Northern Train's ticketing system out to lunch as ransomware attack shuts down servers

Publicly owned rail operator Northern Trains has an excuse somewhat more technical than "leaves on the line" for its latest service disruption: a ransomware attack that has left its self-service ticketing booths out for the count. "Last week we experienced technical difficulties with our self-service ticket machines, which …

  1. Version 1.0 Silver badge
    Unhappy

    A quick fix

    We see ransomware and related attacks everywhere - but before the internet existed they were completely non-existent. We can fix this by returning to the original systems that were very reliable ... e.g. a station-master and a couple of employees who sell you a ticket and check them when people get off the train. All the changes that have been made to the way the world works were claimed to improve service and save money but they have resulted in more people unemployed, ransomware becoming very efficient, and insecure systems everywhere.

    1. AMBxx Silver badge

      Re: A quick fix

      I remember them well. Queuing to buy a ticket. If you wanted to buy in advance, you had to go to the station. Planning a route involved going to the station, queuing and asking for help.

      PS Unemployment is much lower these days.

      1. martinusher Silver badge

        Re: A quick fix

        Actually, you just walked up to the window and bought a ticket. You didn't have to 'plan a route', 'book in advance' or specify a train or all the other 101 things that people have to do to travel on non-suburban trains. Since the process was straightforward if there was a queue then it would move quickly. Ticket selling is also easy to automate -- I don't think I've bought an Underground ticket F2F, for example, because they have been sold from slot machines since at least the 1950s.

        The issues with malware stem from two fundamental causes. One is putting systems on the public Internet that don't belong there. The other is using an operating environment that's notorious for being hacked. Both are easily fixed.

        1. stungebag

          Re: A quick fix

          You clearly missed those days when it took 20-30 minutes to get to the front of the ticket queue because you'd forgotten that it was Monday, so season ticket day, so you missed your train. And you'd get no sympathy from barrier staff if you tried to talk your way onto the platform without a ticket.

          As to 'the process was straightforward', that's just bollocks. In every ticket queue there was someone who wanted to travel to Southampton via Maidstone and Redditch, returning two days later with an overnight stop in LlanfairPG, who wanted to take their dog and a box of racing pigeons with them. "Oh, that's expensive. What if I travelled on Thursday instead and returned via Luxulyan?"

          These and the frequent far simpler enquiries ("what's the best train to get me to Reading by 11:30 tomorrow?") were all dealt with by good subject knowledge, if you had an experienced booking clerk, and mounds of thick volumes (plus loose-leaf updates) containing times, routes, fares and restrictions.

          Straightforward? Pah.

          1. Martin an gof Silver badge

            Re: A quick fix

            It can still be quicker and easier to buy a ticket at a window, certainly rather than at a machine. Build in a little time for queueing, but on more than one occasion I've had the bloke behind the counter (and it is usually a bloke at my local station) say, "oh, that doesn't look right, hang on, let me try some other options" when the automated system offers up its first choice - the same choice you'd get at the machine, and likely the same choice you would be offered on the website.

            Then he'll remember to check if we have the family railcard (or whatever), offer to update it first if it's expired, all kinds of things like that, and (for certain routes) remind you to sit in the front two carriages as the train splits at Crewe (not done that kind of journey for some time though).

            On the subject of railcards, the machine at our station (I've no idea about other ones) just takes it on trust that if you can find the little button that says "I have a railcard", you actually do. Of course, when they do check tickets on the train they expect to see a valid railcard too. Escaped this once because I went to a ticket window (not at our local station) and the lady behind the counter noticed the railcard was about three days out of date, so we bought a new one.

            M.

            1. Muscleguy

              Re: A quick fix

              Trains from Glasgow towards Dundee often split at Perth with two carriages proceeding north towards Inverness. They do warn you well in advance though.

          2. Stuart Castle Silver badge

            Re: A quick fix

            Ahh, the old days. I remember season ticket days, particularly the first few days after new year, when you could pretty much guarantee that the queue for the one ticket window in my local station would snake to the other end of the station, then out the door and half way up the road outside. You could be queuing for a couple of hours.

