23 events
when | what | by | license | comment
May 7, 2019 at 23:33 comment added cjs "...are you really arguing that "beware of dog sign" without a dog is not security theatre?" @Voo Yes, that is precisely what I'm arguing (unless it's a really expensive "Beware of dog" sign). Please re-read this answer again carefully. To see how effective this DB security measure is, I suggest you actually perform the attack yourself (staying short of actually getting on a train without a ticket) on a standard Android install and carefully document everything you had to do, how long it took and what knowledge you needed to do it.
May 7, 2019 at 16:32 comment added Aaron F @CurtJ.Sampson I cannot. My German is very basic, and also I wouldn't know where to even start looking (German hacking forums or IRC channels?) A quick search returns source code for such an app, though the less technically inclined might first try a generic overlay app from Play Store.
May 7, 2019 at 15:18 comment added Voo @Curt Luckily I don't have to be an experienced developer to simply double click on an apk. Hell Fortnite which has millions of android users (which I'm going out on a limb and claim are not all experienced android developers) requires exactly the same steps. (also are you really arguing that "beware of dog sign" without a dog is not security theatre?)
May 7, 2019 at 2:11 comment added cjs @JohnDvorak Actually, my arguments do not rest completely on DB doing an effective implementation of the apparent security measures. Even measures that just appear to exist can deter attackers, in the same way a "Beware of Dog" sign will prevent some attackers even if there is no dog. For all we know, even were the two minute timer always ignored by all conductors, that people can see it and know that it could be implemented properly will have some deterrent effect.
May 7, 2019 at 2:07 comment added cjs @reirab If you read my analysis carefully, you'll note I don't limit consideration to people who aren't experienced app developers (and don't limit it to developers in Germany, either). But it makes a huge difference whether 50% of the passengers or 0.05% of the passengers have the technical capability to make that app. You don't leave your house unlocked just because there are some people out there capable of picking the locks, do you?
May 6, 2019 at 18:27 comment added reirab @CurtJ.Sampson Why limit consideration to people who aren't experienced app developers? Surely Germany has thousands upon thousands of experienced app developers.
May 6, 2019 at 16:46 comment added John Dvorak Your arguments towards difficulty assume that DB did a decent job building the app and that they care about frauds. However I do know that in China, there is a town that mandates their citizens have a certain app installed on their phones. An app that reports the complete state of the phone to the authorities. That app uses plain-text communication. Not a custom-built encryption, not HTTPS with baked-in certs, not even self-signed HTTPS. Not even a binary file. Plain text.
May 6, 2019 at 13:14 comment added cjs @AaronF I'm a developer who has even built a (very simple) Android app, and what you describe is decidedly not trivial for people who are not experienced mobile app developers. You may imagine that this was already done on day one, but do you have any evidence of this? (E.g., can you point to a copy of a program that does this, along with installation instructions?)
May 6, 2019 at 8:35 comment added Aaron F Creating and sharing a screen overlay app is trivial. 1. Search Stack Overflow. 2. Write a tiny little app which displays 02:00. 3. Build an APK and share it with your friends. I imagine this was done on day 1.
May 6, 2019 at 1:13 comment added cjs It doesn't matter whether you've actually purchased the ticket through the app; if it was purchased via other means you still have the security problem of making sure that only the correct person/account using the app can display that ticket. If anybody using the app can display any ticket, someone who didn't purchase a ticket could simply display someone else's ticket, thus "stealing" it.
May 5, 2019 at 23:26 comment added Michael Homer My original objection was to this passage, which still appears completely unjustified: "Writing such an app is significantly difficult; it involves not only having the skill to duplicate the app itself, but also overcoming any security measures protecting the original app (such as being able to extract any necessary keys from it necessary to instruct the DB servers to purchase a ticket)." It's just absurd to insist that this application would need to buy the ticket itself in order to imply that a passable fake is "significantly difficult". There are other actually valid points in the answer.
May 5, 2019 at 17:52 comment added minseong It's admittedly tricky to re-write the whole app. It's not tricky to put a graphical element on the screen showing "2:00".
May 5, 2019 at 10:27 comment added cjs Do they always scan the barcode, or do conductors sometimes just glance at the screen because it's faster? If the latter, the timer still serves a verification purpose (though obviously not as strong as checking the barcode against sales records on the server). Also, even if they always do check the barcode when they check a ticket, simply making it more clear that certain security systems are in place may deter attackers, much like an audible alarm that may convince a burglar to leave immediately upon hearing it, whether or not anybody responds to it.
May 5, 2019 at 10:24 history edited cjs CC BY-SA 4.0
Try a less heavy-handed clarification that I do understand that an attacker's app could be shared
May 5, 2019 at 10:16 history edited cjs CC BY-SA 4.0
More emphasis on writing the fake app not being the only thing an attacker needs to do
May 5, 2019 at 7:08 comment added sweber Finally, the Barcode reveals if a ticket is just a minute old, and no further information is necessary. Having no valid paper ticket already leads to long discussions. Now, imagine the discussion when the passenger has a technically valid ticket, and the conductor insists it was bought just a minute ago. The timer ends this immediately. I also guess that most passengers would not use any fraud app - but would try to buy a ticket when they spot the conductor.
May 5, 2019 at 6:56 comment added Zach Lipton Pretty much every remotely competent transit ticket app has some kind of dynamic design element to defeat screenshots (since tickets are often checked visually without using a barcode scanner) including animations or something you tap to make the display change colors. It doesn't have to be perfect, just something that deters people from trying to trick the process with a screenshot.
May 5, 2019 at 6:07 comment added dunni If the timer reached 2 minutes, it starts blinking. Forgot to mention this in my answer. So a screenshot will not work.
May 5, 2019 at 6:03 comment added Michael Homer Isn’t all you need a screenshot of the ticket from the legitimate application, and to draw a new timer box over it? I don’t see why the application would need to talk to the DB servers at all, from what’s presented here.
May 5, 2019 at 5:54 comment added JonathanReez Or perhaps there is already a timestamp and the timer is just for the convenience of the user?
May 5, 2019 at 5:51 comment added JonathanReez "Writing such an app is significantly difficult" -> only 1 person has to do this, after which tens of thousands could use it. Is there a reason why they couldn't just encode a timestamp within the ticket itself? You would not be able to fake the timestamp, presuming the entire ticket is signed.
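The design JonathanReez sketches above (purchase time carried inside the signed ticket, so a fake timer buys the attacker nothing once the barcode is scanned) as an added, self-contained example that is not part of this thread and not DB's code. It assumes a symmetric HMAC key shared between the issuing server and the conductor's scanner purely for brevity; a real deployment would use an asymmetric signature so that scanners hold only a public verification key. All ticket data and the key are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key. A production issuer keeps its signing key server-side
# (or signs with a private key and ships only the public key to scanners).
ISSUER_KEY = b"demo-issuer-key-not-for-production"

MIN_AGE_S = 120  # the "two minute" policy discussed in the thread


def _sign(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()


def issue_ticket(ticket_id: str, holder: str, purchased_at: int) -> str:
    """Encode a ticket whose purchase time is part of the signed payload.

    Token layout: base64url(payload) "." base64url(HMAC-SHA256(payload)).
    """
    payload = json.dumps(
        {"id": ticket_id, "holder": holder, "purchased_at": purchased_at},
        sort_keys=True,
        separators=(",", ":"),
    ).encode()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(_sign(payload)).decode()
    )


def verify_ticket(token: str, now: int, min_age_s: int = MIN_AGE_S) -> dict:
    """Scanner-side check: authenticate the token, then judge the purchase age.

    The age is computed from the signed timestamp, not from anything the
    phone's display shows, so an overlay drawing "02:00" is irrelevant here.
    """
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return {"valid": False, "reason": "malformed"}
    if not hmac.compare_digest(sig, _sign(payload)):
        return {"valid": False, "reason": "bad signature"}
    data = json.loads(payload)
    age = now - data["purchased_at"]
    if age < 0:
        # Scanner clock behind the issuer, or a tampered (but validly signed) time.
        return {"valid": False, "reason": "purchased in the future", "age_s": age}
    return {"valid": True, "ticket": data, "age_s": age, "old_enough": age >= min_age_s}


def tamper_timestamp(token: str, new_purchased_at: int) -> str:
    """Rewrite the embedded purchase time without the issuer key.

    Used only to show that the scanner rejects the edited token: the old
    signature no longer matches the modified payload.
    """
    payload_b64, sig_b64 = token.split(".")
    data = json.loads(base64.urlsafe_b64decode(payload_b64))
    data["purchased_at"] = new_purchased_at
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig_b64


if __name__ == "__main__":
    bought = 1_000_000  # constructed epoch time of purchase
    token = issue_ticket("T-0001", "demo-holder", bought)
    print(verify_ticket(token, bought + 60))    # valid, but not old enough
    print(verify_ticket(token, bought + 200))   # valid and old enough
    print(verify_ticket(tamper_timestamp(token, bought - 3600), bought + 60))  # bad signature
```

The point of the example is where the age check lives: the scanner derives it from a timestamp the issuer signed, so neither a screenshot nor an overlay app can change the verdict, and a ticket edited to look older fails the signature check outright.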
May 5, 2019 at 5:30 review First posts (May 5, 2019 at 6:24)
May 5, 2019 at 5:25 history answered cjs CC BY-SA 4.0