Website with in-depth technical description of Aztec (barcode) tickets

[Mawkie]

I stumbled upon this website today. I have to admit, I didn't understand a lot of the technical aspects of the site, but I thought if it would be of interest to anyone in the world, they would be member of this forum!

"But what data is inside the barcode of a mobile ticket, and how do they work? Could people who aren’t ticket inspectors get the data out of them? It turns out that the answer is a bit more interesting than I initially expected!"

Reversing UK mobile rail tickets

The UK has used small credit-card sized tickets to pay for train travel for years and years, since long before I was born — originally theAPTIS ticket1,which...

eta.st

 

[Skie]

That was an interesting read, thanks for posting! RDG will probably go spare over the fact she has now created a web-based ticket scanner, but it's some good sleuthing.

 

[Jamesrob637]

I'm going to Mexico this week so it might give me an insight into Aztec tickets

I'll grab my coat

 

[Facing Back]

That was an interesting read, thanks for posting! RDG will probably go spare over the fact she has now created a web-based ticket scanner, but it's some good sleuthing.

It was indeed an interesting read and thanks.

I would assume that the RDG were expecting this kind of reverse engineering - it happens everywhere. There are a few lessons to learn about privacy there.

 

[[.n]]

Agreed really interesting read

 

[mr_moo]

Most interesting. Thank you.

 

[skyhigh]

RDG will probably go spare over the fact she has now created a web-based ticket scanner, but it's some good sleuthing.

I don't see any issue with that, it's not as if it can be used to fake tickets.

What is an issue is you can see the precise scan details publicly of any ticket.

 

[Bletchleyite]

I don't see any issue with that, it's not as if it can be used to fake tickets.

What is an issue is you can see the precise scan details publicly of any ticket.

I certainly think that should be accessible to the ticket holder from the sales site used to purchase the ticket. If the railway intends to use it against someone, then they should be able to see it. It's only a quirk of how it is stored in two separate databases that prevents a subject access request being used to get it.

 

[Skie]

I don't see any issue with that, it's not as if it can be used to fake tickets.

I didn't say it would have any basis in sense or proportionality RDG, like other organisations that act as an instrument of their members interests, could quite easily send all sorts of nasty threats just to hush something up they may not like being exposed.

Though the fact there is already a fairly open app on the apple app store that can do this might indicate they really don't care. Though lets hope this prompts some official documentation, as the author states the ability to read these tickets and automate/validate some part of expense claims would actually be very useful.

 

[skyhigh]

I certainly think that should be accessible to the ticket holder from the sales site used to purchase the ticket. If the railway intends to use it against someone, then they should be able to see it. It's only a quirk of how it is stored in two separate databases that prevents a subject access request being used to get it.

Yes I fully agree with that. Allowing anyone to view that data with no restrictions is a little concerning though.

 

[Bletchleyite]

Yes I fully agree with that. Allowing anyone to view that data with no restrictions is a little concerning though.

Agreed. It could be used to e.g. stalk someone.

 

[PupCuff]

One hopes that all of the staff usernames used for scanning tickets are ID numbers and not names, just what you want is someone you've had a barmy with being able to access the scan history and see its [email protected]

 

[_toommm_]

I’ve just given this a go on my own tickets from yesterday. For the life of me I cannot get TTK app to open up my camera and start scanning. The website that decodes it doesn’t display much personal information either.

 

[subk2010]

I tried to scan my tickets that were issued on board, and it seems doesn't work?

 

[bspahh]

I enjoyed reading this blog again about getting a Prime Minister's mobile phone number from an Instagram post

When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number

Do not get arrested challenge 2020

mango.pdf.zone

 

[sor]

I certainly think that should be accessible to the ticket holder from the sales site used to purchase the ticket. If the railway intends to use it against someone, then they should be able to see it. It's only a quirk of how it is stored in two separate databases that prevents a subject access request being used to get it.

and that also brings it loosely in line with smartcards (well, anyone can read the scan data, but at least you have to be in physical possession of the card to do it).

And just as with smartcards where various TOC apps will do it for you, an "official" app to give you the pertinent information would be a bit of a pressure release valve. Much like (at one point) how the UK gov had its own apps on the stores to allow you to read the passport chip, though any number of third party apps work too.

As you say, if more monitoring/tracking is a standard part of these post-magstripe tickets, they could at least let us see what they hold on us

 

[yorkie]

The data held needs to be visible to the customer, in my opinion.

The website provided is a good start, but an accessible method of accessing the central database should also be provided; the article doesn't appear to state how one would go about doing that, but presumably they are waiting for the sensitive data to be redacted first.

 

[ainsworth74]

Fascinating! Thanks for sharing that article.

 

[mike57]

A interesting post, thanks for sharing.

It does raise some privacy concerns, once the data is out there it potentially becomes available to criminals as well as the legitimate users, one example mentioned up thread was stalking, i could think of several others.

 

[thejsa]

I’ve just given this a go on my own tickets from yesterday. For the life of me I cannot get TTK app to open up my camera and start scanning. The website that decodes it doesn’t display much personal information either.

You have to press and hold buttons for them to work; though I believe TTK may have blocked the app server-side now for devices that haven't been properly registered, so you might not be able to get the necessary decryption keys from their server anymore.