
Free Rides in Denmark: Lessons from Improperly Generated Mobile Transport Tickets

  • Conference paper
  • Secure IT Systems (NordSec 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10674)

Abstract

The term security ceremony describes a technical system extended with its human users. In this paper, we examine the inspection ceremony for the mobile transport ticket in Denmark. We find several security weaknesses that are ascribable to both the human and the computer components of the ceremony. The main vulnerabilities are due to the design choices of how the visual inspection ceremony is organised and to the lack of information stored in the 2D barcode. These vulnerabilities allow a ticket holder to travel up to 8 zones with a 2-zone subscription and enable several people to travel with the same subscription. The attack is significant because it can be automated, and rather modest skills are necessary to break the inspection ceremony. We state four principles that aim at strengthening the security of inspection ceremonies and propose an alternative ceremony whose design is driven by the stated principles.



Acknowledgement

This work is supported in part by DemTech grant 10-092309 from the Danish Council for Strategic Research, Programme Commission on Strategic Growth Technologies.

Author information

Corresponding author: Rosario Giustolisi.


Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Giustolisi, R. (2017). Free Rides in Denmark: Lessons from Improperly Generated Mobile Transport Tickets. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science(), vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_10

  • DOI: https://doi.org/10.1007/978-3-319-70290-2_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-70289-6
  • Online ISBN: 978-3-319-70290-2