• Our booking engine at tickets.railforums.co.uk (powered by TrainSplit) helps support the running of the forum with every ticket purchase! Find out more and ask any questions/give us feedback in this thread!

Why do you need a smartphone for a 26-30 railcard?

Status
Not open for further replies.

tobiast

Member
Joined
10 May 2019
Messages
27
I'm 26, but I - and I'm not alone in this - don't possess an expensive smartphone. Why do those like me need to get one in order to get a railcard, when all the other railcards can be bought as an actual 'card'? This also seems to preclude those who most need the railcard for financial reasons from getting one!

I have started a petition calling for this to change; please sign it if you agree with me:

https://you.38degrees.org.uk/petitions/let-26-30-year-olds-get-a-railcard-without-a-smartphone
 
Sponsor Post - registered members do not see these adverts; click here to register, or click here to log in
R

RailUK Forums

tobiast

Member
Joined
10 May 2019
Messages
27
My reasons for not having a smartphone aren't financial - but I believe that for some this will be a factor.
 

30907

Veteran Member
Joined
30 Sep 2012
Messages
17,866
Location
Airedale
Welcome and good luck!
Railcards are a commercial product of the rail companies, although government has tried to take credit for this one, so the logic is - if you can't afford a smartphone, you probably can't afford to spend more than you do now on rail travel, so we're not interested in selling you one. Rightly or wrongly, they are not intended to subsidise your leisure travel.
(ISTR reading that none of the Railcards make a profit for train operators, but they were made mandatory at privatisation.)
 

Samuel88

On Moderation
Joined
20 Jan 2017
Messages
385
Welcome and good luck!
Railcards are a commercial product of the rail companies, although government has tried to take credit for this one, so the logic is - if you can't afford a smartphone, you probably can't afford to spend more than you do now on rail travel, so we're not interested in selling you one. Rightly or wrongly, they are not intended to subsidise your leisure travel.
(ISTR reading that none of the Railcards make a profit for train operators, but they were made mandatory at privatisation.)
I thought that's what Railcards WERE meant for?
 

ForTheLoveOf

Established Member
Joined
7 Oct 2017
Messages
6,416
I'm 26, but I - and I'm not alone in this - don't possess an expensive smartphone. Why do those like me need to get one in order to get a railcard, when all the other railcards can be bought as an actual 'card'? This also seems to preclude those who most need the railcard for financial reasons from getting one!

I have started a petition calling for this to change; please sign it if you agree with me:

https://you.38degrees.org.uk/petitions/let-26-30-year-olds-get-a-railcard-without-a-smartphone
It's simply the first Railcard that has been made digital-only. In the long term it is no doubt the ambition of the train companies to decrease overheads by moving to a digital-only Railcard system, but I see a fully digital system many years away (not only from the glacial pace of change within the rail industry, but from the fact that people still want physical Railcards).

I don't disagree with your sentiment - especially in view of the fact that the current, awful implementation of Railcards is such that all the risk of failure is on the passenger, with no rights or safeguards if the app breaks (as it has done numerous times already). But at the end of the day, Railcards are, other than a limited subset of all those available, a commercial product. They are there to ultimately make the train companies more money, not less. So they are quite happy to exclude people such as you in avoiding the costs of rolling out paper/card 26-30 Railcards.
 

SussexMan

Member
Joined
23 Oct 2010
Messages
476
Not that it might help the OP but is the Railcard App fully accessible to disabled people, particularly visually impaired people?
 

yorksrob

Veteran Member
Joined
6 Aug 2009
Messages
38,818
Location
Yorks
It's a stupid idea making any railcard digital only, regardless of what the industry apologists say.

Why should the 26 - 30 year olds have to buy a piece of electrical tat, rather than just have a railcard. 21st century nonsense.
 

yorkie

Forum Staff
Staff Member
Administrator
Joined
6 Jun 2005
Messages
67,430
Location
Yorkshire
Because they can get away with it with younger people. If they tried it with Senior Railcards there'd be uproar of course.
Not that it might help the OP but is the Railcard App fully accessible to disabled people, particularly visually impaired people?
If not, I suspect they can get away with this one by saying anyone affected would qualify for a Disabled Railcard, which doesn't have to be digital.
 

bb21

Emeritus Moderator
Joined
4 Feb 2010
Messages
24,151
It's a stupid idea making any railcard digital only, regardless of what the industry apologists say.

Why should the 26 - 30 year olds have to buy a piece of electrical tat, rather than just have a railcard. 21st century nonsense.
They don't have to. No one forces them to.
 

sor

Member
Joined
15 Nov 2013
Messages
405
I have a smartphone. I have a 26-30 railcard.

I completely agree that it is stupid to be digital only, given that the ticketing laws haven't caught up with it. No provision for lost or broken phones, no provision for phones with flat batteries, no provision for when the railcard app seems to have deleted your railcard - as happened to me at the exact moment an RPI wanted to see it. Fortunately she was happy to come back later once I'd redownloaded, could possibly have gone a lot worse

What's wrong with an actual plastic card? Or, to be a bit more 21st century, both digital and plastic at the same time? At least then I don't have to keep my phone on its battery saver mode as I did recently on a day trip
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,533
Location
"Marston Vale mafia"
The digital thing is fairly cack-handed, giving a need to switch between apps to have your ticket checked. I'd rather a plastic one too.

I wouldn't mind it being an online account where I could buy tickets and the ticket itself would (with photo ID) constitute the Railcard, though.
 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
1,704
Location
Warks
>I completely agree that it is stupid to be digital only, given that the ticketing laws haven't caught up with it. No provision for lost or broken phones, no provision for phones with flat batteries, no provision for when the railcard app seems to have deleted your railcard - as happened to me at the exact moment an RPI wanted to see it.

