back to article Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides

A hacker collective has said that it found the private keys for a Manchester bus company's QR code ticketing app embedded in the app itself – and has now released its own ride-buses-for-free code. In an interview with The Register, the hacker claiming to be behind the breach of First Buses' ticketing app said he had noticed …

  1. Ben Tasker

    Still too expensive

    Our local buses are run by First.

    I'd still feel overcharged if they were free. It's "normal" for buses to be late, but with First it's far more common that they just don't turn up at all, because that run's been cancelled. Because they've not invested in the fleet for ages, if the bus does turn up there's a reasonable chance it's going to break down on the way and you'll be stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off).

    We used to have buses run by the council, and they were reasonably reliable (if not always there on time). First set up alongside them and eventually took over the lot. If you actually care about getting somewhere, taking a First Eastern bus is the very last thing you want to do.

    Sounds like their investment in the app mirrors their level of investment in the fleet.

    1. Halfmad

      Re: Still too expensive

      Cost of a bus journey to my work is greater than a train ride, there are fewer of them (1 bus per hour, 2 trains per hour) and the journey takes longer compared to a train (bus is 45 minutes, train 8) due to the route.

      Monthly tickets are cheaper however, but not by much and ironically if the trains aren't running I get a more direct route which is faster by replacement bus service than by bus.. where as if the bus isn't running I get to pay for my own taxi.

    2. jmch Silver badge

      Re: Still too expensive

      "...stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off)."

      If they don't let you off in request, that would be kidnap. If the doors are broken and won't open, then it qualifies as enough of an emergency that you can break the emergency glass and leave.

    3. israel_hands

      Re: Still too expensive

      @Ben Tasker

      How do they not let you off the bus? There's a button directly above the doors to open them, so even if the driver is being a dick you just hit the button and step off. There's nothing they can do about it. Generally they're only worried that you'll get off and step into moving traffic or get hit by a cyclist or something. Just assure them that you're not an imbecile and they should let you off. I've only had 1 guy ever refuse, so I just opened the doors and got off while he sat in his little plastic cubby and fumed in silence.

      I do agree First run a shit, overpriced service though. I'm assuming that they use the same app across all their fleets, so this trick should work for anyone forced to endure their "service". May have to test it out next week.

      1. Anonymous Coward
        Anonymous Coward

        Re: Still too expensive

        Never tried Stagecoach then.....they take crap to whole new heights, including getting a peachy and very lucrative publicly funded contract to run transport to the local college and bringing up a knackered old double decker bus from Manchester for the service, said bus laid down a dense smoke screen everytime it pulled away with an engine that sounded like it was full of shrapnel, I and others complained about it (and the air pollution it was leaving in its wake), to be told that the "vehicle is in good operating order and was transferred to run this service to a high standard, the maintenance depot have examined the vehicle and found no fault", they deigned to "have it re-examined" when I told them I had video of said smoke screen and I'd ask the traffic commissioner for their viewpoint, found out 2 weeks later that the bus had dropped all its oil on the road one morning after the motor went pop, leaving a double deckers worth of students in the middle of nowhere..........

        Scot gov is giving £7.8 MILLION of taxpayer's money to First, Stagecoach, National Express Xplore et al to "upgrade their fleets to Euro 6 compliance to improve air quality"

        1) Why aren't they required to do this anyway as part of their operators licence?

        2) Why are they giving seemingly scarce taxpayers money to private companies?

        3) Why has no one in the media yelled "corruption!" yet?

        3a) Particularly as Brian Soutar, founder of Stagecoach is a major donor to the SNP aka current scot gov, can anyone say "conflict of interest?

        1. Muscleguy

          Re: Still too expensive

          They are doing it because the EU will fine them for breaching air quality rules the govt is signed up to and because ScotGov groks that air pollution is harmful to meatsacks, especially junior meatsacks.

          Here in Dundee we have the Seagate all the buses use, it winds and is a canyon and the wind cannot clear it (an original design feature before internal combustion engines). Idling diesel buses stopped there were causing big problems. Now we have electric hybrid buses with flywheels where the engine is off when the bus is stopped. It can get going on the flywheel from regenerative braking or going downhill.

          The companies have no market incentive to do this, zip, nada. They are not fined, ScotGov is. ScotGov cannot run a deficit so fines are a problem. So it funded the upgraded vehicles. All this is in the public domain so there is no conspiracy, unless you are so blinkered you keep yourself deliberately ignorant.

          Note the buses are a mix of National Express and Stagecoach buses. So not just Souter. Imagine that Souter doesn’t have a monopoly where he and Sis first started out. Some conspiracy in the marketplace for sure.

          1. Claverhouse Silver badge

            Re: Still too expensive

            Why aren't the bus companies --- in the 'free market' --- not responsible and willing to upgrade and pay for their own polluting vehicles rather than taking money from government welfare ?

