Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides

Re: Still too expensive

Cost of a bus journey to my work is greater than a train ride, there are fewer of them (1 bus per hour, 2 trains per hour) and the journey takes longer compared to a train (bus is 45 minutes, train 8) due to the route.

Monthly tickets are cheaper however, but not by much and ironically if the trains aren't running I get a more direct route which is faster by replacement bus service than by bus.. where as if the bus isn't running I get to pay for my own taxi.

Re: Still too expensive

"...stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off)."

If they don't let you off in request, that would be kidnap. If the doors are broken and won't open, then it qualifies as enough of an emergency that you can break the emergency glass and leave.

Re: Still too expensive

@Ben Tasker

How do they not let you off the bus? There's a button directly above the doors to open them, so even if the driver is being a dick you just hit the button and step off. There's nothing they can do about it. Generally they're only worried that you'll get off and step into moving traffic or get hit by a cyclist or something. Just assure them that you're not an imbecile and they should let you off. I've only had 1 guy ever refuse, so I just opened the doors and got off while he sat in his little plastic cubby and fumed in silence.

I do agree First run a shit, overpriced service though. I'm assuming that they use the same app across all their fleets, so this trick should work for anyone forced to endure their "service". May have to test it out next week.

Re: Still too expensive

Growing up in the home of First Bus (Aberdeen), where the original motto was "We bought the Buses for you!", that was quickly dropped same as the non-profitable routes as the prices went up.

Re: Still too expensive

Weirdly I had this conversation today... the cost of fitting all First buses with a GPS tracker is zero. Uber do it, bus driver just signs into app when he gets on. Result would be increased reliance on buses as you dont have to sit in the pissing rain for 2 hours for two to turn up. The two fecking buses could coordinate to switch passengers and stabilise the timetable, and people would have increased trust in the provision such that usage increases.

Why they dont spend 50k on an internal app is beyond me

Re: Still too expensive

"break down on the way and you'll be stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off)"

Isn't that kidnapping? It's not like a train where getting off might be onto a live line on operator owned property.

With an .apk I think you mean the ever friendly mouse hack... File -> Open.

Give the .onion website a read through. They've done a fair bit more than that.

Re: Eh?

Thank you Captain Obvious!

I was thinking it was a naming convention and they report to buspiratea.

Could also be Danish or Swedish, meaning "the bus pirate".

I guess he fixed the back-end problem by putting the keys in the front-end.

Nearly all bus companies use the same cloud based ticketing system these days, and so the same base app which they then add branding to. This will impact more than just First. The QR codes contain minimal clear information, e.g purchase time, valued from/to time, ticket type (company specific code), and then various base64 strings which I’m guessing are encrypted with the mentioned keys.

Re: Unghh

They also do Go-Ahead and TfL so those apps will probably be cracked by about this time tomorrow.

Re: Unghh

Strongly suspect that he just reached 18 and was asked to pay for his bus ride, hence the anger directed towards the unfortunate bus company.

In the meantime we regret to announce that the "Public Transport Pirate Association of the United Kingdom" has been sent to his room.

Re: Free public transport in the UK?

Back in my day busses in the Soviet Republic of S Yorkshire were almost free.

They had a fare of 2p/5p because making them free was blocked by the ticket collector's union

Re: Did the hacker find the keys

I was going to mention service bus but I feared that would be considered off topic

Re: Free buses

"Either the people who user the bus pay for their use, or everyone (regardless of if they use buses or not) pay for the buses via their taxes."

Or option C), good, clean, free public transports pays for itself by bringing people, business and money into the town because it's a "public" service designed for the "public" to use and benefit from.

Oh, and since you ask, yes the sky is pink on my planet.

Re: Why have the Plod become involved?

The only crime committed here is that by Corethree, and nobody else.

Well, apart from the year of fare dodging you mean?

First are terrible, but 'political statement' or not, they waited a year. A year of free bus travel is still several hundred pounds; Ironically paid for by all the people they're aparently trying to help.

Re: Obvious Mistake?

No, more like they took a conscious decision to ensure customers could use their tickets rather than hammer their servers in the mornings causing them to lose actual money by having drivers wave people onto the bus rather that have them fuming and cursing the app because the servers' have fallen over (again).

Having a few miscreants get some free rides is much better than thousands of free rides every week because of server timeouts during peak hours, or paying for suitable elastic hosting to cope.

Re: Shut it down

"Adjusted operating profit ahead of our expectations at £332.9m, led by growth and margin expansion in First Student and First Bus"

Source: First group 2019

Re: Shut it down

There are profitable routes (almost all of them using hub and spoke routes), its the suburb to suburb routes that don't make money and are dying. Usually because first know that the route won't earn a profit and thus don't contest them with smaller players (a local route recently closed and on the last day they ran 2 heritage buses for free that they'd privately owned for 40+ years. I hardly think I'd ever see that from the likes of first).