            On a related note, I remember when I was a student, I was just buying a ticket home from one of my lectures. There was, as always, a queue at the window. When I got near the window, the guy in front of me actually did ask the person to sell him a ticket that would get him from Land's End to John o' Groats, and to list every step of the journey. I was there for over half an hour while the Customer Service person was looking up various trains.

    2. Anonymous Coward

      Re: a station-master and a couple of employees

      ah, but what about the executives' BONUSES?!

      1. Anonymous Coward

        Re: a station-master and a couple of employees

        well, I'm sure all those savings have gone towards cheaper train fares and more reliable infrastructure, what else?

    3. AW-S

      Re: A quick fix

      "You're wasting your time"*

      *Will Hay fans will get this.

  2. Warm Braw

    Ransomware

    As someone who used to travel regularly on Northern Trains, I'm not sure I'd notice much difference either in my pocket or in the quality of service.

  3. wolfetone Silver badge
    Holmes

    One Needs To Ask

    How important are Northern Trains to the UK's infrastructure to be targeted like this?

    1. Sandtitz Silver badge

      Re: One Needs To Ask

      How important are Northern Trains to the UK's infrastructure to be targeted like this?

      It doesn't have to be targeted at all. Could be a fully or semi-automated process, such as:

      - Malware such as Cryptolocker is mass mailed to millions and someone at Flowbird/NT managed to execute the malware.

      - All the public IPs are constantly scanned and a vulnerability in a (web)server / router / firewall has allowed the malware installation. Due to poor security practices the vulnerable machine has managed to infect other systems, the backend servers or even those ticket vending machines.

      The railway infrastructure is not affected at all, NT just couldn't sell tickets.

    2. the hatter

      Re: One Needs To Ask

      Most ransomware isn't targeted, they simply hit any and all machines they can find a way into. Then data on the size of the target organisation, probably based on both what the software says it sees and what google says about the identified org, is used to give them a price to pay.

  4. devin3782

    Chaos reigns within, reflect, restore, reboot.

  5. Steve Kerr
    Coat

    Makes a change

    Normally it's their passengers, sorry "customers" that are normally held to ransom

  6. MJI Silver badge

    Conductors?

    Wow on train orchestras.

    BR never had those!

    1. katrinab Silver badge
      Meh

      Re: Conductors?

      The buses had conductors. The trains I think had guards.

      1. Allan George Dyer
        Joke

        Re: Conductors?

        because the buses were electric, and the guards were introduced to stop the trains being stolen.

        - from my new book, "Inaccurate Transport History Facts"

    2. Steve K

      Re: Conductors?

      They certainly have my symphony here

    3. Dabooka

      Re: Conductors?

      I believe nowadays we have 'Train Managers'

      Still no catering on the Trans Pennine routes (at least last time I had the pleasure of using one), but we have a manager.

      1. DJV Silver badge

        Re: Managers?

        But what do the managers manage?

        Apart from passenger customer disappointment, though I suspect they don't manage to manage that either, but only manage to magnify it.

        1. katrinab Silver badge
          Boffin

          Re: Managers?

          They manage the opening and closing of the doors at stations.

  7. Anonymous Coward

    poor performance from the previous franchise holder gave the government cause to step in

    from here on, it can only get better! Oh, wait!

    1. Anonymous Coward

      Re: poor performance from the previous franchise holder gave the government cause to step in

      The flowbird ticket machine “upgrade” was a project inherited by the government from the failed franchisee when they took over Northern last year.

  8. Anonymous Coward

    They should leave them switched off.

    Nothing much of value was lost. The flowbird machines are absolutely useless in direct sunlight as their giant screens become completely illegible. Many have been placed out in the open with no shade so are unusable for large parts of the day, especially in summer.

