Would there be any foolproof alternative to allow for offline ticket creation in a mobile app when that app can be reverse engineered?
- Phone registers public key with backend during signup.
- Phone generates ticket signed with private key.
- Backend checks signed ticket against registered public key to charge customer.
Fraud is still possible but limited to individual customer accounts.
- Phone displays the generated ticket to the ticket scanner in the bus.
- The scanner connects to the backend to verify the ticket.
This way the phone can remain offline after registration, and only needs to get online to send money for your account.
I see no way for possible fraud as in fact all the ticket is doing in that case is to verify your identity to the server.
Now how can we do the same thing but without revealing your identity, but just verifying that you paid?
I think the signed ticket scheme would have been better used for redeeming already issued tickets or tickets to identity verified previously.
Issuing a ticket with pre-signed identity token is essentially a good faith transaction - it is not guaranteed to be valid end to end - but you can compare against a blacklist of identities at redemption time to limit the impact of someone abusing the system.
The commuter rail lines in New York want to charge a premium for issuing a ticket onboard so they have this whole scheme where you have to activate an e-ticket before you leave the station and then it’s only good for an hour, and 90% of the time they don’t validate it - just see that a QR code is on your phone - the other ten percent of the time they want you to swipe or do something to prove it’s not just a screen shot. It can lead to a lot of drama in areas where the cell service is weak or none, or accidentally closed the app, and people don’t have cash on them. I think signing the tickets could solve a lot of the drama. If the conductor has internet connectivity he can validate and redeem tickets in real time, if not then the conductor can validate in real time, make sure no one else on the train has a duplicate ticket, and redeem in bulk when they get into cell range again.
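The scheme discussed in the comments above (a public key registered at signup, tickets signed offline on the phone, a scanner that verifies without connectivity, rejects duplicates and queues tickets for bulk redemption), as an added Go example that is not code from the thread or from any transit operator. The `Ticket` layout, the `ticket-v1` message format, the account name and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Ticket is what the phone shows as a QR code (field layout is an assumption).
type Ticket struct {
	Account string
	Serial  uint64 // per-account counter kept by the phone
	Sig     []byte
}

func msg(account string, serial uint64) []byte { // %q quotes the account so fields cannot run together
	return []byte(fmt.Sprintf("ticket-v1|%q|%d", account, serial))
}

// Scanner is the conductor's device; Keys is synced from the backend while online.
type Scanner struct {
	Keys    map[string]ed25519.PublicKey
	Pending map[string]Ticket // accepted tickets, charged in bulk once back in coverage
}

// Issue runs on the phone with no network access.
func Issue(priv ed25519.PrivateKey, account string, serial uint64) Ticket {
	return Ticket{account, serial, ed25519.Sign(priv, msg(account, serial))}
}

// Check verifies offline and refuses a second presentation of the same ticket.
func (s *Scanner) Check(t Ticket) string {
	m := msg(t.Account, t.Serial)
	pub, known := s.Keys[t.Account]
	if !known || !ed25519.Verify(pub, m, t.Sig) {
		return "invalid"
	}
	if _, dup := s.Pending[string(m)]; dup {
		return "duplicate" // e.g. a screenshot shown by a second passenger
	}
	s.Pending[string(m)] = t
	return "ok"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key; nil selects crypto/rand
	s := &Scanner{Keys: map[string]ed25519.PublicKey{"alice": pub}, Pending: map[string]Ticket{}}
	t := Issue(priv, "alice", 1)
	fmt.Println(s.Check(t), s.Check(t)) // the same QR code presented twice
}
```

Signing a fresh serial always yields another valid ticket, so this bounds fraud to the registered account rather than preventing it, and a ride that is never scanned never reaches `Check`.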
Issue an asym key to a user upon them registering their official bank details. Backend holds one side of it (not sure whether to call this the pub or priv).
User uses the asym key to sign a message and shows that message to the inspector (in reality, QR code or similar).
If the user cheats you go after the account holder behind the key for reconciliation.
edit: Doesn't work as you need to enforce buying even if unchecked.
What does work is providing a way to check-in and out of transport via gates or poles not under the control of the traveller with a token like the Oyster card.
Now when offline, they can create their tickets by linking a token to a fare and sign that with their private key.
At check-in, collect those tickets and when online again, charge the credit card.
Also, historically bus tickets do not exist to keep passengers honest. They exist to keep the drivers honest. A valid ticket tells the bus company that the driver isn't taking passenger money but not declaring that money to the bus company.
Alternatively, Apple Pay works offline for NFC transactions - I've not tried doing an in-app purchase offline but that might work too.
The vehicle ticket scanner would log all tickets and make sure they were charged.
So basically, as you can sign the same token many times with different time values, there is no solution for the offline-generate and offline-use scenario.
The UK makes travelling by public transport as tedious as possible.
This is trolling, right?
I.e. those not on benefits, over the age of 18, under the age of 60 etc.
Now count how long the bus idles while people line up so the driver can validate their ticket / check they tapped in on their Oyster card.
Now add in all of the infrastructure and staff required to collect fees and account for them.
Then add in all of the external costs of charging for public transport (more cars, less productivity).
The argument for charging isn’t that strong.
You mention Oyster cards so I'll assume you're talking about London in which case the operator (TfL) clearly states that "Fares are the single largest source of our income (projected to be 47% in 2019/20)". [0]
This income more than covers the operational costs, with the difference being used to support new infrastructure projects and upgrades such as the Elizabeth Line (as well as concessions for students, the elderly, etc).
Clearly there is a very strong argument for charging.
[0] https://tfl.gov.uk/corporate/about-tfl/how-we-work/how-we-ar...
Long distance: Paid
Urban FDB: Free
Urban ADB: Paid
Why do you think people claiming benefits get free transport?
Free public transport just means that you pay for it through another way, and most likely means that you remove the "use tax", thus increasing the contribution from people who don't actually use public transport.
Because their position is naive and lacks any serious economic or political justification. Even assuming that their beliefs are sincerely held, this would not be the correct course of action to go about inciting change.
It may bring them more publicity through the media that will talk about them, but they are also labeling this cause as being the criminal side... which isn't really good (that's actually the strategy that multiple governments use to push their agenda, making the opposite side seem like they are infringing the law).
Under the covers, it's an invitation to have a go at transport operators who are unpopular and have a reputation for offering low-quality services at high cost.
[0] https://en.wikipedia.org/wiki/Farebox_recovery_ratio
Still I agree that public transportation is a common good and I'm happy to live in a country with above-average networks (both at the local and national levels).
http://2dpue32kldx6sm24r2lbisilqhzlglffssgyjgqwwq7masm74rliw...
I'm not sure if I'm allowed to post this on HN – I think it should be legal to post a link.
Although, it redirects after a few seconds, but you should be able to see the link.
Introducing a fixed price gates the poor the most (eg. a wealthy individual can afford to spend a couple hundred pounds on a yearly subscription without much thought), and often incentivises trade-offs in favour of individual transportation (i.e. cars), which is less desirable in terms of pollution and traffic.
The poor already get free travel. As do pensioners.
Not questioning the title of the HN post, rather, wondering if I missed something going on I have missed in the news which would justify the term (instead of "hackers" or, even "security researchers", though the latter seems to stretch the definition of responsible disclosure).