Cyber secure ticketing

Cyber secure ticketing

As people become increasingly mobile, agile and connected, Internet-based crimes are on the rise and identity has become a very lucrative target…




Fraudsters capitalize on identity information hidden just behind security breaches which has resulted in an increasing number of attacks in the recent years. According to the latest Price Waterhouse Cooper reports, the number of security incidents increased by 34 per cent from 2013 to 2014 and by 38 per cent  from 2014 to 2015.

What this means for ticketing

Fare collection systems have been facing tremendous changes from paper tickets to magnetic tickets, from smart tokens to smart tickets and cards and from cash handling to cashless payments. Banks provide new contactless features on their bank cards, and the fare collection industry is now moving towards processing payment directly at gates and validators, without the intermediate fare purchase step.

It means seamless trips without queuing for a ticket. It means straight access to the turnstiles without looking for a specific media, but just using the bank card or the smart phone. It is also means more flexibility for the transport operator with centralized processing for payment, trip reconstruction, fare policy setup, etc.

Technically, it means moving from a card-centric system where the fare products are in the transit cards to a back office centric system where the fare products are centralized in a back-office system, duly connected to gates and validators in every station and every bus or tram.

This move creates major changes as far as privacy, compliance to standards and of course security is concerned.

Key areas at stake 

The migration from a legacy card-centric system towards the back-office system, also called Account Based Ticketing, makes ticketing systems subject to more cyber-attacks, and changes the standard, specification and regulatory landscape.

Current legacy ticketing specifications such as Calypso, UK ITSO, VDV Core Application, Dutch SDOA will be impacted. Data anonymization and encryption operations will be added to the transactions.

Web Customer Portal

Account Based Ticketing requires to authenticate securely the customers and to protect their data during the exchanges and storages.

What are the new threats?  

An account based ticketing system is a centralized system, relying on large communication networks and new interfaces like an online ticket office. This can lure the sort of people who enjoy interfering with fare collection systems and see causing security issues as a challenge. It can also attract cyber criminals interested in making money from the sale of customer’s personal data.


A typical scenario 

Pharming – a fake website where the customer is invited to give his personal data to enter his account

remote access trojans – where criminals take advantage of high-profile security breaches to get in touch with individuals and trick them into installing remote access trojans

cross-site scripting – where criminals use client-side code injection to execute malicious scripts into a public transport agency website. The attacker exploits vulnerabilities within the website or web application as a vehicle to deliver a malicious script to the victim’s browser.


Targeted attack  

A targeted attack is often more damaging. It is specifically tailored to attack a dedicated system with the most popular being a technique called spear-phishing. This is where the attacker sends an email to a targeted individual that contains an attachment with malicious software, or a link that downloads malicious software.

An attack on a rail service would be a DDOS (distributed denial of service) with the aim of creating revenue loss or safety issues. For example, all access gates being blocked at peak time in the most crowded station.


Security tips

First, it is a question of design. At any step of the development, state of the art design rules must be applied. Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

Web applications enable new avenues of attacks by making use of complex, asynchronous client side-scripts, and by combining services across domains. It is far more effective to test web applications through end-to-end checks, rather than through various intermediate checks.

Secure the network by managing passwords, securing privileged access, ciphering the exchanges, and tracing connections.

Key management and key usage should be separated duties. Keys should not be stored in the cloud but maintained by the cloud consumer or trusted key management provider.


Financial data protection

Fare collection systems need to be PCI-DSS certified to accept contactless bank cards as fare media. It is recommended to limit the scope of the audit by using anonymization technics (tokenization) and encryption methods. This would minimize costs, effort and risk.

Personal Data protection is ruled by local laws and each country has its own privacy rules. In addition, some laws, such as those in European countries, protect citizen data even if they are outside their territory.


Cryptography can be used to create trusted digital credentials to strongly authenticate users, devices and applications. It can also render data unreadable by only allowing access to authorized, dedicated users. Where other security technologies such as anti-virus, firewalls and monitoring systems protect data indirectly by protecting the IT infrastructure, cryptography, and in particular encryption, goes deeper and protects the data itself within the data centre, within the cloud and everywhere in between.

Cloud security

Cloud access security brokers (CASBs) are placed between cloud service consumers and cloud service providers to combine and interject client security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement including authentication, single sign on, authorization, credential mapping, device profiling and encryption.

Applied individually or together, these techniques provide solutions for many of the major threats to cloud security.

At the heart of any system that relies on the use of cryptography is the topic of key management – the processes for protecting, administering and controlling the use of cryptographic keys.


Suitable business model  

In 2008 the most popular MiFare Classic chip was hacked. Today, millions of MiFare Classic cards are in use in bus and metro systems across the world.

Most transport companies are simply waiting for the their MiFare systems to expire before replacing them. In many cases, they have already selected a new type of smartcard, implemented a new data layout and are ready to deploy their new system in case they detect a massive attack.

This example shows that investments in security are usually always aligned with risk mitigation. Privacy rules are becoming stricter, however, with possible high penalties, applicable standards are more and more costly and cyber-attacks are rising.


It is time to reassess the importance of cyber security, analyse the risks, the costs and the benefits and decide on where to invest.

There is no zero-risk system, but cyber insurances can offer protection against security failures or privacy breaches by combatting the ever-evolving nature of cyber-attacks.

Etienne Chevreau – Thales

2016-11-30T12:35:56+00:00 December 1st, 2016|DECEMBER 2016|