    If you overcome that barrier you have to deal with the software, which is slow, crashes often, and is generally a huge downgrade from the previous system. I no longer attempt to buy a ticket from them if my train is arriving within the next 10 minutes as the risk of me missing it because I’m waiting for the machine is too high. Faults in the machines are so common I’ve never been challenged when I buy a ticket from a conductor or from a staffed kiosk at the other end.

    1. Anonymous Coward

      Re: They should leave them switched off.

      99% of the time, I buy the same ticket.

      If I was designing a ticket machine, I'd let it insert my payment card (or contactless) first, then have a big flashing button at the top that let me buy the same ticket again.

      Although I'd miss the sighing from the queue building up behind me as I stab randomly at buttons to type the first few characters of my destination without getting the alignment of my finger and the soft buttons on the screen wrong, finding the backspace, selecting a train, selecting the right ticket, forgetting to add the appropriate railcard, going back to the ticket type screen again, and then paying and wondering if I should wash my hands afterwards.

      Or the thrill of wondering if I'll miss my train when I'm stuck in the queue behind the rare someone with even less of a clue than me!

  9. yetanotheraoc Silver badge

    Are they not selling tickets?

    "Customer and payment data has not been compromised."

    I don't think they know how ransomware works. Usually it's two attacks in one.

  10. sebacoustic
    FAIL

    Ticketing machines

    why is it that when i travel to Taiwan and take a local train, I can get a ticket out of the decades-old low-tech machine in under 30 seconds but Northern's fancy touchscreen machines take about a minute and a half if you're lucky?

    Hint: the machine in Taiwan has lots of physical buttons. a few are blinking: adult single, return, .... so i push "adult single".

    A grid of buttons illuminates with the destinations. Even though the names are sorted by their Chinese names and not alphabetically, I find my destination (Xinzhuang) with a brief systematic search.

    The coin slot blinks and a 7-segment display tells me how much cash to insert (not a lot of course).

    A tiny ticket is issued, replete with magnetic strip, about 1/5 of the area of a credit card.

    BLISS.

    Coming home to Manchester Airport. 5 touchscreen machines, 4 out of order, about 10 people queuing. Ah well, i guess I'll miss the next train.

    1. sanmigueelbeer

      Re: Ticketing machines

      This is an excellent case of "If it ain't broke ...".

  11. Lil Endian Silver badge

    Customer and payment data has not been compromised...

    "Customer and payment data has not been compromised." Yet!

    How can you know those systems have not been compromised prior to a further attack?

    Okay, I don't know their network infrastructure (as in data, not rail!). But I'd not be surprised if it was possible to move laterally between them (Flowbird/NT) somehow. Do they (Flowbird) email Finance (NT) with accounting details? Unlikely.

    Malicious Actor: Softly, softly, catchee monkey...

    Yes, we know there are good and bad infrastructure practices. Which were deployed?

  12. Dr Scrum Master
    Headmaster

    Northern Train's ticketing system

    It's certainly been quite some years since I travelled by train in t' North, but I'm sure there was more than one train operating.

    1. David 132 Silver badge

      Re: Northern Train's ticketing system

      Indeed. Contrary to what the KLF averred, it's not grim up North. I used to regularly get the train between York and Chester/Liverpool - clean, punctual, friendly staff, no problems.

    2. MJI Silver badge

      Re: Northern Train's ticketing system

      Northern trains, over a few trips done, simply bought tickets from ticket offices

      Many many years for me. WCML 87 and Mark 3s, then push pull 47 to Edinburgh, and a Deltic to London. HST home.

      Other trips were railtours over the S&C.

      I see they did have those 4w railbuses.

      I think I prefer the 60s 70s 80s trains.

  13. Missing Semicolon Silver badge

    Surprisingly cheap.

    621 machines, £17m. That's about £30k each (which includes a share of the back-end, and comms infrastructure). Actually not bad.

    You can bet that had Northern Railway commissioned this, it would have been about 10 times as much.

    1. stungebag

      Re: Surprisingly cheap.

      If you're referring to the Arriva franchise that had it taken away in 2018 then they DID commission it in 2016.

