Hacker News new | past | comments | ask | show | jobs | submit login
How not to run a ticketing website
36 points by mydigitalself on July 9, 2012 | hide | past | web | favorite | 16 comments
This weekend, I had the misfortune of attending Bloc Weekend, a music festival in London that was shut-down by police due to overcrowding (http://www.thecmuwebsite.com/article/bloc-weekend-shut-down-amidst-over-crowding/).

The ticket vendor, ironically named CrowdSurge, are wiping their hands clean of the incident:

"Upon release of any further information from Baselogic, in particular the refund process for which they are solely responsible, we will contact you again."

The really interesting bit for me is that there were obvious problems with the ticketing system with the barcodes not being scanned correctly, I saw numerous people experiencing this.

I had 3 tickets, each sent to me via email. The ticket contains a barcode, which was scanned at the door. Allow me to present the HTML from the ticket below, in all it's secure glory:

http://crowdsurge.com/et-TicketBarcodeBig.php?code=862484 http://crowdsurge.com/et-TicketBarcodeBig.php?code=862483 http://crowdsurge.com/et-TicketBarcodeBig.php?code=862482

Now I'm not saying that CrowdSurge are solely responsible for what happened at the event, but as you can plainly see above, it's not very difficult at all to fake a ticket. Buy one, you'll have the numeric sequence, print numerous, arrive early, you're in.

Obviously the barcode image URLs need to be protected by unguessable ids with some sort of brute-force velocity checking, not just a URL that you can pass any number into and get a valid barcode in return.

The really unfortunate thing here is that CrowdSurge are a startup trying to disrupt the industry, but surely they have to get their technology a whole lot smarter than this if they want any skin in the game.

Well, let's be fair -- while the ticketing system is obviously rubbish and tickets can be spoofed, there are other organizational issues that were present. The article talks about on-site staff letting in anyone with a ticket, and that the wrong wristbands were given out, just to name a few of the issues.

It's bloody hard to run an event. I've done it for hundreds, and it isn't pretty. 15,000 is a lot, and if you don't have operational experience or a great ops plan, things get very bad very quickly.

So again, while the ticketing is a problem, the other issues would still be present had they used EventBrite or Ticketfly for their ticketing solution.

Tech problems are often the favoured problem space of HN'ers but in this case it seemed that staff training and logistics played just as much if not more of a hand in this failure.

Isn't a barcode easy to generate anyway without the provided URL? I could just make my own software to create the barcodes. A better system of verification would be perhaps matching the barcode ID to the name on the ticket when it's scanned (this data retrieved from a central database).

A barcode is just encoding a number. Creating a barcode is obviously easy, finding a valid number is supposed to be the hard part.

I was there too and don't believe that the problem was with the ticketing system. They overestimated the maximum capacity. The Swamp 81/Numbers stage was massively popular and had a max capacity of 700... for an event with 15,000 attendees.

Well, they surely disrupted that concert.

Oh the irony of the event being shut down for overcrowding, when the company is called crowdsurge

For just £15 you can take them to small claims court if you're refused a refund, I'm not sure if you should be pursuing CrowdSurge (who are clearly inept) or the concert organiser. Either way, don't settle for less than your money back.

You say that the barcode was scanned at the door, and still think you could get all your friends inside using the same ticket?

And how do you know any barcode you get from that website is a valid barcode? It's just a barcode, you can make one in Word if you have the right font..

Edit: Of course, having the ticket codes after eachother like that without any form of security check makes it a bad ticket system, but it doesn't necessarily lead to an overcrowded concert, just a lot of unhappy customers.

A couple of friends of mine were planning on going to Bloc on the Saturday night. They didn't even get near the venue, and I was online immediately trying to piece together the story of what happened. Some reactions from people on Facebook: http://twitpic.com/a4pei0/full

Another nail in the coffin for British festivals. Sad.

The numbering is really the issue, the barcode printing via a URL is no big deal. The barcode should be encoding a secret number, not just encoding some sequential number in a semi-secretive way.

With a barcode that horribly long, wouldn't they have been better going with a QR code for reliability?

Iterating the # gets another barcode, this is poor.

Did you report this issue to CrowdSurge?

If you tell them, then they'll probably come up with a solution, and in the process you would be helping a startup.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact