0

The bus company that I use (Arriva UK) is trying to persuade passengers to switch from buying paper tickets to tickets stored on their app. They are particularly pushing this for 'bus passes': tickets that allow you to take any bus in a given area for a week, 4 weeks or 1 year.

Passes must be purchased in advance and are then displayed on exactly one device linked to your account. You can only switch device by e-mailing customer services.

When you open a ticket or pass in their app, it displays the time until ticket expiry and a QR code which changes every so often (so it's presumably a pass ID hashed with a timestamp). When you board the bus, your QR code is scanned (otherwise you must pay and claim a refund by e-mail).

However, you can only open a ticket or pass with a live Internet connection. At bus stops, this usually means using mobile data. Once the ticket is opened, you can usually access the ticket until you close the app (even without data), but you can't rely on this working.

This process regularly fails because passengers can't get a reliable data signal at every bus stop, as hundreds of reviews attest. It also forces you to buy an expensive data package, because if you run out of data you can't use your expensive bus pass either.

So why does the bus company insist on having a live Internet connection in order to use the pass?

I realize you might need a connection to download the pass once, but surely then the key that you need is stored? After all, smart cards don't have their own Internet connection and they are used for hundreds of millions of journeys every day.

I know that the bus company is worried about people trying to scan screenshots of someone else's ticket. I have been accused of doing this by a bus driver, when the problem was just that my phone couldn't get signal. Surely using a code that's a hash of passenger account number, IMEI (which is fixed since the pass is tied to one device), and timestamp would avoid any such attempt at fraud?§ That could be calculated both by the phone and the bus' QR scanner.

I am thinking about asking the local council (which subsidizes bus services) to try to get the app changed but want to campaign for something that's actually workable for both the company and passengers.

EDIT: The buses should all have an Internet connection, because they have free WiFi for passengers.

§ How tickets could be checked without a live Internet connection

  • The phone app encrypts the account number and IMEI using the current timestamp (e.g. the current minute) and the bus company's public key and puts it into a QR code.
  • The bus reader decrypts the code using the current timestamp and the company's private key.
  • If the code decrypts to gibberish (malformed account number/IMEI), then reject (the timestamp must be wrong or it's another bus company).
  • If the code decrypts to a valid (correctly-formed) account number, compare it to the reader's internal database (updated whenever it does have a good data signal). If the account has a pass for this route and the correct IMEI then accept, otherwise reject.
  • If the QR code is a screenshot, then the timestamp will be wrong (given the amount of time it takes to take and forward a screenshot).
  • If the phone user's pass has expired, then it won't match the internal database. If the user is trying to use the same pass on multiple devices, then the IMEI won't match the database.

Isn't this sufficiently safe against fraud?

Matthew

2 Answers

3

I suspect this internet usage requirement has more of a data-collection reason than validation. It can work without an internet connection, and I don't think scanning other people's QR codes would be an issue.

The QR-code on your app should have your account number and timestamp. It can even store tickets' serial numbers for offline usage, and only create the QR-code when needed.

If the valid window for that timestamp is short enough (30 seconds, for example), it will not be practical for someone to take a picture of someone trying to board and use that for paying the fare. And the company should not be concerned if someone far away screenshots their own code and sends it via messaging apps to someone else. The company will get paid the same, unless this fare is a subsidized one (student, elderly fare).

The company could create a WIFI hotspot on each bus that only accesses its own systems, so everyone could connect to it and use the connection to validate the fare and nothing else. That would not be expensive, and would not require all customers to pay for internet connectivity to use the bus.

ThoriumBR
1

A hash of the passenger account number, IMEI and time stamp won’t work, because the bus driver’s app has no way to independently verify the account number or IMEI for the phone on which the scanned image is being displayed. What you need to do is include in the hash a random key that changes very frequently, which both the customer’s app and the driver’s app can download at the point where the ticket is scanned. That way, the driver’s app can be sure that the code it’s scanning was just created. And that’s why you need an Internet connection.

Mike Scott
  • Thank you for your reply. But I don't understand why the driver's app needs a freshly downloaded, random key to be sure that the QR code was just created. Why isn't the current time good enough? If a cheat shows a QR code screenshotted from someone else's phone, then it would have an outdated timestamp and fail the check. Do you have in mind another form of fraud that I have missed? If so, I would be grateful for an explanation. I have updated the question to explain how a timestamp would guard against all the fraud that I can think of. – Matthew Aug 30 '21 at 14:26
  • 1
    @Matthew If it’s just a time stamp, I can set the clock on my phone forward a day and give QR codes to all my friends that will look as if they’re fresh when they use them tomorrow. – Mike Scott Aug 30 '21 at 14:32
  • Thank you, it's a good point. In order to work, it requires the cheat to know in advance exactly what minute their phone will be scanned. If I knew when the bus would arrive to a precision of one minute, then I would be very happy!! But you are right to point out that this is a theoretical possibility, though I am not convinced that it is a real problem given the threat model (buses do not run to such precise timetables, and you may not be at the front of the queue). – Matthew Aug 30 '21 at 23:59
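
The offline check sketched in the question, together with the limitation raised in Mike Scott's comment, as an added example (not part of the original posts and not the bus company's implementation). It swaps the question's public-key encryption for an HMAC under a per-pass secret assumed to be provisioned when the pass is first downloaded; `make_code`, `check_code`, the record layout and all sample values are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per time step (the question's "current minute")

def make_code(account: str, device_id: str, secret: bytes, now: int) -> str:
    """Phone side: QR payload for the time step containing `now`."""
    msg = f"{account}|{device_id}|".encode() + struct.pack(">Q", now // STEP)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]  # 64-bit tag
    return f"{account}:{tag}"

def check_code(code: str, passes: dict, now: int, skew_steps: int = 1) -> str:
    """Reader side: validate against the cached pass database, no network."""
    account = code.partition(":")[0]
    record = passes.get(account)
    if record is None:
        return "reject: unknown account"
    if now > record["expires"]:
        return "reject: pass expired"
    # Tolerate small clock drift between phone and reader.
    for drift in range(-skew_steps, skew_steps + 1):
        expected = make_code(account, record["device_id"], record["secret"],
                             now + drift * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return "accept"
    return "reject: stale code or wrong device"

# Constructed sample data: what the reader synced when it last had signal.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSES = {"AC1001": {"device_id": "DEVICE-A", "secret": SECRET,
                     "expires": 1_700_600_000}}
T0 = 1_700_000_000

def demo() -> dict:
    fresh = make_code("AC1001", "DEVICE-A", SECRET, T0)
    ahead = make_code("AC1001", "DEVICE-A", SECRET, T0 + 86_400)  # clock +1 day
    return {
        "fresh": check_code(fresh, PASSES, T0 + 20),
        "screenshot_10min_old": check_code(fresh, PASSES, T0 + 600),
        "other_device": check_code(
            make_code("AC1001", "DEVICE-B", SECRET, T0), PASSES, T0),
        "after_expiry": check_code(fresh, PASSES, 1_700_600_001),
        # Time is the only freshness input, so the reader cannot tell a code
        # computed in advance from one computed at the stop (comment above).
        "ahead_checked_now": check_code(ahead, PASSES, T0),
        "ahead_checked_next_day": check_code(ahead, PASSES, T0 + 86_400),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

The last case is why the second answer wants a value the phone cannot know ahead of time: a reader-issued nonce closes that gap, at the cost of a live exchange at the point of scanning.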