  14. Missing Semicolon Silver badge
    Boffin

    Shockingly bad design

    Any one of the usual commentards here would have come up with an arrangement that involved the ticket machines being on a VPN connecting them to the central server, with a separate link to the web front-end and the account management. So the actual ticket machine network would have been nowhere near the internet (even though the data is carried over it). So that means that either this isn't the case - they were relying on secure authentication of machines to server over the open internet, or the web front-end is on the same network as the machines. Ouch.

    However, it could be worse. The network could be secure, but Network Railway's network has been compromised, and the ticket machines are the visible part of a wider infection.

    1. David 132 Silver badge

      Re: Shockingly bad design

      Honestly, my first thought when I read this was, "I bet they left a USB port accessible on the machines". Nooooo. They wouldn't do that, that would be a n00b mistake, surely?

    2. stungebag

      Re: Shockingly bad design

      I love the way that El Reg commentards (not just Missing) can fill in the blanks and tell us exactly how a compromise occurred, diagnose the root cause then advise on ways to stop it happening again in just a few seconds.

      You realise you're wasted in your current jobs?

      1. Missing Semicolon Silver badge

        Re: Shockingly bad design

        You say that, but across the various massive SNAFUs reported in this august publication, failing to do the bloomin' obvious seems to feature highly. Doing things badly/cheaply/dangerously is often caused by management pressure to get stuff out the door. Sometimes it's inexperience of the developers. Only occasionally is it "advanced nation-state actors deploying highly specialised tools".

  15. Anonymous Coward
    Mushroom

    Current state of play.

    Northern Rail reported this on Saturday evening as system down. I envisage this as no secure backups and no fallback position also known as DRP. As of Tuesday all the screens were blank. I travelled on Tuesday and every station had a blank screen. When they were implementing these kiosks it filled me with dread. It seems they just papered over the cracks and carried on. Hewlett Packard says it takes at least 3 days for a full take down and rebuild to restore a system. I know this because I have done this, twice. I would not hold your breath as this will rumble for a lot longer than 3 days.

  16. autopoiesis

    witless overcomplication

    Planned one-way from London to Derby during last trip to blighty. Looked on internet the night before, and there were almost *two dozen* ticket options, ranging (IIRC) from anytime/refundable/reserved-seat 1st Class at £Loads to off-hours/no dog/refunds/etc at ~£Loads/4 (about £50 IIRC). Unsure what time I'd be leaving, I decided to buy at KK/St Pancras the following day.

    There I was told that the £50 option could no longer be bought - that was an internet-only previous-day special deal, so I'd have to pay £70+(!).

    The return ticket was only £3 extra (WTF?), so I bought that, later leaving the return half on the ticket machine at Derby station for someone else. Petty I know but £3 well spent, just for the spite.

    Here at home (in CH), returns are twice the price of singles, reduced prices (kids/OAPs/etc) are 50%; you can get a 50% card (about £250 for two years) that applies to pretty much everything (trains, tubes, boats, buses, even some cable cars). Trains are clean, have toilets, mostly run on time, etc.

    What you'd expect, basically.

    Funnily, the trains here drive on the left; I'm told (unconfirmed) that's because the first lines were UK designed and equipped with British-built signalling and other gear.

    No, CFF has not been privatised, silly!

    1. Korev Silver badge

      Re: witless overcomplication

      Even some of the smaller lines here which are owned by small companies have integrated ticketing with the rest of the network (and other forms of public transport). Whenever I go back to the UK the lack of integration really irritates me.

    2. Lil Endian Silver badge

      Re: witless overcomplication

      Yeah, the UK is home of the railway - and the operators couldn't organise a piss-up in a buffet car.

      I miss living in Belgium. Fares here (UK) are easily 10x more than BE for comparable journeys.

      There was talk of NMBS/SNCB (BE rail) being privatised, and most people I spoke to thought it was a good idea. They have no idea how shite that would be for them. (AFAIK it's still a public service.)