            Quite irrespective of the virtues of nationalisation/privatisation or exactly how much industry bosses bribe donate to nationalist parties.

            1. Robert Carnegie Silver badge

              Re: Still too expensive

              If the vehicles they've got run perfectly well, why should a bus company raise fares to buy new green vehicles that are not particularly better at being buses? Except in London for instance where you may be actually charged for operating a more polluting vehicle. So, either legislate to take polluting buses off the roads (at least in cities), or let government pay for them to be traded-in for new ones. And if legislating, the new vehicles still have to be paid for.

              In one edition (maybe made more than once) of "The Mark Steel Solution", which consisted of proposing an unusual public measure and performing comic sketches about it, he argued that public transport should be paid for only by people who aren't using it. I think the Labour Party in Scotland is talking about free public transport for all, probably expecting they won't be invited into government to execute their policies - but I haven't looked at it closely. And Mark Steel talked some sense. (I think he also proposed everyone should have to be gay for two years, like National Service.)

          2. Anonymous Coward
            Anonymous Coward

            Re: Still too expensive

            Well aware of the Seagate, solution to the airpollution issues would quite simply be to tear down the buildings on the tay side of the street to allow better air flow in, rather than the 6 odd story buildings either side of a comparitively narrow street.

            Or you know the SNP could at some point since 2014 mandated that all buses by this year / 2020 comply with Euro 6 emissions standards, oh wait that would require brain power and a will to do something rather than grandstanding to the media and then quietly walking it back - i.e. shock collar "ban" and then turns out its nothing of the sort, leaving Mairi Gougeon (an otherwise decent person) to admit that its not actually a ban at all...

            I mean its not like the bus companies are required to have operators licences or actually comply with the law or anything is it?

            Nat Express and Stagecoach had quite deep ties on the Rail side as they did with Virgin. So smells more like a cartel than any real competition...

            Why would they upgrade the vehicles when they know nicky and her gang will just hand over public funds to them under a positive PR banner rather than admit its due to their incompetence and unwillingness to make private companies obey the law. If they are SO concerned about the health of children, then they would already have sorted the clean air act, banned wood burners and open fire places in any city, town or village, given that even the cleanest woodstove (greenwashed as "eco") emits more pollution than SEVENTEEN diesel cars idling in close proximity and far more than a 10 year old arctic lorry, and thats under ideal lab conditions, which no one will replicate in the real world, its dieselgate ALL over again. Already they are walking back and copy and pasting DEFRA's plans, just like they've copy and pasted PIP and given it new and stupid name - DAWAP

            Souter and his sister didn't exactly play fair when they started up in Perth, running services at a loss to drive out the competition and then when someone started up in competition to them, filed every complaint under the sun until something stuck.....

            Then there's also the matter of him being a homophobic bigot, having donated heavily to the "keep the clause" campaign aka "prevention of promotion of homosexuality in schools" and trying to coerce ministers into doing what he wanted as he wa a major donor, now nicky would just roll over to him.

    4. Mattjimf

      Re: Still too expensive

      Growing up in the home of First Bus (Aberdeen), where the original motto was "We bought the Buses for you!", that was quickly dropped same as the non-profitable routes as the prices went up.

    5. cbars

      Re: Still too expensive

      Weirdly I had this conversation today... the cost of fitting all First buses with a GPS tracker is zero. Uber do it, bus driver just signs into app when he gets on. Result would be increased reliance on buses as you dont have to sit in the pissing rain for 2 hours for two to turn up. The two fecking buses could coordinate to switch passengers and stabilise the timetable, and people would have increased trust in the provision such that usage increases.

      Why they dont spend 50k on an internal app is beyond me

      1. SloppyJesse

        Re: Still too expensive

        "The two fecking buses could coordinate to switch passengers and stabilise the timetable,"

        I used to travel out of Swindon (unfortunately I had to go back the next day) on a service which always got bunched up by the time it got to the edge of town. The drivers would regularly swap passengers while queuing a cross the motorway junction to allow the first bus to 'go direct'. But that was in the days before CCTV and GPS monitoring - I bet they'd not be allowed to do it now.

        In my current city they tried an intelligent bus stop system that shows time to the next bus. They bought it cheap second hand from another council. The bus companies refused to use it saying it was too expensive to integrate with their vehicles. Even on then trial routes it never gave accurate information anyway. One wonders why the original council never used it... Council. Booze up. Brewery.

        The only way our bus services will get better and be comprehensive is if they can be run properly on an area basis, rather than this crazy route by route basis where private companies can take profit from busy routes but expect subsidy to run others. Even our dear leader(*) has said public transport would be better if everyone followed TfL's approach - unfortunately he failed to point out that would be illegal under the current transport acts.

        * or "Babbling fatberg of dishonesty" as Ratbiter in Private Eye has decided to refer to him

    6. John Brown (no body) Silver badge

      Re: Still too expensive

      "break down on the way and you'll be stuck waiting for a replacement to turn up and take you onwards (they won't generally let you off)"

      Isn't that kidnapping? It's not like a train where getting off might be onto a live line on operator owned property.

