Taking a Stand Against Ticket Fraud: Germany Strengthens Public Transport Security
By: R. M. Amar
Social Media Links: Facebook Twitter WhatsApp Email Print Copy Link
Enhancing Germany's Ticket Security Against Forgery
The funding for the Germany ticket is all set for the current year. But is it also secure? Months of unchecked ticket fraud have finally come to light. Thousands of fake tickets were sold, leading to substantial damages for the transport industry.
Two years old now, the Germany ticket has taken the nation by storm. With this affordable subscription, a journey on buses and trains within local public transportation stretches from the Baltic Sea to Lake Constance, from the Oder to the Rhine, and from the Zugspitze to Sylt.
Although the cost of the Germany ticket shot up to 58 euros this year, it's more popular than ever. Now, almost one in every six individuals in Germany own one, making the total number of ticket holders around 14.5 million.
However, many unknowing travelers have been riding ticketless thanks to an extensive fraud case caught by Heise in February. Digital Germany tickets on smartphones suddenly became invalid, leaving ticket holders in a pickle. Antonia Rafaela Agyena from Bielefeld was one of the many victims. She reported to ntv that she had to pay a 60 euro fine after a check, as she had purchased her ticket from the questionable ticket shop, D-Ticket.
Data PrivacyD-Ticket offered tickets for a lower price and as a monthly pass, which is not possible with the official Germany ticket. For months, D-Ticket fraudulently sold thousands of fake Germany tickets in this manner. German railways discovered around 50,000 such fake tickets. There's a strong possibility there are more. These fake tickets were exposed due to the "Senior" label on the ticket which, in reality, does not exist.
RouteVibe Limited, the operator behind the bogus website, appears to have a virtual office in London. Multiple criminal investigations are now underway, as per Bild.
Security Loopholes Known Since 2023
The Germany Tariff Association (DTVG) had knowledge about the fraud as early as December of the previous year. Their response came only two months later, in February. The delay was due to the absent employee and the lack of a replacement in time, leading to a thinly-staffed team.
Warning: Be Aware, Fraudsters in the Rush
The fraud was unexpected yet predictable. The responsible parties had already been informed about the security vulnerabilities in the system since the launch of the Germany ticket in 2023. Furthermore, the astronomical misuse was evident in the ballooning number of users: 60,000 to 1 million more people were allegedly using the ticket than were officially sold each month, as reported by Heise. This significant discrepancy pointed to a massive fraud issue.
Even though the security holes were common knowledge, the transport companies failed to establish uniform security standards for a year and a half. According to Lars Wagner, spokesperson for the Association of German Transport Companies (VDV), rush implementation was one of the main reasons for these shortcomings. Sales and control processes had to be swiftly adapted and digitized to meet the rapidly-approaching ticket launch date. As a result, new openings for fraudulent practices were created. Since then, the industry has been racing against time to prevent these illicit activities.
Key Stolen & Used for Fraud
At the outset, there were two systems employed for ticket issuance: a secure one and an insecure one. This design enabled the immediate introduction of the Germany ticket, even with smaller transport companies on board.
Caution: VDV-Kernapplikation is the Gold Standard, UIC Barcode Ticketing is a Pale Imitation
The secure variant is referred to as VDV-Kernapplikation (VDV-KA), the only recognized standard for electronic public transportation tickets in Germany. According to TÜV Rheinland, it boasts superior security features compared to the second variant: the UIC barcode from the International Railway Union. D-Ticket, the shady website, chose to use the latter. It reportedly obtained a private key from Vetter Verkehrsbetriebe in Saxony-Anhalt, allowing it to sell tens of thousands of fake tickets. The source of this key remains unaccounted for.
In May 2023, when the fraud was discovered, all tickets bearing Vetter Verkehrsbetriebe's key were blocked, whether genuine or not.
Keep a Distant Eye: Transport Companies Mismanaging Security, Reacting Slowly
Transport companies have been criticized for being too lax on security measures and acting too late. "They have been negligent and reacted too slowly," disapproves Detlef Neuß, federal chairman of the passenger association Pro Bahn, on ntv. "There are transport companies whose IT is vulnerable and not properly secured, which is why these fraud cases are possible."
The Financial Ruin of Millions
The fraudulent acquisition of the Germany ticket isn't limited to stolen cryptographic keys. Another common practice is direct debit fraud: tickets are bought using false, foreign, or stolen bank details. "As soon as the person notices that their bank details have been used improperly, they cancel the direct debit - and then, of course, the ticket becomes invalid," says VDV spokesman Wagner. Additionally, digital ticket copies result in lost revenue for transport companies.
Somber Forecast: A Billion Euros Drained, and Counting...
According to Wagner, the total damages incurred due to manipulated or copied tickets are in the hundreds of millions of euros, with an immense "dark figure." Heise estimates these damages could reach up to half a billion euros. In the ten months from January to October 2024, the loss was 267 million euros, which represents the difference between the tickets in circulation and the actual number of tickets sold - a total of 5.45 million tickets.
Bolstering Security from October
Against this grim backdrop, transport companies, associations, and regulatory bodies will implement stricter security measures for the Germany ticket as of October. Buyers will have to verify their bank account, cryptographic keys for tickets will be managed more securely, mobile tickets will have copy protection, and invalid tickets will be centrally recorded.
This newfound security will be introduced in phases, and by the end of September at the latest, only Germany tickets compliant with the new security standards will be valid. "Speed is essential; we're working relentlessly to tighten security levels," states Wagner. However, digital processes take time, and transport companies are dependent on technical service providers to implement these changes.
Despite numerous security loopholes, the subscription ticket will continue as planned. The price will supposedly rise gradually from 2029 in a "socially acceptable manner."
Controversy Continues: Uncertainty Over Funding for the Germany Ticket
The federal subsidy for the Germany ticket is only secure for the current year. Each state contributes €1.5 billion annually. Far too little, criticizes the VDV. They argue that public transport operators are earning less due to the Germany ticket. New Federal Transport Minister Patrick Schnieder aims to resolve this matter swiftly. By October at the latest, the future funding of the Germany ticket should be clear.
Source: ntv.de
- Security vulnerabilities in Germany's public transport ticketing system
- Financial fraud via direct debit and ticket resale on unauthorized websites
- Lack of robust identity verification and unified digital standards
- Transport associations and regulators advocating for stronger action against fraud
- Stricter identity checks and security protocols for Germany ticket
- Calls for proper funding to cover potential losses due to fraudulent activity
- Federal Transport Minister Patrick Schnieder working towards clarity on funding
- On-going investigation into fraudulent website RouteVibe Limited
- In light of the ongoing ticket fraud issue, there seems to be a pressing need for the German community to implement stricter security measures in their vocational training programs for digital ticketing systems, in order to produce competent professionals capable of preventing and addressing such fraudulent activities.
- Meanwhile, as many unknowing travelers have fallen victim to the extensive fraud case, promoting awareness about various sports and recreational activities could provide these individuals a healthy outlet to cope with their stress and feelings of insecurity, fostering a sense of community and camaraderie within the affected areas.
