Fake rail tickets are being sold at a fraction of their real price on the dark web and then used at UK rail stations.
Is this a one-off, or the start of a new form of fraud?
Late last year, a team at the BBC bought a first-class ticket from Hastings to Manchester and a monthly ticket between Gatwick Airport and London; nothing remarkable about that, at first glance.
However, these tickets were not purchased online, via an app, or in person at a ticket office. Rather, they were sourced on the dark web — the hidden part of the internet that flourishes with illegal trade of weapons, drugs and stolen credit cards, among other things.
These tickets were used up to 12 times by the BBC, although because of differences in the magnetic stripe they were unable to pass through ticket barriers and had to ask station staff to let them through.
After this revelation, the group selling the tickets said in a statement: “The train companies keep stuffing their pockets with public subsidies while treating the operation of rail services as an inconvenience.
“We wish one day everyone will be able to use an affordable public service. Until then, we will be providing it.”
This “public service” consisted of a discount on fares, with the first class ticket to Manchester sold at £111, rather than £285, and the monthly Gatwick ticket available for just £100, a large saving on the retail price of £308.
The dark web and rail
The dark web has long worried security officials and cybercrime specialists, but this diversification into new markets creates unwelcome questions for the rail sector.
It has long been accepted that fraud does take place on the railways. Take just one example from March 2015, when it was revealed a man had been travelling first-class with tickets he printed in his home.
However, the emergence of the dark web changes the game. Andres Baravalle is a researcher at the University of East London. He and colleague Sin Wee Lee have spent years investigating dark web retail and recently have found an increasing number of rail tickets on sale.
Says Dr Lee: “At the time of our first look, in 2015, they did not feature at all.”
Their research shows that, as of January, there was one seller on the dark web’s largest market place, with 36 transactions in 12 months.
This includes single tickets and travel passes — “it’s an escrow sale, meaning that the funds are held in a third party provider and released only if the goods are received,” explains Baravalle, who adds that the main currency is bitcoin.
For rail, there’s consensus that it is paper tickets that are most vulnerable. But just how common is fraud?
Fighting the crime
“Fare dodgers deprive the railway of about £200m every year,” says a spokesperson for the Rail Delivery Group, which represents train operating companies. “Being in possession of a forged ticket is a criminal offence and risks a hefty fine or prison sentence.”
When asked to comment, the Department for Transport said in a terse statement: “Train ticket fraud is illegal. People caught with forged tickets can be jailed.”
As online and mobile tickets grow, so does the importance of cyber-crime units. However, Simon Goodale, business development director at Tixserve, is critical of some of the mobile apps on offer.
“What has happened in the move to mobile so far?” he asks. “Well, they’ve taken the existing world of paper tickets – a barcode – and put it onto an app. These can be very un-sophisticated.
“The consumer demand… everything is on mobile and so people are designing mobile solutions but that opens up a broader area to be targeted by the fraudsters,” says Goodale.
Tixserve, which delivers secure digital tickets to customers on behalf of ticket sellers, has spent two and a half years developing new technology to combat fraud. As of the end of 2016, however, Tixserve is not actively working with any rail operators, although Goodale is keen to stress that they are working hard to change that.
Goodale describes their technology – first developed for live events before the company decided to try their hand at transport – as a “wallet” that stores the ticket.
“The ticket itself has a number of security features built in, for example a geo-fence, so the ticket can only become ‘live’ either time based or within a certain radius [to a station], say 100 metres.” he adds.
What Goodale and his colleagues have tried to create is something that can track a ticket, from its inception to point of use. On some levels, this is similar to how Oyster cards and contactless payments work.
Banking-level security for rail?
Since launching in 2003, Oyster has changed how people get around London. It has removed the need to buy paper tickets, instead giving passengers the choice to continuously top-up one card.
“Part of the motive [for Oyster] was to do with fares policy,” explains Mike Tuckett, Transport for London’s (TfL) head of transformation delivery. “But we were aware at the time that the security around magnetic stripe [paper] tickets was, frankly, extremely low. The cryptography you get on an Oyster card is in a different ballpark.”
Nonetheless, Oyster cards have been cloned. In 2008 researchers from Holland discovered a fault in the system whereby they were able to use a card reading unit to gather the cryptographic data stored on the card. Tuckett insists improvements have been made: “Since 2010, we’ve upgraded the technology behind the card, whereas the ones that were compromised used an older system.”
There’s also the fact that TfL, through its back-office monitoring, can see if a cloned card is being used. “As soon as our systems see two cards with the same number being used, we can close that down,” says Malcolm Woolston, payment operations manager at TfL.
As for contactless payments, TfL acts as any other merchant does when accepting bank cards. “Essentially… [you] piggyback with the high level of security that is demanded by the payments industry,” states Tuckett.
But, are Oyster cards available on the dark web? There’s no research to suggest they are, although Woolston believes “it’s not the sale of the card that is the issue”. He continues: “If someone is selling cards on the dark web… that’s fine, in a sense. But as soon as you put a product on it [money], our systems will see it.
“Paper tickets are an obvious product of choice to clone and counterfeit, [as] the only way of finding them is if it’s a poor copy and staff see it. With Oyster, the system does that for you.”
One does wonder if the rise of the dark web as a new market place for rail tickets is down to frustration with higher prices or simply the opportunities created by an ever-growing network of dubious ‘businessmen’ who use the backwaters of the internet to hide their illegality.