  2. Tom 38

    reverse engineering the app

    strings blob
    is called reverse engineering these days?

    1. Anonymous Coward
      Anonymous Coward

      With an .apk I think you mean the ever friendly mouse hack... File -> Open.

    2. Cl9

      Give the .onion website a read through. They've done a fair bit more than that.

  3. Potemkine! Silver badge

    "Magic hand" at work ^^

    Our view is that this is symptomatic of the deprofessionalisation of the development community over the last ten years but, but, but... it makes applications much less expensive, and it makes more cash available for the C-suite and shareholders! Isn't that the most important?

    1. Caver_Dave Silver badge


      I had this discussion with a C-Suite once - on a plane (it was me that got the upgrade, not him that got a downgrade!)

      He asked why our certifiable development cost so much, but I was struggling to get the point across and used this (very simplistic and not quite applicable) analogy:

      Your average web app is designed and tested at kindergarten level

      Your average commercial software is designed and tested at high school level

      Your certifiable software is provably correct at PhD level

      Which software do you want to have been used in this plane?

      Yes, there is great software developed by committed people at all levels within the industry, but at the project level, you certainly get what you pay for!

      1. EBG

        Which software do you want to have been used in this plane?

        was it a Boeing ?

        1. el_oscuro

          Re: Which software do you want to have been used in this plane?

          Nope. An Kindergartner would have probably made a paper or balsa airplane and known what would happen if you pointed the back wing down that much.

  4. Locky

    It may be free


  5. Anonymous Coward
    Anonymous Coward

    "Buspiraten" is German for "bus pirates", in case the connection was not obvious.

    1. Aitor 1

      Re: Eh?

      Thank you Captain Obvious!

      1. Anonymous Coward
        Anonymous Coward

        Re: Eh?

        Surely Oberleutnant offensichtlich?

        1. OssianScotland

          Re: Eh?

          Oberst, if you are going for nautical rank equivalents*

          *may not be exactly equivalent. For full terms and conditions see....

      2. Anonymous Coward
        Anonymous Coward

        Re: Was?

        My apologies for not realising you'd all recognise it as German. BTW the author not only doesn't mention German, but consistently uses the singular in the article.

        In other news, Schnee is white and Bären shit in the woods.

        1. ElectricPics

          Re: Was?

          Gelber schnee?

          1. bpfh

            Re: Was?

            Essen nicht

    2. Huw D

      I was thinking it was a naming convention and they report to buspiratea.

    3. DeskJockey

      Could also be Danish or Swedish, meaning "the bus pirate".

      1. Kabukiwookie

        Or dutch

      2. Nick Kew

        That was my thought. The singular, for one person. And that's an exact translation you gave: the "en" suffix is the definite article, and the rest is obvious.

      3. DCFusor

        So it's probably a french guy trying to throw the plod off, right?

  6. Flywheel

    Sounds like another boss's nephew summer internship project. *sigh*

    1. Grooke

      I guess he fixed the back-end problem by putting the keys in the front-end.

    2. Anonymous Coward
      Anonymous Coward

      Nearly all bus companies use the same cloud based ticketing system these days, and so the same base app which they then add branding to. This will impact more than just First. The QR codes contain minimal clear information, e.g purchase time, valued from/to time, ticket type (company specific code), and then various base64 strings which I’m guessing are encrypted with the mentioned keys.

      1. Anonymous Coward
        Anonymous Coward

        Arriva Stevenage Return Ticket QR Code between Old Town and Bus Station

        Ticket QR Code scans as:


        Fields look like:

        4 2 1540253bca54448aa7257d88aff209c7 X106 11671a94 11682a1f 204 0 JAQ9n+9x+zEjwo1SAS0/xvaLy0o=

        15 40 25 3b ca 54 44 8a a7 25 7d 88 af f2 09 c7 = MD5(?)

        11671a94 = 2019-04-03T06:41:24 ... (seconds since 01/01/2010 00:00:00)

        11682a1f = 2019-04-04T01:59:59

        JAQ9n+9x+zEjwo1SAS0/xvaLy0o= <-- Base64(24 04 3d 9f ef 71 fb 31 23 c2 8d 52 01 2d 3f c6 f6 8b cb 4a) = SHA1(?)

  7. Anonymous Coward
    Anonymous Coward

    Loving it in Luxembourg

    Free from next March.

    Mind, almost everything else is expensive.

  8. Bronk's Funeral

    I liked the bit where he posted it to r/manchester, and everyone pretty much went 'huh?'

  9. Snorlax


    From CoreThree’s website:

    ”Tickets are locked to a device to prevent ticket sharing and duplication.”


    The hacker...discovered "the entire thing was client side".

    So basically a rushed group project by a bunch of computer science students?

