Abstract
The term security ceremony describes a technical system extended with its human users. In this paper, we examine the inspection ceremony for the mobile transport ticket in Denmark. We find several security weaknesses that are ascribable to both the human and the computer components of the ceremony. The main vulnerabilities stem from the design choices of how the visual inspection ceremony is organised and from the lack of information stored in the 2D barcode. These vulnerabilities allow a ticket holder to travel up to 8 zones with a 2-zone subscription and enable several people to travel with the same subscription. The attack is significant because it can be automated, and only modest skills are needed to break the inspection ceremony. We state four principles that aim to strengthen the security of inspection ceremonies and propose an alternative ceremony whose design is driven by the stated principles.
Acknowledgement
This work is supported in part by DemTech grant 10-092309 from the Danish Council for Strategic Research, Programme Commission on Strategic Growth Technologies.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Giustolisi, R. (2017). Free Rides in Denmark: Lessons from Improperly Generated Mobile Transport Tickets. In: Lipmaa, H., Mitrokotsa, A., Matulevičius, R. (eds) Secure IT Systems. NordSec 2017. Lecture Notes in Computer Science(), vol 10674. Springer, Cham. https://doi.org/10.1007/978-3-319-70290-2_10
DOI: https://doi.org/10.1007/978-3-319-70290-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70289-6
Online ISBN: 978-3-319-70290-2