Have Booking Bots Beat You? How Concert Ticket And Slot Bots Snatch Your Bookings | Talking Point

So, I've decided to take a day trip to JB over the weekend and bring the whole family with me. But instead of driving, I'm going to take the train to try and skip the jam. So, let's try and get some tickets. Saturday, 21st February. Oh, all the seats are taken. Let's try 22nd Feb. There are no tickets at all. From 10:00 a.m. onwards, all the tickets are sold out. Let's try another weekend. I wonder if I tried a Friday. Oh, zero. Man, it's really hard to get these tickets. Looks like I'm not the only one. And it's not just train tickets from driving lessons. >> If you've been trying to book classes on BBDC, you know how challenging it is. It's a six month wait till my next driving class at BBDC courts. And behind this frustration are bots. Bots first made headlines snapping up high demand items like concert tickets, toys, sneakers, anything scarce but valuable. But it's now being used for everyday essentials. Which is why in this episode of Talking Point, I'm investigating what it takes to beat a bot. Bot, short for robot, automates task online. And what it means is that if I use a bot, instead of just me trying to make a booking, it'll be hundreds, even thousands of me all clicking at once. Now, using one would clearly give me an advantage. So, I want to find out how to create my own Emil Tan is part of a volunteering group of tech developers that helps people concern about cyber security. But what I'm about to ask him to help with, that's a first for him. >> How easy or difficult is it to build a bot? >> It's actually extremely easy. >> For you is extremely easy. Would it be extremely easy for me? It might take uh a while for you to understand it. But pretty much a board is emulating the interaction that you have with the website. You're just putting that uh into codes. >> But I don't know how to write code. >> So there are two ways of doing it. >> One is of course you have to look at a little bit of code. I have this proxy website that I created. Imagine we have a sports facility. Let's say go for sports hall. >> 8 p.m. >> 8 p.m. Here we go. It's booked. Right. So everything is confirmed. >> But this is just the normal book that I would do as a human being, right? >> Exactly. >> If I want to automate it, this is the bot that we've created. >> Oh, okay. >> This is a low code method. >> You go Chrome web store, click install, and that's it. And you get this blank page. And you can just say you want to create this workflow. And it will tells you, all right, what do you need? Do you want to emulate creating a new tab? You want to emulate clicking of certain elements of the web page, find that form, >> you can [music] drag and drop it. >> Oh wow. >> When you design the whole board, you just need to rethink about what is the actual interactions. Now let's try on the proxy website. So if I click play on that, it opens the new tab. Y >> click on the facilities. Done. Done. >> Boom. Boom. >> So, I actually tell you to continue repeat to book as many as two or three of the slots. >> Okay. That took like one less than a minute. >> Probably less than 10 seconds. >> Yeah. >> And this program is absolutely free. >> Oh, it's free. Okay. >> This is another website we created, right? So, let's say we want to go JB coming back from Woodlands with a train, >> right? So now I can see every seat being selected. >> Yeah. So I'm not doing anything. This is all the boards doing it. >> Wow. Okay. Yeah. It's happening in real time. As you're blocking it, I can see it showing as reserved on my side. >> Mhm. >> So for this we actually use another program also free. This particular website actually a lot of legitimate business use it for their day-to-day workflow in processing of invoices uh sending out certain emails and so on. for this instead of looking at codes you actually do a bit of image recognition right here so this is a lot easier this is a no code method >> how effective is this >> so if the website change let's say is the the URL change or the schedule change the bot will not be able to find that the correct button >> how sophisticated can these bots become >> everything is up to your creativity you can create bots that create a lot of accounts I can then tie it to some of the AI that is really easily accessible as well to say that generate me a list of 500 uh randomized name, last name, emails and so on and so forth. I feed that into my bot, create 500 uh accounts. >> Okay. >> With all this B creation software is very accessible now. Bots is actually business illegitimal business. Yeah. >> Yeah. >> From a recent study, bots now make up more than half of all global internet traffic. Some of these are from good bots like search engine crawlers or tools that help websites function. But around 37% of that traffic was malicious. These refer to bots that steal data, facilitate payment fraud, and manipulate online booking systems. In Singapore, whether a bot is legal depends on how it's used. If it's used to spread fake news, it can fall foul of laws like POFFMA. And if it's used for hacking or scams, that's clearly illegal. Customer service chat bots and social media automation bots are perfectly