    Enjoy the free rides while they last.

    1. Dan 55 Silver badge

      Re: Unghh

      They also do Go-Ahead and TfL so those apps will probably be cracked by about this time tomorrow.

      1. Anonymous Coward
        Anonymous Coward


        Is this the TfL oyster app?

        Never used it myself, but might be worth looking at purely for interest and to see how well the code is written.

        1. Mark 85

          Re: TfL?

          Never used it myself, but might be worth looking at purely for interest and to see how well the code is written.

          You sir, are obviously a glutton for self-inflicted punishment.

        2. Anonymous Coward
          Anonymous Coward

          Re: TfL?

          TfL uses contactless technology (Oystercard/Freedom pass, credit/debit cards, Applepay and similar) for payment, so the app is for managing your card(s) transactions rather than making the transactions

      2. Anonymous Coward
        Anonymous Coward

        Re: Unghh

        And 99% of other bus companies as well.

    2. macjules

      Re: Unghh

      Strongly suspect that he just reached 18 and was asked to pay for his bus ride, hence the anger directed towards the unfortunate bus company.

      In the meantime we regret to announce that the "Public Transport Pirate Association of the United Kingdom" has been sent to his room.

      1. Mark 85

        Re: Unghh

        So another self-entitled lad who thinks he's doing good by covering his deeds with political verbage?

  10. BinkyTheMagicPaperclip

    Free public transport in the UK?

    Unlikely. There's a free bus between stations in Manchester, but that's it. This has been the case for decades.

    Buses are reasonably good value, depending on distances and tickets. If you're daft enough to keep buying single tickets and travelling quite short distances they're very expensive, but for a one day pass on all buses in Greater Manchester for under six quid that's not bad. Longer term passes work out at under four quid for any bus at any time.

    I do miss the train anomaly from years ago where if you travelled out at around 7pm it was something like £2 to go twenty miles, to encourage people into the city..

    Of course this only applies if you stay inside county boundaries. As soon as you travel between counties it tends to become a tad pricey.

    1. Yet Another Anonymous coward Silver badge

      Re: Free public transport in the UK?

      Back in my day busses in the Soviet Republic of S Yorkshire were almost free.

      They had a fare of 2p/5p because making them free was blocked by the ticket collector's union

      1. juice

        Re: Free public transport in the UK?

        > Back in my day busses in the Soviet Republic of S Yorkshire were almost free

        Alas, before my time in Sheffield, though I think they were still fairly cheap in the 90s when I first landed in the Land of the Hills.

        I live on a reasonably long route which is rammed with buses from two separate companies; it's not uncommon for them to bunch up at the top end (for protection from marauding socialists, presumably) and then race the last section back into city centre in groups of three, occasionally leap-frogging each other whenever the one in front grudgingly agrees to pick up passengers.

        They've also standardised the prices and introduced a reasonably priced monthly ticket - last I checked, it was about £60 a month, or about £3 per day if you're using it for work.

        Unfortunately, a trade-off for this is that single tickets are relatively expensive, partly because fares seem to be based on "zones" rather than distance. For instance, there's only about a quid's difference in fares between the bus and an Uber when it comes to getting to the main train station, and the latter offers both door-to-door convenience and reduced travel times.

        (Yep, Uber = evil, and I should no doubt be taking a brisk stroll to the station... and then continuing to walk all the way to my destination rather than using any form of fossil-fuel based transport. But, y'know. Sheffield. Hills and all that.

        1. John Brown (no body) Silver badge

          Re: Free public transport in the UK?

          "partly because fares seem to be based on "zones" rather than distance."

          And notice how the zone maps always seem to be very carefully designed such that the vast majority of journies will cross a zone boundary. Locally, it's possible to take a 50p journey inside a zone, get off at the boundary, walk 2 mins to the next stop and pay another 50p to complete the journey because all single zone fares are 50p. Staying on the bus and crossing the zone boundary to do it in one trip is £3.50, so if you have the time and don't mind the inconvenience, you save £2.50. And that's still a lot cheaper than a day return, day pass, or week pass. It's even cheaper than the month pass, but not by enough to bother with.

      2. Name Withheld

        Re: Free public transport in the UK?

        I left before the age of majority but remember it was 2p within one town and 4p to enter the next, I could go 6 miles in one direction but it would cost 4p to go half a mile in the other, amazingly annoying at the time.

        Biggest problem was conductors didn’t like 50pence coins and don’t even think of presenting a £1 note, although not that many people had those in S York’s back in the day.

  11. don't you hate it when you lose your account

    Bus (ted)

    And that's all I have to say on that

  12. D.A.

    Does this only apply to the Manchester app?

    Corethree apps are used by numerous public transport companies, including Lothian Buses and Translink in Northern Ireland. (More are listed on their website)

    Also, recall the massive outage they had last year:

  13. Andy Non

    Did the hacker find the keys

    on the "data bus".

