Booking-style example

This page gives a worked example for scarce-inventory transactional systems: appointments, ticketing, reservations, and similar services.

Throughout the project a mid-sized company running a booking-style transactional system — ticketing, reservations, appointment scheduling — anchors the abstract claims. It has the properties that make bot pressure an operational problem rather than a theoretical one: limited inventory or capacity, transactions with real value, a web/mobile interface as the primary surface, and limited in-house security capacity.

Most of the OAT events from the threat model have a concrete reading against this system: scalping and denial of inventory against limited slots, credential stuffing against the account layer, scraping of availability and pricing, and API abuse against the booking endpoints (OWASP; OWASP, Automated Threat Handbook v1.3).

The example is illustrative, not constitutive — the analysis aims to be general — but the register now grounds it in documented cases rather than hypotheticals. The fullest is Ticketmaster v. Prestige Entertainment (US federal litigation, 2017–2019), which maps the worked example almost line for line: Ticketmaster alleged that the defendants used bots and dummy accounts to buy scarce tickets faster than any human could and resold them for profit — estimating at least 313,528 orders across roughly 9,000 accounts over some twenty months, and 30–40% of inventory on certain shows — and the 2019 settlement permanently enjoined the use of ticket-bot software and the circumvention of CAPTCHA and purchase-limit controls (Ticketmaster v. Prestige 2018–2019). The caveat is the kind that matters here: those figures are Ticketmaster’s own estimates, accepted as pleaded for a procedural ruling, and the outcome is a settlement, not a trial finding or measured traffic.

The same pattern recurs across settings and evidence types: a public-sector near-match in the DVSA’s account of automated booking and reselling of driving-test slots (DVSA 2023), and a US enforcement record in the FTC’s first BOTS Act cases (FTC 2021). The Taylor Swift Eras Tour presale is an instructive counter-case — Live Nation testified to a US Senate hearing that bot pressure forced it to slow the on-sale, while also stating that the bots did not acquire tickets (U.S. Senate Ticketmaster hearing 2023); it shows both that failed automation can still degrade a service and that a platform blaming bots for a failure is contested testimony, not a verified cause. Together these evidence that the pattern occurs and how it is fought — not how prevalent it is.

Next: Adversary model

Sources used on this page

  • DVSA 2023 — DVSA / Ryder (2023). How we’re dealing with bots and the reselling of driving tests.
  • FTC 2021 — Federal Trade Commission (2021). FTC Brings First-Ever Cases Under the BOTS Act.
  • OWASP — OWASP Foundation (n.d.). Automated Threats to Web Applications (project page).
  • OWASP, Automated Threat Handbook v1.3 — OWASP / Watson, C., & Zaw, T. (2026). Automated Threat Handbook: Web Applications v1.3.
  • Ticketmaster v. Prestige 2018–2019Ticketmaster L.L.C. v. Prestige Entertainment, Inc. et al., C.D. Cal. (motion-to-dismiss order 2018; settlement 2019), with Proskauer settlement summary and Ballon legal-treatise context. Litigation allegations and settlement, not trial-proven fact or measured traffic.
  • U.S. Senate Ticketmaster hearing 2023 — Berchtold (Live Nation) and Bradish (American Antitrust Institute) testimony, US Senate Judiciary Committee, 24 Jan 2023, with Guardian reporting. Contested public testimony; core bot-volume claims are the platform’s own.