As long as they don’t figure out how to take a ticket and turn it into multiple scannable tickets….
That's where I thought this was going. What's to stop them?
"inventory"
the hacker-scalpers aren't "creating" new tickets in the system, they are "referencing" existing tickets (hence the need to grab the ticket's token first).
gross generalization: a seat in a venue, for a given performance, is given an "inventory ID" of 12345. the rotating barcode system generates a new barcode every 30 seconds, but when that temp barcode is scanned it ultimately resolves to 12345. if you crack the barcode generation system, it means you can insert yourself in front of that 12345 ticket - but you can't create, say, ticket 54321 because 54321 doesn't exist in inventory. once a ticket is scanned, it's marked as "used" in inventory so you can't scan it a second (or third, or...) time.