    1. MyffyW Silver badge

      Re: Did the hacker find the keys

      I was going to mention service bus but I feared that would be considered off topic

  14. bouncy

    CoreThree Garbage Transportation Apps

    CoreThree are also responsible for the god awful "get me there" tram ticket app. It continuously complains it cant connect to a server, even during off peak times. It sometimes feels like you have more chance of winning the lottery than actually getting a ticket by the time you arrive at the platform. Play store is full of the same negative views, with nearly everyone suffering at the hands of the garbage app developer.

  15. A Non e-mouse Silver badge

    Free buses

    There is no such thing as a free bus. Either the people who user the bus pay for their use, or everyone (regardless of if they use buses or not) pay for the buses via their taxes.

    1. Red Ted

      Re: Free buses

      Even they realised that. What they say is "...public transport free at the point of use for everybody."

      1. TheMeerkat

        Re: Free buses

        So it is everyone else paying for him taking a bus?

    2. phuzz Silver badge

      Re: Free buses

      Or C) you pirate your bus ticket and the bus is paid for by everyone else, (or just paid for by the bus company if everyone does it). I'd call that free.

    3. John Brown (no body) Silver badge

      Re: Free buses

      "Either the people who user the bus pay for their use, or everyone (regardless of if they use buses or not) pay for the buses via their taxes."

      Or option C), good, clean, free public transports pays for itself by bringing people, business and money into the town because it's a "public" service designed for the "public" to use and benefit from.

      Oh, and since you ask, yes the sky is pink on my planet.

  16. Sgt_Oddball

    First are in Leeds too..

    I find the reliability of service directly proportional to affluence (or lack there of) of the services route.

    As for the keys being hardcoded, that would explain why the ticket service works now... As opposed to how it used to (not) work on a Monday morning when tens of thousands of commuters all tried using the ticket app to find it moaning you needed to connect to the Internet because the servers been DDoS'd by normal, predictable surges in users all trying to get their weekly ticket bought and used...

  17. Zola

    Why have the Plod become involved?

    Hopefully it is to investigate the financial fraud committed by Corethree after flogging - no doubt for top dollar - their amateur hour software as if it were a professionally developed and secure product.

    The only crime committed here is that by Corethree, and nobody else.

    1. Anonymous Coward
      Thumb Up

      Re: Why have the Plod become involved?


      Upvoted for the Sparks reference.

      Cheers… Ishy

    2. FIA Silver badge

      Re: Why have the Plod become involved?

      The only crime committed here is that by Corethree, and nobody else.

      Well, apart from the year of fare dodging you mean?

      First are terrible, but 'political statement' or not, they waited a year. A year of free bus travel is still several hundred pounds; Ironically paid for by all the people they're aparently trying to help.

      1. Zack Mollusc

        Re: Why have the Plod become involved?

        I wonder if those lost hundreds of pounds would have been spent on improving the service or executive bonuses ?

      2. Jason Bloomberg Silver badge

        Re: Why have the Plod become involved?

        A year of free bus travel is still several hundred pounds

        But First get the same revenue whether Buspiraten is riding Das Bus for free or not using it at all.

        I think I hear the Ethics Police kicking down my door.

  18. Anonymous Coward
    Anonymous Coward

    Just back from Manchester

    Public Transport is expensive.

    Cheaper to hire a car!

  19. Gordon861

    Obvious Mistake?

    So if I understand this right, they have done what game devs have realised years ago, if you let the user control their inventory on the client side there is a very good chance that they will change some settings and give themselves a gun with super damage or make them run faster.

    1. Sgt_Oddball

      Re: Obvious Mistake?

      No, more like they took a conscious decision to ensure customers could use their tickets rather than hammer their servers in the mornings causing them to lose actual money by having drivers wave people onto the bus rather that have them fuming and cursing the app because the servers' have fallen over (again).

      Having a few miscreants get some free rides is much better than thousands of free rides every week because of server timeouts during peak hours, or paying for suitable elastic hosting to cope.

  20. Anonymous Coward
    Anonymous Coward

    Shut it down

    Bus company can't manage their assets, people can't afford to ride, people stop paying cause they can, so there is less or the company to work with. Sounds like a lost cause, and it should just die. If people need a ride, and someone figures out how to keep a bus running at a price people can afford - the so be it.

    1. IGotOut Silver badge

      Re: Shut it down

      "Adjusted operating profit ahead of our expectations at £332.9m, led by growth and margin expansion in First Student and First Bus"

      Source: First group 2019

    2. Sgt_Oddball

      Re: Shut it down

      There are profitable routes (almost all of them using hub and spoke routes), its the suburb to suburb routes that don't make money and are dying. Usually because first know that the route won't earn a profit and thus don't contest them with smaller players (a local route recently closed and on the last day they ran 2 heritage buses for free that they'd privately owned for 40+ years. I hardly think I'd ever see that from the likes of first).