+1. It's very much a "you're screwed if you can't show your railcard at the exact moment an RPI/conductor asks for it"*. This is silly, because:
  • There's a perfectly good database that the phone app pulls data from in order to display your railcard. There's no reason railcard validity couldn't be checked by e.g. postal or email address and tied to a person instead of a physical object. There is no reason to issue a fine if there is proof that the customer held a valid railcard at the time of travel.
  • Requiring the customer to present an easily faked screen to a member of staff who relies on visually checking the details is subject to fraud. It doesn't add any appreciable security to the process. It is equivalent (or perhaps even worse than) to a plastic card in this respect.
* With the possible exception of the first time you forget your railcard.
 
Last edited:

Ianno87

Veteran Member
Joined
3 May 2015
Messages
15,215
I wonder if you polled a sample of actual 26-30 Railcard users (as opposed to those on this forum), how many 'real' people are actually so aversed to a Digital-only Railcard. I bet it's not that many.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,533
Location
"Marston Vale mafia"
I wonder if you polled a sample of actual 26-30 Railcard users (as opposed to those on this forum), how many 'real' people are actually so aversed to a Digital-only Railcard. I bet it's not that many.

I'm only averse to how cack-handed the implementation is. Same as M-tickets - I'm totally fine with e-tickets and indeed proposed the concept some time ago to views of "no, that won't happen" - then it did.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,013
Location
UK
  • Requiring the customer to present an easily faked screen to a member of staff who relies on visually checking the details is subject to fraud. It doesn't add any appreciable security to the process.

Is it easy to fake? There are a lot of security measures in place I thought?
 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
1,704
Location
Warks
Is it easy to fake? There are a lot of security measures in place I thought?
Getting slightly off-topic here, but the last time I used the app, there was no barcode in place. Hence, the entire system was reliant purely on code running on the phone. Such a system is doomed from the start when it comes to security. I don't know if this has changed recently, but until conductors/RPIs are scanning barcodes displayed by the app and actually checking for a purchase record in the database, the usefulness of the system is limited.

It is my opinion that it would be straightforward to write your own implementation of the JSON API that the Digital Railcard app uses, patch the bytecode in the app to talk to your own service and repackage/reinstall it onto your phone. The result would be pixel-perfect and indecipherable from a real railcard displayed in the official app, because it would be rendered with the app's own code.

Disclaimer: I have previously worked in the information security sector, so security of systems like this is personally interesting to me from a technical perspective - but I do want to point out I hold a genuine, valid 3 year railcard. Taking the above route to deliberately defraud TOCs is unethical and illegal, and a falsified card would not hold up to any extended scrutiny from ATOC.
 

cjohnson

Member
Joined
3 Sep 2009
Messages
597
Getting slightly off-topic here, but the last time I used the app, there was no barcode in place. Hence, the entire system was reliant purely on code running on the phone. Such a system is doomed from the start when it comes to security. I don't know if this has changed recently, but until conductors/RPIs are scanning barcodes displayed by the app and actually checking for a purchase record in the database, the usefulness of the system is limited.

The app displays a QR-style code, and the FAQs state that it will work offline but only provided the device has connected to the internet within the past 24 hours. There also seems to be provision for the railcard to be “blocked” if suspicious activity is detected, so presumably there is some reliance on code running other than on the phone itself.
 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
1,704
Location
Warks
The app displays a QR-style code, and the FAQs state that it will work offline but only provided the device has connected to the internet within the past 24 hours.
Ah, good - this is the critical part! This must be reasonably new (I never saw it with my digital railcard which expired this spring and was replaced with a physical card). Hopefully these are being scanned, which should prevent most fraud.

the FAQs state that it will work offline but only provided the device has connected to the internet within the past 24 hours. There also seems to be provision for the railcard to be “blocked” if suspicious activity is detected, so presumably there is some reliance on code running other than on the phone itself.

Yes indeed, but as I mentioned this is reliant on talking back to the digital-railcard API. If an attacker is subverting that by having the app get its data from elsewhere, none of these controls really matter (and I'm sure it's pretty easy to patch out the offline check too).
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,013
Location
UK
Some early 'cards' didn't have the QR code but staff can take down the details and request the account is fixed. Or I guess the card owner can?

There's a moving image too isn't there? To stop someone showing a screenshot if the card is faked, expired or blocked.
 

Adam Williams

Established Member
Joined
2 Jan 2018
Messages
1,704
Location
Warks
There's a moving image too isn't there? To stop someone showing a screenshot if the card is faked, expired or blocked.
Yup, you're quite right - there's a moving image + I think an interactive element (I think if you tap the graphic in the corner a few times it'll spin). Plus they set FLAG_SECURE on the activity which will prevent the user screenshotting it/recording it on compliant builds of Android.

None of these measures are effective in the same way as the barcode though, because you're still trusting the user's device. They'll defeat the most basic attacks.
 

smsm1

Member
Joined
3 Nov 2015
Messages
196
My Family Railcard has a barcode. The National Rail logo has a wavy background which moves, and double tapping it means it flips round.

I've seen guards scan the Railcard barcode before for other people, but not on my own use of it. With the previous set of phones the guards found that the scanning was so slow it took too long. When the phones were upgraded it became fast enough to be able to scan a trainful of passengers, however there could still be improvements due to the switching between apps for barcode and smartcard scanning.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
15,980
Location
0036
Yup, you're quite right - there's a moving image + I think an interactive element (I think if you tap the graphic in the corner a few times it'll spin). Plus they set FLAG_SECURE on the activity which will prevent the user screenshotting it/recording it on compliant builds of Android.
I’m glad iOS doesn’t have a screenshot disabling function which app developers can use. 90% of the implementations I’ve seen in Android apps have been rather annoying.
 
Status
Not open for further replies.

Top