
I recently purchased tickets via SeatGeek and was provided a link to one of these barcodes, which accepted as a querystring parameter an access token that seemingly had a long expiration attached to it. It was hosted on “downloadmytickets.com”, which doesn’t look legitimate and caused me to do this same type of analysis to see how it all worked. Whether or not this was a way to bypass the “security” to enable sale via third parties, or just a very untrustworthy-looking official domain, I don’t know. But in the end it worked fine at the venue. Definitely more stress involved than I would have liked though.



Yes, these systems are getting more popular recently. I believe they are typically being run by large ticket broker platforms.

I don't know about the specific site you mentioned, however the large broker platform Automatiq runs a number of domains like this, where they effectively proxy the original ticket token, recreate it with TOTP just as in this article, and display it to any user who has the right link in a similar format to how TM displays it. They advertise this service as "Transferless Delivery" to their ticket reseller customers. The main Automatiq one is called "secure.tickets".

It reduces work for sellers, because they never even have to transfer the tickets out of their Ticketmaster account anymore. Of course, it's horrible for buyers because they have no idea whether the random website link they were sent is actually going to serve them a barcode corresponding to a real ticket or not, or whether the site will be up, and they have no rights to the ticket as far as the primary ticket issuer (TM) is concerned. Buyers don't even know the name on their own tickets.

SeatGeek and StubHub seem to be aware of these systems because of how closely they work with ticket brokers, and just coach customers to accept them if they are from any of the domains known to them. See https://support.seatgeek.com/hc/en-us/articles/2074030716443... The Automatiq site is called out specifically on that page.