      Unfortunately just like with the trains in the 60's not ever route has enough passengers to justify it. That's why local subsidiaries exist from the local council but these are being squeezed beyond belief by Westminster in the name of austerity.

    3. Justthefacts Silver badge

      Re: Shut it down

      Contrasting two business models:

      #1: A really large vehicle ("bus"), sharing the cost of the journey between 20-50 people. It maximises sharing by scheduling on predefined routes, at predefined timings. It needs public subsidy.

      #2: A small vehicle ("Uber"), travelling from where you are, to where you want to go, when you want to do so. This is incompatible with ride-sharing, but has been named part of the "sharing economy". Apparently this is an economic miracle, so that even a company which only runs timetable and Payroll, is worth billions.

      Yes, #2 is just a scam, defrauding both investors and drivers.

      But it's strange that #1 can't be profit-making. The bus must be profitable when full, so the problem is likely that most buses run nearly empty. It's a Pareto paradox - 80% of the people want to use 20% of the buses, so 80% of the people see the buses as crowded, while actually 80% of the provided capacity runs nearly empty and un-profitably.

      But you would think that something like an Uber app for buses could be exactly the thing. When the bus is full, it sticks to route & time. But when it's nearly empty, it can easily divert a few streets to pick up randomers on request, while only delaying one or two passengers on board for a couple of minutes. Plus, many buses have really winding routes around town to pass stops that might have passengers at them but usually don't.

      Of course, you would have to explain to people that by doubling passenger numbers during quiet times, they could halve fares......

      Bus companies are clearly getting *something* badly wrong, and should consider whether there is some more flexible service they could provide than traditional- otherwise they will locally optimise themselves all the way to bankruptcy.

  21. rdhood

    "Duncan Brown, Chief Security Strategist EMEA at Forcepoint, told us:

    "Our view is that this is symptomatic of the deprofessionalisation of the development community over the last ten years, and the lack of emphasis on security and testing in today’s appdev world."

    What an ass. If you asked me, it is the utter contempt for security that everyone who ever has to deal with it has for it. Its ALWAYS "too hard" from a system management viewpoint or "too expensive" from a development standpoint. It has less to do with the "deprofessionalisation of the development community", and more to do with the fact that companies DONT WANT TO PAY for security development. Its an aspect of the product that you cant show anyone (see, my software is fending off attacks as we speak!), does not get customers to come out of their pocket for extra $$$. It is looked at as a "cost" of doing business, rather than the RIGHT way to do business. And when companies want to pay chickenshit for security, that is exactly what they get. Instead of slamming developers, how about slamming employers who put security about 100th on the list of things to accomplish in the product?

  22. dnicholas

    Apt quote

    "unable to comment further" as we haven't a fracking clue what's happened

    1. Ken Shabby

      Re: Apt quote

      They will probably get fueled again.

  23. JulieM Silver badge

    This is nothing new

    The "old skool" way of getting free bus transport involved a dot-matrix printer, a purple ribbon (wound by hand into the cartridge) and the hardest part: some cunningly-written software to emulate the font used by a Wayfarer mk2 or mk3. (The printer was a skip find, with no manual, and this was in the days before Google. I had to do a bit of reverse-engineering to get a handle on the control codes. Fortunately, the Amiga happened to have a driver for a similar enough printer; so I was able to create a specially contrived image in Deluxe Paint and use the hex dump mode of another printer to see what was going down the wires.)

    Every bus would display a "Know Your Ticket" poster explaining the meanings of each group of figures on the ticket (boarding stage, fare, single or return, vehicle number, route &c); making it easy to produce something that could be mistaken for a return ticket issued earlier that day at place you were going to. As for obtaining the blank paper with the bus company's logo up the middle, ends of rolls were easily scavenged from the "used tickets" bins -- or if you had access to a small and cute child, drivers would give away a full roll to encourage a future bus driver! Snap-off knife blades were easily modified to produce the correct cut pattern.

    Then the local bus company made it all even easier, by accepting returns after the date of issue and even in the "wrong" direction (e.g. if you got a lift home from town, you could use your return half for another journey back into town another day). Well, it would have been churlish not to.

    It all went great for our little "New Age Travel agency" -- until both the local bus companies swapped their dot-matrix ticket machines for thermal printing ones. They said officially that it was to do with Y2K, but we knew damn well that was not the full story.

    About this time, another bus company in a different city (that we sometimes visited) ran a "lucky serial number" promotion. The idea was, you handed in a ticket with the winning serial number in any shop that was a Travelcard agent, and it was worth £10. There were lots of little parades of shops all around the ring road, with a Travelcard agent among most of them; and all served by a frequent bus service in each direction.