legal. And that's why ready-made booking bots can still be found openly on online marketplaces. These are bots that claim to snap up train tickets to JB, book driving lesson slots, and even sports facilities. Prices can start as low as $3 to $10. Those are the cheaper ones. There's this one that goes for around $100, promising to tailor a bot that can secure concert tickets or booking slots for you. >> [music] >> Sneaker enthusiast and IT graduate John started using ready-made bots to snag limited edition shoes of auction sites. After some success with the bot, he learned to code his own, which he then sold for between $150 to $600. These are all limited edition sneakers. All the sneakers you see, I've used BS to actually purchase them. I realized I could make some money by leasing out these boards. I developed myself with a team of people behind me. One can only do so much, but working together with experts from different industries that knows these markets better helps you to conquer more in a shorter period of time. >> So you created this software and then you said now you want to use it, I'll let you use it. Just pay me a fee. >> That's right. >> How much money were you making from doing that? Well, it's a good sizable six digits. Yeah, it's a monthly subscription. There's many bot providers in the market, right? We're just one of the many. Right now in the market, you see many people using bots. You say it's an unfair advantage. I think it's about how you see it. It's more in perspective. >> How do you justify that? >> Everything's unfair. Just how you see it. Whether do you want to try a luck or do you want a sure win kind of thing, right? For me, I prefer a sure win. Right? If that costs slightly more than whatever I'm paying, I think it's better than rather guessing whether would I get it or would I not get it? >> So you don't feel in any way that it might be a bit unethical to sort of game the system this way. >> I think any of a willing buyer, willing seller market as long as it's a willing buyer, willing seller, people are willing to pay the price for it. >> What are the things people are using bots to buy? >> Anything under the sun? driving lessons, tennis bookings, bminton cards, shoes, labu, Pokemon cards, train tickets to Malaysia, concert tickets, whatever you can turn off. People that sell these products or tickets or service to make money. >> Train tickets, you know, driving lesson, booking slots. I mean, how much money can you make from that? >> Peanuts compared to shoes, but it works in the volume. The more you book, the more demand for it, the more money you make across a longer period of time. for driving lesson bookings. The fee you're paying it's about five. >> Okay. Five bucks per booking. I mean if every day I get at least 100 customers >> maybe lesser. Let's do 50, right? And say 50 * 5 you're making what? 250. >> 250 bucks. >> Yeah. Somewhere there a day. They usually listed on different online marketplaces. There's many people who needs this service. Shoes is more of a one, not a need. Driving lesson booking is a need because you need to clear that before you can go on to the next stage to finally graduate to get your license. That's why people are willing to pay. >> You've asked us to keep you anonymous. Why is that? >> Better to be unseen rather than out there. That creates backlash that creates hate because at the end of the day, some people don't support such bad actors to purchase products or tickets or whatsoever. Platforms have been trying to keep so-called bad actors out, which is why you've probably come across this. But can these actually [music] stop bots in Singapore using booking bots in itself is not illegal. There is no specific law that bans the use of automated software [music] to secure tickets or booking slots. However, many platforms have their own rules. Websites like Ticket Master, Comfort Delgrow Driving Center, the Singapore Island Country Club, and Booking.com state explicitly that bots are not allowed. If you're caught using one, the most they can typically do is suspend or block your account. And when you log into many websites today, you've likely encountered a capture. You know those quick tests asking you to pick out the traffic lights, to solve a small puzzle, or to type out some distorted letters. Now, I bet you didn't know that capture stands for, wait for this, completely automated public touring test to tell computers and humans apart. Yeah, that really helps. But its purpose is simple, to prove that you're a real person and not a bot. Now, over time, captures have evolved from simple text challenges to image recognition and even behavioral checks. And as bots become more advanced, especially with the help of AI, even these tests are getting harder to rely on. to understand how far bots have come when it evades detection. I'm meeting someone who studies how AI systems behave, including bots. >> As AI gets more advanced, um some of these bots are using AI to basically solve some of these puzzles. >> Yeah. So, if you look at this, um this is how perhaps a traditional look. >> You're going to copy the same wording, the letters that you see on the screen. >> Exly. Let's say we use a arbitrary um you know, AI