kenneth Lowson.
Lowson and his colleagues did the computer version of hiring “a bunch of their friends to sleep in sleeping bags and camp out at the ticket office,” Rush told the E-Commerce Times.
“What I find most troubling is that the U.S. Attorney is attempting to criminalize that which Congress has not, which is ticket brokering.”
Ticketmaster, the largest online ticket-seller in the U.S., and one of the alleged victims of Wiseguy’s attacks, did not respond to a request for comment by deadline for this article.
Details of the Scheme
According to the indictment, the Wiseguy scheme worked like this:
Lowson and his colleagues hired programmers in the U.S. and overseas to assemble a network of computers that would monitor online ticketing sites for the exact moment when tickets to desirable events would go on sale.
A bank of computers programmed with instructions to bypass Captcha, the simple reading or audio tests used by many Web sites to weed out human users from automated ones, would then take over.
Captcha images are generally distorted text that users can more or less easily recognize, but which are harder for computer optical character recognition programs to make out. Among other things, the indictment alleges Wiseguy employees developed a database of the limited number of Captcha images, file names and answers, so that its computers could quickly answer the challenges and gain access to buying pages.
The indictment alleges Wiseguy officers worked hard to conceal their efforts, registering disparate Internet addresses from which to operate and requiring brokers to contribute hundreds of discrete credit card accounts that could be used to purchase tickets.
The effort, which ran from approximately 2002 to January 2009, netted 1.5 million primo tickets for events such as Bruce Springsteen and Hannah Montana concerts, the NCAA Rose Bowl game, New York Yankees and New York Giant playoff games and even tickets to tapings of the television show “Dancing with the Stars,” according to prosecutors.
Ticketing companies tried to stop Wiseguy from the automated buying, but the company kept changing tactics to avoid detection, according to the indictment. The ticketing companies spent some $1 million combating the problem, it claims.
The 43-count indictment accuses Lowson and colleagues Kristofer Kirsch, Faisal Nahdi and Joel Stevenson of various criminal acts, including wire fraud and conspiracy to commit wire fraud. Lowson, Kirsch and Stevenson also face charges of gaining unauthorized access and exceeding authorized access to computer systems, and causing damage to computers in interstate commerce.
If convicted, each defendant could receive up to five years in prison on the conspiracy charge and up to 20 years on each wire fraud charge. Lowson, Kirsch and Stevenson face up to five years in prison and $250,000 in fines on each of 19 illegal access counts, and 10 years in prison on each of six damage counts. Lowson, Kirsch and Stevenson surrendered to the FBI on Monday. Nahdi is overseas, but is expected to surrender in the next few weeks, according to Fishman’s office.
Can Only Hope to Slow Them
So long as Captcha images are remotely discernible to humans, hackers can gain access to systems that rely on them for security by building databases or employing optical character-recognition programs to determine answers, Nick Chapman, a researcher at SecureWorks, told the E-Commerce Times.
Hackers have even been known to use unwitting visitors to porn sites, or low-paid third world workers, to solve Captchas on behalf of automated systems trying to gain access to systems elsewhere, he said.
“A Captcha is only effective to a point,” said Chapman. “It can only slow someone down.”
Law Is Best Defense
The most effective means of combating such efforts is intensive law enforcement and finding ways to make doing business for would-be Captcha busters too expensive, Chapman suggested.
For its part, Google — which owns reCaptcha, a company that provides text-based tests to thousands of Web sites — said the company still believes the tests are effective but shouldn’t be the only line of defense.
“Captchas remain a powerful and effective tool for fighting abuse, but they are best used in combination with other security technologies,” spokesperson Jay Nancarrow told the E-Commerce Times.” At Google, we modify our Captchas when we detect new abuse trends.”