Unfortunately just like with the trains in the 60's not ever route has enough passengers to justify it. That's why local subsidiaries exist from the local council but these are being squeezed beyond belief by Westminster in the name of austerity.

Re: Shut it down

Contrasting two business models:

#1: A really large vehicle ("bus"), sharing the cost of the journey between 20-50 people. It maximises sharing by scheduling on predefined routes, at predefined timings. It needs public subsidy.

#2: A small vehicle ("Uber"), travelling from where you are, to where you want to go, when you want to do so. This is incompatible with ride-sharing, but has been named part of the "sharing economy". Apparently this is an economic miracle, so that even a company which only runs timetable and Payroll, is worth billions.

Yes, #2 is just a scam, defrauding both investors and drivers.

But it's strange that #1 can't be profit-making. The bus must be profitable when full, so the problem is likely that most buses run nearly empty. It's a Pareto paradox - 80% of the people want to use 20% of the buses, so 80% of the people see the buses as crowded, while actually 80% of the provided capacity runs nearly empty and un-profitably.

But you would think that something like an Uber app for buses could be exactly the thing. When the bus is full, it sticks to route & time. But when it's nearly empty, it can easily divert a few streets to pick up randomers on request, while only delaying one or two passengers on board for a couple of minutes. Plus, many buses have really winding routes around town to pass stops that might have passengers at them but usually don't.

Of course, you would have to explain to people that by doubling passenger numbers during quiet times, they could halve fares......

Bus companies are clearly getting *something* badly wrong, and should consider whether there is some more flexible service they could provide than traditional- otherwise they will locally optimise themselves all the way to bankruptcy.

Pretty much like a real ticket; for single fare*, activation performed by external hardware containing the private key. Of course there's an associated cost, however small, so First had to try and dispense with the hardware.

*for anything else, there's no real issue - besides the pervasive tracking of users, which companies insist is for our own good - because daily / monthly etc can be controlled by other means, for example a calendar.

The main rule for cellphone apps is that you never store anything on the phone except a successful login token. So then yes, any transaction, like buying or using a ticket requires a connection. But that is no big deal because you are not going to do either of those often. Tickets can persist forever once stored on the server side.

In Gothenburg, Sweden they introduced their app a few years ago. At the time you could buy (rent with refundable deposit) a reloadable travel card. You had the option to top it up in a shop or have it auto refill. Worked great, you just pop your card against the machine when you go on for most journeys, travelling further afield you just needed to pop it on a machine to check out.

Journeys by this card were discounted compared to buying a cash ticket as you might expect. What you might not expect is journeys purchased in the app were the same as a cash ticket (not sure but I think they were actually more than a cash ticket=. Hence very low uptake on the app - plus you needed an active network connection for your whole journey as the ticket magically hides itself after a couple of minutes without connection.

Solution? Bring the price of the app down to the price of the prepaid cards! Oh no, that would be too sensible, they actually brought the prepaid card journeys up to the price of the app. And removed the auto-refill ability.

Before the app you could get SMS tickets where the format was fairly simple to deduce and the drivers had no way to verify the code was genuine, so quite easy to forge those if you were so inclined.

These days you can freely get on without showing a ticket and the random controls are so rare it's not difficult to be a freeloader. I take the bike if I need to go in to town, infinitely faster and cheaper anyway.

Re: British buses are embarrassing

"(The UK exception is London, where the Oystercard actually works pretty well. Do any other big UK cities have something similar? The only one I go to these days in Glasgow, which doesn't.)"

Back when I was a kid, the new county of Tyne & Wear was invented. Part of that was the creation of the Tyne & Wear Passenger Transport Executive. All the local council bus services were transferred to it's control. Then the Tyne & Wear Metro system was built. Everything was intergrated, including the cross-Tyne Ferry. You could buy a ticket from anywhere to anywhere and change as required between bus, metro and ferry and the price was based on the zone boundaries crossed. Buses were generally timed to match with the Metro light rail system, especially at the main interchanges. It worked really well and prices were pretty reasonable. Then they privatised the buses and over a period of a few years, the buses no longer matched the Metro station arrival/departure times, the buses were dirty, the prices went up and the bus tickets and Metro tickets were no longer interchangeable.

In recent years, they have come up with the new and wonderful idea of inventing integrated combination tickets which let you travel on the buses and the the Metro. Whoop-de-doo.

Re: Why isn't public transport free?

Was well subsidised, not so much anymore with councils being starved of central funds.

Re: Why isn't public transport free?

Our Parish Council of a very rural village looked in to this. Would cost about £5000 year to put on a bus service to take villagers in to the nearest town, once a week. Given the PC's total income is £8000/year, it's simply not cost effective for the 10 people who would use it. The money would need to come from taxation at a countrywide level, not precept at a local level.