model to basically solve this. So what do you see in this image? >> Mhm. >> And the AI models will be able to tell what's the answer for this. >> Okay. >> So right now the bots can actually take this image, pass it to AI model to say, hey, what do you see from this image? Tell me the answer and I'll input that to basically overcoming this capture. >> Wow. >> Things can can actually get more advanced. I think you've probably seen some of these more advanced captures that look something along this line. Again, if we input this into the systems, the AI system again will be able to get it right as well, right? To solve this. In fact, it knows that it's a capture. >> Which one? Top row, second, the left >> and I'm sure it'll be super fast as well, right? >> Super fast. >> The other end, the website doesn't know that's not a real person, >> right? So many of these bots are designed or programmed to basically simulate human behavior on the web. Let's say if you're using it for booking a particular service, the B is able to simulate the human behavior to basically do their booking for you. The bots are moving very fast such that it's inhuman speed. If you are doing the bookings at that kind of speeds, many of these website would have known that doesn't look quite humanike and likely that's a bot activity. So the bot will try to slow it down to humanly possible speed so as to fool the platforms to say that no, I'm a human. So who should be the one to basically you know deter these bots, right? likely is the platform. If there is that overwhelming traffic coming in the website, actual users like you and me will have issues visiting website because it's going to slow and cause a huge disruption. So that becomes an issue. >> Some platforms now have gone on to suspend accounts. They they ban the use of bots. Is that enough? >> Things can be a bit more complicated than that because that banning um may not necessarily translate to effective outcomes. For for instance um you know if you were to do that ban then you are actually blocking that particular traffic from visiting [music] the website and the platforms have to be you know highly assured that you know the traffic I'm bing is really from a bot right if not you're actually banning a real actual customer right that's visiting your website that's the problem >> around the world governments have started to clamp down on booking bots especially where these bots are used to bypass purchase limits or security controls in the US and UK using bots to jump the queue, get around ticket limits or security measures is against the law. In the European Union, if you use bots to break ticket rules or buy more than allowed, it can be treated as unfair and you can face penalties for it. In Japan, bots aren't banned outright, but using them to buy up tickets and resell them at higher prices is illegal under the country's anti-scalping law. Singapore doesn't have a specific law banning booking bots. Instead, authorities rely on broader laws like the Computer Misuse Act if things cross into fraud or hacking. For now, it's up to platforms that value user experience to take the lead in detecting and stopping bots. At a time when bots are becoming easier to access and harder to detect, one platform [music] claims it's managed to curb this problem. In the past, active SG sports facility slots were frequently snapped up by bots and resource. But with the use of cyber security software like capture and cloudflare, active SG were able to identify and block these bots. Between 2021 and mid 2023, Sport SG suspended more than 200 users from its active SG platform for using bots to snap up booking slots for courts like these. In fact, it was one of the first agencies to tackle the bot issue head on. Janice Woon was tasked with the development of the new my active SG+ project in 2022. >> Now in the new system that we have launched is now called my active SG+. >> We actually put in the Sync pass authentication as a means of login. In the old system you can create multiple accounts using different email addresses. [music] However, with SP pass authentication is that is tack on to your IC. Technically one Singaporean can only have one account, right? So sync pass will prevent you to have multiple accounts. Then we know that it's the pick hour slot that a lot of the people are aiming for. We have balloting for pick hour slot which is weekdays after 6:00 p.m. and then the whole weekend 7 to 10. >> Can you show me how it works? >> Sure. >> These are all pick hour slots. So it's all balloted slots. >> Okay. >> Um I look at uh Bishan club's house. Okay. Let's say balloted, >> right? >> Yeah. I will pick my 9:00 slot. >> Review ballot. I see ballot. I go in, it will check whether if you're a human first, then it will review booking. >> Place your ballot. Oh, so you've put your ticket in the pool. >> Yes. With balloting for the pick our slot regardless of what time you put in your ballot. It will still go into the main pool and the following day you will get the results. So it's equal chance for everyone. >> Okay. Okay. So you you you're confident that this has effectively cut down the number of bots, but it's not guaranteed, right? You still can't be sure that >> we we can't be sure because technology is evolving. >> Yeah. >> Since the new Syncpath based authentication system was introduced, Active SG says new unique users have risen by 60%. Not every website needs to use secure login like Syncpass. It can slow things down, cost more to implement, and maybe [music] overkill for simple services. So, if identity checks aren't always an option, and bots are slowly learning how to evade capture, what other tools can be used to keep bots out? Ian Woo has been working with software that detects [music] and blocks automated abuse by analyzing distinctive bot-like behavioral patterns. So what we use is a specialized software called Ootion. We actually install it on the platform itself. The users wouldn't know it's there. It simply helps to differentiate the visitors whether the visitor is a bot or it's a human. >> Oh, how does it do that? >> So here on the left you can see we have actually created a bot. So what we've asked the bot to do is to basically click login, type in the username, type in the password to login. When we activate the bot, you can [music] see how fast the bot behaves. Do you catch that? It locked in very fast. >> Yeah, I think I [laughter] think I have to watch it again. It was so fast. I was thinking >> once we start the B how the B locks in and it locks in. >> Yeah. Wow. >> It's very very fast. So you can imagine thousands of bots right there. The software will actually track all these actions. So for example, you can see we capture this particular login. We give it an ID. For example, here 3 4 1 2 >> That's the name of the Okay. >> Yeah. Immediately in real time, our software already flags B judgement. >> B judgment. >> So what this software does, it just tells the website, hey, this is a bot. And then the website can block. So the software is able to differentiate between a bot and an actual human user. >> There are many patterns to look out for. So the bots are typically more fast. They don't hesitate. >> They don't make mistakes. Not like humans. We have emotions. We hesitate. We move our mouse in a very predictable manner. But the bots will have more robotic behavior. >> Other websites have capture. Bots can bypass that, right? >> Yes. Bots they learn. All the people who program the bots will learn to help them to bypass capture. >> So then we have to find other ways to identify these bots. >> One way is through the behavior of the bots and we can also look at big picture patterns. For example, if many accounts are behaving the identical way, okay, >> then chances are all of them are are the same board, right? >> Or we can detect a single device rapidly creating many accounts >> to login. >> Oh, okay. Technology keeps changing. I'm sure the bots will evolve. They get better. >> Can we [music] always stay ahead? >> Yeah, it's an ongoing battle. So, we have to always look at all [music] the data. That's why our software captures all these user behaviors. And when the bots evolve, we also [music] can see the new patterns and we have to update the software to be able to detect the new bots. [music] But right now what you're saying is actually platforms can adopt software that can detect bots and block at least what 90% of them. >> Yes. Yes. Or even more. Yes. >> Or even more. >> Yes. >> You're so sure. 100%. >> I don't think it will be 100% because there's always evolving. [music] >> Bots are fast. They're everywhere and they're evolving. when they snap up tickets or booking slots in seconds, it can drive prices up and shut ordinary users out. So, can we beat a bot in our own? Probably not. And while some countries have moved to restrict certain bots, here in Singapore, there's no specific law for that. For now, platforms will need to invest in developing better defenses [music] to help genuine users stay one step, or rather one click ahead.

Have you tried booking a service or high – demand item only to be frustrated because it seemed impossible to secure? That could be because bots are snapping everything up before you even have a chance. In this episode of Talking Point, host Steven Chia finds out how these bots are able to grab slots so quickly and often manage to slip past some of the defences put in place by many websites. So, is there anything we can really do to beat a bot? 00:00 Introduction 02:29 How do booking bots work? 07:18 Meeting a bot maker 08:56 What are bots buying? 12:18 How AI helps bots bypass CAPTCHAs 14:28 Global laws on booking bots 16:40 How MyActiveSG+ fights bots 18:47 How platforms detect bots 21:42 Can we beat booking bots? WATCH MORE Talking Point https://www.youtube.com/playlist?list=PLkMf14VQEvTai524iU74UlzpWvb1RRAvl About the show: Talking Point investigates a current issue or event, offering different perspectives to local stories and revealing how it all affects you. ================================================ #CNAInsider #CNATalkingPoint #Singapore #Ticketing #Ticketmaster #Bots #Tennis #Badminton #AI #ArtificialIntelligence For more, SUBSCRIBE to CNA INSIDER! https://cna.asia/insideryoutubesub Follow CNA INSIDER on: Telegram: https://t.me/CNAInsiderSG Instagram: https://www.instagram.com/cnainsider/ Facebook: https://www.facebook.com/cnainsider/ Website: https://cna.asia/cnainsider