Fake train tickets in the age of the dark web and ‘smart’ payments

An investigation has revealed that forged train tickets are being sold at a fraction of their retail price on the dark web and then used at UK rail stations. Is this a passing phase or the start of a new form of fraud?


Late last year, a team at the BBC bought a first class ticket from Hastings to Manchester and a monthly ticket for the Gatwick Airport to London route; nothing remarkable about that, at first glance.

However, these tickets were not purchased through a website, via an app, or in person at a ticket office. Rather, they were sourced on the dark web - the shadowy part of the internet that flourishes with illegal trade of weapons, drugs and stolen credit cards, among other things.

The BBC used these ‘passes’ up to 12 times, although differences in the magnetic stripe meant the tickets could not open the ticket barriers and the team had to ask station staff to let them through.

After this revelation, the group selling the tickets said in a statement: “The train companies keep stuffing their pockets with public subsidies while treating the operation of rail services as an inconvenience.

“We wish one day everyone will be able to use an affordable public service. Until then, we will be providing it.”

This “public service” consisted of a discount on fares, with the first class ticket to Manchester sold at £111, rather than £285, and the Gatwick monthly pass for just £100, a large saving on the retail price of £308.

Speaking about the quality of the tickets, rail fraud investigator Mike Keeber told the BBC that while they passed the initial check, "there's something on there that shouldn't be on there".

"I'd rather not say what it is, as people who make this [could] change it and make our lives harder,” he added.

The dark web and rail

The dark web has long worried security officials and cybercrime specialists, but this diversification into new markets poses unwelcome questions for the rail sector.

It is well-known and accepted that fraud takes place on the railways. Take one example from March 2015, when it was revealed that a man had been travelling in first class with tickets he printed at home. Or the case of a London City banker who, according to reports, glued a number over the expiry date of his season ticket to extend its use and travel for free.

So, authorities will hardly be dumbfounded to learn that people are prepared to travel with forgeries. However, the emergence of the dark web changes the game. Andres Baravalle, a researcher at the University of East London, has spent years investigating dark web retail with his colleague Dr Sin Wee Lee, and recently found an increasing number of train tickets on sale.

Dr Lee says: “At the time of our first look, in 2015, they did not feature at all.” Their research shows that, as of 18 January, there was one seller on the dark web’s largest market place with 36 transactions in 12 months, covering both single tickets and travel passes.

“It’s an escrow sale, meaning that the funds are held in a third-party provider and released only if the goods are received,” explains Baravalle, who adds that the main currency is bitcoin.

The researchers add that the dark web is growing all the time, creating a more professional seller; “everything is on sale”, says Dr Lee. For rail, there’s a consensus that paper tickets are the most vulnerable. But just how common is fraud?

Fighting the crime of fare dodging

“Fare dodgers deprive the railway of about £200m every year,” says a spokesperson for the Rail Delivery Group, which represents train operating companies. “Being in possession of a forged ticket is a criminal offence and risks a hefty fine or prison sentence.

“Train companies work closely with the British Transport Police (BTP) to combat and investigate fraud, and operators take a range of measures to make sure that customers are buying and using the correct tickets. Staff carry out regular inspections on trains and at stations, and automatic ticket barriers are installed in many stations.”

When asked to comment, the Department for Transport said in a terse statement: “Train ticket fraud is illegal. People caught with forged tickets can be jailed.”

For the BTP, Detective Inspector Jeremy Banks of the Cyber Crime Unit says they are “aware that criminals have been using the dark web in order to exploit rail firms by fraudulently selling tickets”, adding that, “[our] Cyber Crime Unit works closely with the rail industry as well as police forces nationally”.

And, as online and mobile tickets grow, so does the importance of cyber units. However, Simon Goodale, business development director at Tixserve, is critical of some of the mobile apps on offer.

“What has happened in the move to mobile so far?” he asks. “Well, they've taken the existing world of paper tickets – a barcode – and put it onto an app. These can be very unsophisticated.” On the other hand, he continues, fraud and dark web activity are getting more and more sophisticated.

“The consumer demand…everything is on mobile and so people are designing mobile solutions but that opens up a broader area to be targeted by the fraudsters,” says Goodale. “The more tech grows, the more points of compromise grow, too."

Tixserve, which delivers secure digital tickets to customers on behalf of ticket sellers, has spent two and a half years developing new technology to combat fraud. As of the end of 2016, however, Tixserve is not actively working with any rail operators, although Goodale is keen to stress that the company is working hard to change that.

Goodale describes the technology – originally developed for live events before the company decided to try its hand at transport – as a ‘wallet’ that stores the ticket.

“The ticket itself has a number of security features built in, for example, a geo-fence so the ticket can only become 'live' either time-based or within a certain radius [to a station], say 100m,” he adds. Traditional ticketing, continues Goodale, can be easily replicated “at high-quality, [but] we believe we have a cocktail of security features that will allow some resolution to the issues that are permitting the fraud”.

In essence, what Goodale and his colleagues have tried to create is something that can track a ticket, from its inception to point of use. On some levels, this is similar to how Oyster cards and contactless payments work.

Banking-level security for rail

Since launching in 2003, Oyster has changed how people get around London. It has removed the need to buy paper tickets, instead giving passengers the choice to continuously top-up one card.

“Part of the motive [for Oyster] was to do with fares policy,” explains Mike Tuckett, Transport for London’s (TfL) head of transformation delivery. “But we were aware at the time that the security around magnetic stripe [paper] tickets was, frankly, extremely low. The cryptography you get on an Oyster card is in a different ballpark.”

Nonetheless, Oyster cards have been cloned. In 2008 researchers from Holland discovered a fault in the system whereby they were able to use a card reading unit to gather the cryptographic data stored on the card. When asked about TfL’s response, Tuckett insists improvements have been made: “Since 2010, we've upgraded the technology behind the card, whereas the ones that were compromised used an older system.”

There’s also the fact that TfL, through its back-office monitoring, can see if a cloned card is being used. “As soon as our systems see two cards with the same number being used, we can close that down,” says Malcolm Woolston, payment operations manager at TfL. “For Oyster, I know every single card number and the time they went in or out. It's not a profitable fraud, therefore it has not become widespread.”
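The back-office check described above, sketched as an added example that is not TfL's code and does not come from the article: it scans a tap log for card numbers whose history can only be explained by two physical cards. The sample log, the card numbers, both rules and the five-minute floor are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample tap log: (card number, ISO time, station, direction).
TAPS = [
    ("0451", "2017-01-18T08:00:00", "Stratford", "in"),
    ("0451", "2017-01-18T08:25:00", "Bank", "out"),
    ("0777", "2017-01-18T08:01:00", "Brixton", "in"),
    ("0777", "2017-01-18T08:04:00", "Ealing Broadway", "in"),  # entry while inside
    ("0777", "2017-01-18T08:30:00", "Victoria", "out"),
    ("0902", "2017-01-18T09:00:00", "Brixton", "out"),
    ("0902", "2017-01-18T09:02:00", "Stratford", "in"),  # too soon after exit
]

# Assumed floor for leaving one station and entering a different one.
# A real deployment would use per-station-pair travel times instead.
MIN_TRANSFER = timedelta(minutes=5)


def find_clone_suspects(taps, min_transfer=MIN_TRANSFER):
    """Return {card: [reason, ...]} for cards that appear to exist twice."""
    by_card = defaultdict(list)
    for card, ts, station, direction in taps:
        by_card[card].append((datetime.fromisoformat(ts), station, direction))

    suspects = defaultdict(list)
    for card, events in by_card.items():
        events.sort()  # the log may arrive out of order from different gates
        inside = False
        prev = None
        for when, station, direction in events:
            # Rule 1: a second entry while the card is already inside the system.
            if direction == "in" and inside:
                suspects[card].append(f"double entry at {station} {when:%H:%M}")
            # Rule 2: exit at one station, entry at another sooner than the floor.
            if (prev and prev[2] == "out" and direction == "in"
                    and station != prev[1] and when - prev[0] < min_transfer):
                suspects[card].append(
                    f"exit {prev[1]} then entry {station} after {when - prev[0]}")
            inside = direction == "in"
            prev = (when, station, direction)
    return dict(suspects)


if __name__ == "__main__":
    for card, reasons in find_clone_suspects(TAPS).items():
        print(card, reasons)
```

Missed tap-outs at open gates produce the same double-entry pattern, so flagged cards are candidates for review or hotlisting rather than proof of cloning.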

As for contactless payments, TfL acts as any other merchant does when accepting bank cards. “Essentially…[you] piggyback with the high level of security that is demanded by the payments industry,” states Tuckett.

But, are Oyster cards available on the dark web? There’s no research to suggest they are, although Woolston believes “it's not the sale of the card that is the issue” because “if someone is selling cards on the dark web...that's fine, in a sense. But as soon as you put a product on it [money], our systems will see it."

He adds: "Paper tickets are an obvious product of choice to clone and counterfeit, [as] the only way of finding them is if it's a poor copy and staff see it. With Oyster, the system does that for you.”

One does wonder if the rise of the dark web as a new market place for rail tickets is down to frustration with higher prices or simply the opportunities created by an ever-growing network of dubious ‘businessmen’ who use the backwaters of the internet to hide their illegality.