Judge Clears CAPTCHA-Breaking Case for Criminal Trial
A federal judge in New Jersey has cleared the way for a landmark criminal case targeting CAPTCHA circumvention to proceed to trial.
The case targets a ring of defendants who used various means to bypass CAPTCHA — the squiggly letters and numbers websites display to prove a visitor is human — in order to automatically purchase thousands of tickets from online vendors and resell them to premium customers.
The defendants have been charged with wire fraud and with violating the anti-hacking Computer Fraud and Abuse Act, in an elaborate scheme that allegedly used a network of bots and other deceptive means to bypass CAPTCHA and grab more than 1 million tickets for concerts and sporting events. They made more than $25 million in profits from the resale of the tickets between 2002 and 2009.
Prosecutors alleged that bypassing CAPTCHA constituted unauthorized access of ticket seller servers.
Lawyers for the defendants had filed a motion to dismiss the charges on grounds that the government was trying to turn what should be a breach-of-contract civil matter into a criminal case, potentially increasing “exponentially” the universe of federal crimes.
“This Indictment does not seek to punish computer fraud, it inappropriately tries to regulate the legal secondary market for event ticket sales through an overreaching prosecution,” the defendants argued in their motion.
The Electronic Frontier Foundation filed an amicus brief also urging dismissal of the case.
But the government maintained that the defendants’ actions constituted traditional fraud. They “lied about who they were,” prosecutors argued. “They lied about their business model. They lied when they impersonated thousands of individual ticket buyers. And they lied when they established thousands of false email addresses and domain names.”
Last week U.S. District Judge Katharine S. Hayden sided with prosecutors and declined to dismiss the charges. The case is now set for trial on March 1.
Defendants Kenneth Lowson, 40, and Kristofer Kirsch, 37, operated Wiseguy Tickets and Seats of San Francisco. They were indicted, along with employees Faisal Nahdi, 36, and Joel Stevenson, 37, for allegedly setting up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.
Stevenson, who earned $150,000 as the outfit’s chief computer programmer and system administrator, allegedly created code used to purchase the tickets and also oversaw a team of other programmers based in the United States and Bulgaria. The ring used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks.
Wiseguy often obtained so many premium tickets for an event that it was the leading source for the best tickets to some of the most popular venues, according to prosecutors. They allegedly purchased tickets to Miley Cyrus, Barbra Streisand, Bon Jovi and Bruce Springsteen concerts, as well as tickets to the Rose Bowl football game in 2006 and the 2007 Major League Baseball playoffs at Yankee Stadium.
Lowson allegedly boasted to one of his contractors in 2005 that Wiseguy had purchased 882 out of 1,000 Rose Bowl tickets that had gone on sale for the 2006 championship football game. In 2007, the owners offered employees a 100 percent salary bonus if the company met a goal of purchasing 1 million tickets of a certain value, authorities said.
In 2007, they thwarted a ticket lottery set up to purchase tickets to the New York Yankee playoffs. The lottery limited purchases to two tickets per person, but Wiseguy was able to purchase 1,924 tickets worth about $159,000, authorities said.
In arguing for dismissal, the defendants cited the cyberbullying case of Lori Drew. Drew had been charged with a criminal violation of the Computer Fraud and Abuse Act for essentially violating MySpace’s terms of service agreement when she set up a MySpace account with co-conspirators. Although a jury convicted Drew on two misdemeanor counts and hung on a third count, the judge overseeing the case ultimately threw out the conviction on grounds that the verdict would criminalize a breach of contract.
In rejecting the defendants’ motion, Judge Hayden noted that the Drew case was dismissed by a judge only after prosecutors had an opportunity to prove their case at trial.
“The Court is satisfied that the indictment sufficiently alleges the elements of unauthorized access and exceeding authorized access under the CFAA, and sufficiently alleges conduct demonstrating defendants’ knowledge and intent to gain unauthorized access,” she wrote in the Wiseguy case.
She further dismissed the relevance of the Lori Drew case, saying the Wiseguy case is more substantive and involves not only allegations of breaches of contract but also of code-based restrictions, that is, the CAPTCHA features.
“In this case, the facts and the law are so closely related that further development of the record will shed light on crucial questions, such as what exactly the defendants did, how the alleged code-based restrictions worked, and whether the defeat of CAPTCHA challenges and circumvention of Ticketmaster’s security measures is indeed distinct conduct from the terms of service violations described in Drew,” wrote Judge Hayden. “It is only at that point that the Court can examine and rule on the defense theory that the CFAA and wire fraud counts are inextricably entwined, and so if the CFAA counts fall, so must the wire fraud counts.”
Primary online ticket vendors sell tickets on a first-come, first-served basis and have invested millions of dollars in architecture that queues up customers in the order they arrive to a site. This protocol reserves a ticket or block of tickets in the system for a limited time, such as 5 minutes, while the buyer decides whether to complete the purchase.
Premium tickets can sell out within 30 seconds for popular events, making it crucial where a buyer stands in the queue.
To prevent bots from purchasing tickets in bulk, online ticket vendors use CAPTCHA challenges and Proof of Work software that is designed to detect and slow down computers that are attempting to purchase large numbers of tickets. Online vendors also block IP addresses used to make bulk purchases.
According to the indictment, Lowson and Kirsch interviewed former employees of online ticket vendors to determine what measures they took to thwart automated buying and also obtained source code, in some cases through hacking. They then advertised for programmers who could bypass CAPTCHA challenges to get to the purchase page and figure out ways to defeat ticket queues to land coveted spots at the front of the line.
The perpetrators’ bots monitored ticket websites and sprang into action the minute tickets went on sale, opening thousands of internet connections simultaneously, defeating both visual CAPTCHAs and audio CAPTCHAs used for visually impaired customers. The bots also filled out purchase pages with customer credit card information and fake e-mail addresses.
Ticketmaster used various means to try to thwart Wiseguy’s operation, at one point switching to a service called reCAPTCHA, which is also used by Facebook. It’s a third-party CAPTCHA that feeds a CAPTCHA challenge to a site’s visitors. When a customer tries to purchase tickets, Ticketmaster’s network sends a unique code to reCAPTCHA, which then transmits a CAPTCHA challenge to the customer.
But the defendants allegedly were able to thwart this as well. They wrote a script that impersonated users trying to access Facebook, and downloaded hundreds of thousands of possible CAPTCHA challenges from reCAPTCHA, prosecutors maintained. They identified the file ID of each CAPTCHA challenge and created a database of CAPTCHA “answers” to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said.
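The weakness described above is a challenge identifier that stays the same wherever the challenge is shown, so an answer learned once can be looked up again. The sketch below is an added defensive example, not code from the article, the indictment or any vendor: it issues a fresh random token per display, binds it to one session, and consumes it on the first attempt. All names (`issue_challenge`, `verify_response`, the session strings) and the in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the challenge service
_pending = {}  # token -> (session_id, answer_mac, expires_at); in-memory store for this sketch


def _answer_mac(answer):
    # Keep a keyed digest of the normalized answer, never the plaintext.
    normalized = answer.strip().lower().encode()
    return hmac.new(SERVER_KEY, normalized, hashlib.sha256).digest()


def issue_challenge(session_id, answer, ttl=120.0, now=None):
    """Return a fresh random token for one challenge shown to one session."""
    now = time.time() if now is None else now
    # The token is new on every issuance and encodes nothing about the challenge,
    # so the same challenge never appears twice under the same identifier.
    token = secrets.token_urlsafe(16)
    _pending[token] = (session_id, _answer_mac(answer), now + ttl)
    return token


def verify_response(session_id, token, response, now=None):
    """Check a response; the token is consumed on the first attempt, right or wrong."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)
    if entry is None:
        return False  # unknown token, or one that was already used
    owner, expected, expires_at = entry
    if now > expires_at:
        return False  # answered too late
    if not hmac.compare_digest(owner.encode(), session_id.encode()):
        return False  # token was issued to a different session
    return hmac.compare_digest(expected, _answer_mac(response))
```

Rotating the identifier only helps if the challenge content itself is also generated fresh rather than drawn from a fixed pool.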
The perpetrators took orders from ticket brokers, who were required to provide credit card numbers and account holder names in advance of a purchase so they could be programmed into the bot. Once the account holders received the tickets, they’d send them to Wiseguy, which would refund their credit card account. Wiseguy also had a bank of about 1,000 phone numbers that the bot submitted as customer contact numbers.
The bot would seize a block of prize seats, from which Wiseguy employees would cull the best for clients, then release unwanted seats back to the system. A legitimate ticket buyer who tried to purchase the same seats during this time might find them unavailable one minute, then available the next minute.