    The plan would have been to print up a batch of "winning" tickets and a couple of Daysaver tickets valid for the day of the operation; then for a friend and me to catch the 11A (which went all the way around the ring road in an anticlockwise direction) and 11C (clockwise), getting off at every Travelcard agent around the route and redeeming one of the lucky tickets there; and eventually to meet up again exactly 180 degrees away from the starting point (or more probably, in the nearest pub. Clockwise is slightly further, of course, but traffic conditions and queues in shops would be the greatest confounding factor). At which point we could then head for home with the loot, in time -- maybe -- to catch our own exploits on the evening news. Or even head back into town and do a few more shops along the way, if we still had tickets left.

    I still wonder just how much we could have had out of that scam, if we had only had the stones to go through with it .....

  24. Anonymous Coward
    Anonymous Coward

    I’m curious to hear how Commentards would implement a mobile phone ticketing app.

    Would you require that the phone has a network connection at the point of use?

    Would you require that the bus ticket reader has a network connection?

    Would you require that tickets are pre-purchased? How soon would they expire?

    1. ElReg!comments!Pierre

      Pretty much like a real ticket; for single fare*, activation performed by external hardware containing the private key. Of course there's an associated cost, however small, so First had to try and dispense with the hardware.

      *for anything else, there's no real issue - besides the pervasive tracking of users, which companies insist is for our own good - because daily / monthly etc can be controlled by other means, for example a calendar.

    2. This post has been deleted by its author


      The main rule for cellphone apps is that you never store anything on the phone except a successful login token. So then yes, any transaction, like buying or using a ticket requires a connection. But that is no big deal because you are not going to do either of those often. Tickets can persist forever once stored on the server side.

    4. Solviva

      In Gothenburg, Sweden they introduced their app a few years ago. At the time you could buy (rent with refundable deposit) a reloadable travel card. You had the option to top it up in a shop or have it auto refill. Worked great, you just pop your card against the machine when you go on for most journeys, travelling further afield you just needed to pop it on a machine to check out.

      Journeys by this card were discounted compared to buying a cash ticket as you might expect. What you might not expect is journeys purchased in the app were the same as a cash ticket (not sure but I think they were actually more than a cash ticket=. Hence very low uptake on the app - plus you needed an active network connection for your whole journey as the ticket magically hides itself after a couple of minutes without connection.

      Solution? Bring the price of the app down to the price of the prepaid cards! Oh no, that would be too sensible, they actually brought the prepaid card journeys up to the price of the app. And removed the auto-refill ability.

      Before the app you could get SMS tickets where the format was fairly simple to deduce and the drivers had no way to verify the code was genuine, so quite easy to forge those if you were so inclined.

      These days you can freely get on without showing a ticket and the random controls are so rare it's not difficult to be a freeloader. I take the bike if I need to go in to town, infinitely faster and cheaper anyway.

    5. JulieM Silver badge

      Implementing Ticketing

      If you can rely on both the mobile phone and the bus ticket machine having a good Internet connection at all times, it's simple enough for the ticket just to be a random number. The ticket machine validates it by querying the bus company's servers; every random number actually issued will be a key into a database, the rest of the record indicating the journey details or "already spent".

      The difficulty is that you cannot rely on an Internet connection at the time of boarding -- but you equally cannot rely on the contents of the mobile phone being secure. So you have to assume that the ticket is susceptible to cloning. As long as the ticket is booked for a specific date, though, the risks are somewhat mitigated. And the thing you really want to guard against, is giving away the instructions to create any valid ticket from scratch. That's the real keys to the kingdom.

      Now, there has to be an Internet connection from the phone at the time of payment; so it would be entirely possible to receive a secret token at that time. And we can assume there is a way to transfer data to and from the bus ticket machines at the bus depôt. What I would do is send all the relevant data -- time of validity, route, boarding stage, fare and so forth; i.e., all the stuff you would need to know to produce a bus ticket -- to the bus company's servers along with the payment request; and if payment is successful, I get a hash computed from all that information plus some secret, which is shared -- under the bus company's control -- by a separate channel with the ticket machines on buses. (It can be stored in RAM and erased in the event of tampering; only a bus driver can reset it). The actual ticket contains the "cleartext" and the hash which can only possibly have been calculated by the bus company, since nobody else knows the pre-shared secret.

      The mobile phone just has to send the hash and the cleartext to the ticket machine somehow (over NFC, or by displaying something optically readable like a QR code). The ticket machine recalculates the hash by combining the cleartext with its own copy of the key, and indicates acceptance or otherwise.

      A hacker cannot make a ticket from scratch without knowing the bus company's secret which is used to create the hash. The only places that secret is kept are the ticket machines -- which you have to assume have some physical security measures in place -- and the bus company's servers. The most you can do is clone another valid ticket. There are some measures that the bus company can take to guard against this: a ticket machine that has already seen a ticket before can refuse to accept it again, so a whole group of people can't all travel at the same time for just one person's fare. And at the end of each day, if an impossible situation is noticed (such as the same ticket being used to board two buses going in different directions, from different stops, at such times as there was no way for someone to have got off the first bus in time to catch the second) the ticket serial numbers involved can be flagged up. There isn't much you can do about ordinary one-way and return tickets being cloned, but multiple copies of a weekly or season ticket are easily spotted. Out of n tickets, at least n-1 must be forged; and the owner of the nth one is probably in on the scam.

