GERMANY: Two waves of fraud have hit sellers of the Deutschlandticket monthly public transport pass, and the fightback against the criminals has been hindered by the lack of a central body with overall responsibility for the tickets.

The Deutschlandticket covers all local and regional public transport services across Germany. Other countries considering launching a similar product should learn from its mistakes, according to Nils Zeino-Mahmalat, Managing Director of VDV eTicketservice which co-ordinates standards for electronic ticketing systems in German public transport.

Speaking at the Transport Ticketing Global trade fair in London on March 4, Zeino-Mahmalat explained that while the Deutschlandticket is sold everywhere and valid everywhere, there is no central product owner. There are more than 80 regional transport associations and 700 operators across the country, and as a result the Deutschlandticket has more than 130 separate product owners.

The pass is only sold digitally, as a subscription currently costing €58 per month. There are now 14 million customers, and growing, and it accounts for more than 80% of operators’ revenues with sales of single tickets now ‘very rare’. The Deutschlandticket involves €10bn of revenue and €3bn of government support annually, which is ‘a lot of money’ and thus ‘of interest to criminals’.

Zeino-Mahmalat said ‘new products mean new responsibilities’, but these had not been legally defined. Different organisations have different levels of cybersecurity, even though ‘only one company leaving open a back door means someone can get in’.

He said there were two phases of criminal activity. The first involved individual attacks with manual processes. People bought tickets using false or stolen payment details and fraudulent direct debits, then resold them to others online. By the time the banks cancelled the payments, which took a few days, the tickets were already in the hands of passengers, and there was no mechanism to cancel the bar code tickets.

The second stage was more sophisticated, and involved ‘cyber mafia’ moving in to replace ‘the nerdy guy from next door trying to increase his pocket money’ in the first phase. Professionally organised criminal groups with access to ‘cyber crime as a service’ tools made automated attacks, and convincing fake ticket selling websites were set up.

Spelling error

It was recently realised that a private key used to create valid Deutschlandtickets had fallen into the hands of fraudsters. This was discovered when a ticket inspector noticed a spelling mistake in a seemingly authentic pass. Following an investigation, it became clear that the process of generating the ticket had been compromised. ‘It’s still not clear how this happened’, said Zeino-Mahmalat. ‘No-one knows where this backdoor was.’

Measures now being taken to address the problems include the use of account authentication and AI-based fraud detection when selling tickets. A national hotlist is to be established, which all retailers will be able to use to stop fraudulent sales, while VDV eTicketservice’s MOTICS technology is to be deployed. This provides stronger security than the UIC barcode alternative by preventing copying. There is also nationwide monitoring in place to see the extent of fraud.

Zeino-Mahmalat said the German experience provides two lessons for countries looking to launch similar products. The first is to have one product owner with clearly defined responsibilities. The second is to make proper investment in IT security.

‘You are facing the cyber mafia’, he warned. ‘You have to be strong enough to get the battle won.’