      It might well be possible, by means of a distributed effort, to determine the format of the cleartext portion of the ticket. But the intrinsic many-to-one mapping of a hash function makes it computationally expensive to brute-force the secret needed to calculate the hash.

      That's just off the top of my head. I'm sure there are problems I have not thought of, and look forward to the opportunity to learn where I went wrong.

  25. cbars

    What a fucking moron

    The post is required, and must contain letters.

  26. David Given

    British buses are embarrassing

    I live in Switzerland. Going back to the UK and trying to use public transport there always comes as a bit of a shock.

    In Switzerland, there are two big things which makes city public transport work (rural is different): firstly, tickets are valid for any form of transport in an entire zone for a particular duration, allowing unlimited travel within that zone, with a standard 'single' typically being valid for an hour, and 24-hour tickets costing exactly twice what a single does; and secondly, every single bus stop has a ticket vending machine.

    The first point means that in can get from point A to point B on a single ticket even if there isn't a direct bus there. I can choose any route I like, provided it's in the same zone, and I can mix and match buses, trams, trains or boats (Zurich has river buses). In the UK I need to buy individual tickets for every leg of the journey, which adds up very quickly. Plus, as a 24h ticket costs two singles, if I'm doing anything even slightly complicated I just get a 24h ticket, giving me unlimited travel, and then _never have to think about it_. That's surprisingly important (as anyone who's had to juggle return legs of multiple bus tickets in the UK knows).

    The second point means that I can buy my ticket before I travel rather than having to get them from the driver, with exact change, in the middle of a stressed queue in the rain. It allows the buses to move more quickly as they don't need to wait at the stop for as long. Swiss people are also pretty honest, and they don't bother to routinely check tickets, which also allows them to have multiple doors for rapid entry and exit.

    Every time I try to use UK public transport it just makes me feel like they're trying to actively discourage travellers...

    (The UK exception is London, where the Oystercard actually works pretty well. Do any other big UK cities have something similar? The only one I go to these days in Glasgow, which doesn't.)

    1. DontFeedTheTrolls

      Re: British buses are embarrassing

      Lothian Buses in Edinburgh are "getting there". They've just released Tap Tap Cap which allows you to buy a single adult ticket (£1.70) with a contactless card (or Apple/Android Pay), but is also capped at the DayTicket (£4.00) rate if you take three or more journeys in a day.

      As I say, it has just been released and it has teething problems. Can't buy anything other than an adult single (so don't bring your kids), and doesn't work with the Tram (which a paper DayTicket does). And some of the buses aren't always connected so the driver has to just wave you on.

    2. John Brown (no body) Silver badge

      Re: British buses are embarrassing

      "(The UK exception is London, where the Oystercard actually works pretty well. Do any other big UK cities have something similar? The only one I go to these days in Glasgow, which doesn't.)"

      Back when I was a kid, the new county of Tyne & Wear was invented. Part of that was the creation of the Tyne & Wear Passenger Transport Executive. All the local council bus services were transferred to it's control. Then the Tyne & Wear Metro system was built. Everything was intergrated, including the cross-Tyne Ferry. You could buy a ticket from anywhere to anywhere and change as required between bus, metro and ferry and the price was based on the zone boundaries crossed. Buses were generally timed to match with the Metro light rail system, especially at the main interchanges. It worked really well and prices were pretty reasonable. Then they privatised the buses and over a period of a few years, the buses no longer matched the Metro station arrival/departure times, the buses were dirty, the prices went up and the bus tickets and Metro tickets were no longer interchangeable.

      In recent years, they have come up with the new and wonderful idea of inventing integrated combination tickets which let you travel on the buses and the the Metro. Whoop-de-doo.

  27. Crisp

    Why isn't public transport free?

    It's subsidised anyway, so why not subsidise it all the way?

    It's ridiculous to have a public transport system that's as expensive to use as a car.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why isn't public transport free?

      Was well subsidised, not so much anymore with councils being starved of central funds.

    2. Ken Shabby

      Re: Why isn't public transport free?

      They are working on that, they'll make cars more expensive.

    3. James Hughes 1

      Re: Why isn't public transport free?

      Our Parish Council of a very rural village looked in to this. Would cost about £5000 year to put on a bus service to take villagers in to the nearest town, once a week. Given the PC's total income is £8000/year, it's simply not cost effective for the 10 people who would use it. The money would need to come from taxation at a countrywide level, not precept at a local level.


    The only way to seriously reduce global warming is with free mass transit. Pay for it will carbon taxes on gasoline. But anyone writing an app that puts its security on the client side, is totally incompetent. Only the server side is secure and persistent.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon