On the Florida Turnpike it was always too expensive for many students when they traveled up and down the state.<p>It was bad enough having captive service stations and restaurants for overpriced products, but the toll was and still is ridiculous too, considering it was agreed there would be no toll after the construction was paid for, And it was well paid for decades ago.<p>Anyway there were only very few exits and they were mostly rural until you got to South Florida where you could get off and on every few miles. The captive service stations needeed to be built at the same time as the Turnpike or everybody would run out of gas back then.<p>Except Orlando which was a very small city before Disney came in, but their gas stations were still closed late at night and on Sunday.<p>Tickets were reverse engineered in a completely analog way.<p>The "main entrance" to the Turnpike coming south was out in the middle of nowhere where the I-75 freeway keeps going to Tampa but you smoothly get over to the main gates of the Turnpike if you want to head down to Miami instead. You would just breeze on through and pick up a ticket at the northernmost gate, and the further you traveled south, the more toll you would have to pay when you got off.<p>Students would get off of I-75 avoiding the Turnpike and drive on the rural roads about a half-hour until you get to the next Turnpike entrance and pick up a (very valuable) ticket there instead of at the main entrance to the north.<p>As you got down toward the Palm Beach area, where the northbounders and southbounders still shared the gas stations and restaurants in the central plazas, many northbound travelers would willingly trade tickets from wherever they got on in South Florida for one which will only cost them as much as if they got on at the very last chance before hitting the northernmost exit.<p>Northbounders would then get off right where they were going to anyway, one exit away from where we got on, and we would get off one exit away from where they got on, and everybody came out ahead, paying the minimum tolls possible.<p>It took a long time before any toll-takers started looking at the tickets and asking "why did it take 6 hours to only go one exit?"
During the COVID outbreak, my public transit provider began to neglect their fareboxes (partly because everyone was boarding in the rear and didn't bother to pay fares anyway.)<p>I noticed that the boxes were still broken and unmaintained. I put 2 and 2 together and realized that a mobile "upgrade" was coming soon, so I kept my eyes out. And sure enough, I got myself invited to participate in the pilot project with the upgraded app.<p>The deadlines slipped twice but the pilot began in mid-January. So far I have not had glitches with scanning or boarding. But let me tell you.<p>There are disclaimers in the FAQ. Since the mobile passes are QR-based and not NFC, they absolutely require WAN connectivity on both sides in order to activate a pass. My initial testing indicated that a loss of connectivity will not invalidate an active pass, because it's endowed with a built-in expiration countdown. But we shall see.<p>The FAQ also says straight out, of course, that the customer must keep the phone charged in order to use the pass. Of course it goes without saying that your phone must be functional in order to scan the thing. So that's a whole tech stack that could go awry and strand you if you don't take precautions.<p>Hey, this may reduce fraud and friction at the farebox. I don't know. Many people will love not having another thing to lose or the convenience of purchasing passes without going somewhere (they cost way more on board a bus.) But the Luddite in me doesn't want this. I'd much rather carry around an old reliable paper-based pass, and I will go back to that for as long as I can get away with it.<p>But I won't turn down a $75 gift card to play along with the pilot test.
> Nowadays, the industry would very much like you to ditch your paper ticket in favour of a fancy mobile barcode one (or an ITSO smartcard2); not only do they not have to spend money on printing tickets but they also gain the ability to more precisely track the ticket’s usage across the network and minimise fraud.<p>And unsurprisingly only a subset of tickets are available on the apps. Therefore the government gets its “fare simplification” it’s so badly wanted, through the back door, in a sense, the harder it pushes mobile tickets<p>Eg rover tickets are not on the ticketing apps. These can be excellent value.<p>Edit: also the government very recently announced [0] they are to scrap return fares. This will without a shadow of doubt increase prices for a great many journeys.<p>[0] <a href="https://www.railforums.co.uk/threads/end-of-the-line-for-return-rail-tickets.242970/" rel="nofollow">https://www.railforums.co.uk/threads/end-of-the-line-for-ret...</a>
They invented a clever decentralized system based on public key cryptography, but it seems like they actually need centralized features. So they bolted some on, leaving an end result worse off than if they'd started with something simple and centralized.<p>For example, you can ask any UK rail operator to book you a trip that includes sections run by other operators. So your purchase needs to be fed through a centralized revenue-splitting system (called LENNON iirc) anyway.<p>Then they got the feature request that you should be able to book specific seats and someone else shouldn't be able to book the same seat, and so on. This just can't be decentralized.<p>This setup does have the advantage that they can check tickets without needing a network connection, but I'd guess there would be simpler ways to add that to a centralized system.
This reminds me of the time when I was a college student in Massachusetts and would always try to reverse-engineer the Massachusetts Bay Transportation Authority tickets, powered by JustRide (oh! Just noticed it's the same company as in the article)<p>Unfortunately, my skills weren't quite there at that point in my life, and I no longer live in Massachusetts, but this was an incredible read regardless and I feel at least a bit of closure now :)<p>The MBTA tickets had an option of color bars (so the conductors could just visually check if all of them match throughout all the passengers) and a QR option, so I would always try to figure out how it generates those colors, as the tickets had to be able to function offline, and as the tickets all showed the same colors regardless of passenger, they certainly weren't unique per-purchase nor used any user-unique info (though they may have been unique per-train-route).<p>I should take another look at it with this article as a resource.
Last Covid, I did the same reverse engineering our government's Covid app and found out that the API keys (public and private) were hardcoded in the source code. Never got any response.<p>Edit: Emphasized public and private keys
The photo of a UK train ticket is very interesting. Reading Green Park station isn't yet open, AFAIK: <a href="https://www.nationalrail.co.uk/stations/RGP/details.html" rel="nofollow">https://www.nationalrail.co.uk/stations/RGP/details.html</a>
Coincidentally I started scanning Sao Paulo metro ticket QR codes (if someone feels like reversing it)<p><q:01> s:196;u:296101284;i:14;c:JP4igg/YIyk03lYqnVcjFCQjDldUc7Th82Gjppb89S8I0vlCNIAYpzBgUESmeKmaaf2BHvlkuyd3opXXwEWsujuGqqakb09xrYWVlBeqY97qfwE1bynzs9FbGmG6HxnVmpM6AHROTBZa08ti/0KiR1oyKpZkrucBE9dJsJtz0qg=;x:49;<p><q:01> s:196;u:297172367;i:14;c:pirqKynzF6wa7ttQJRtw8B5SfcQiWL5psEwju5OVjxLwG7hZKgJsii381A0l9hzcxsebxUJrK6Z1ZX22ILd/AMYOSx2DuQ2OHqrP5r8sNuVfMATrYOTbcioISrn/dBLN1vaQxEmZkTxLkE9837NGvsrlP7mF+BWYps3jqA/MfG0=;x:25;
The bit at the end regarding the unauthenticated anti-fraud database of trips reminds me of bus tickets in a couple of australian states, which (locally on the 13MHz MFC cards) store a short rolling log of your most recent trips.<p>Not as bad as a public API, but probably some degree of a personal safety risk given the security around MFC cards and the ability to ascertain pattern-of-life from the data
They seem to have removed the device "abc" from being allowed to download keys, or that was an "obviously fake" device id for the article:<p><pre><code> > $ curl -s 'https://device.theticketkeeper.com/download_keys?device_name=abc' | jq
> {
> "return_code": "error",
> "message": "Device not registered."
> }</code></pre>
I highly recommend Harley Watsons talk (_unlobito) about ITSO and footnotes on Oyster card. <a href="https://lobi.to/talks/papertickets/" rel="nofollow">https://lobi.to/talks/papertickets/</a> that talk is also referenced in this article, a truly wonderful presenter.
Very nicely written, it made it very accessible to those who aren't super familiar with reverse engineering.<p>I'm fascinated by "transport billing" - it's such a complex problem, owing to the different infrastructure providers, different operators, fares, holidays, special events, and weird edge-case situations.
<i>> they also gain the ability to more precisely track the ticket’s usage across the network and minimise fraud.</i><p>Except mobile tickets make fraud trivial - getting off the train without a ticket, at a station with a ticket barrier? Just show them your powered off phone and say 'my phone died' and they'll let you out, no questions asked.
Nobody who cheers "mobile tickets" has ever watched a guard or ticket
inspector do their job.<p>In the UK, a guard with good eyesight and a sprightly, cheerful manner
can almost run through the carriages shouting "tickets please!" and
see, with a single glance, all s/he needs.<p>Then she gets to the muppets with phones. They faff, fumble and
fuss. They scowl at being interrupted watching videos, browsing social
media and listening to music. They can't load their app. They huff and
sigh disrespectfully. The guard can't get focus. For a moment they
point phones at each other like cowboys in a gunfight standoff. She
doesn't have a wifi signal, so now there's a long and embarrassing
delay while passenger and guard stare at each others feet.<p>Finally a joyful <i>beep</i> releases them from technological tension.
Everyone in the car sighs with relief and she moves on to the next
grinning smombie.<p>The whole technology is a festering shitshow foisted on people by
over-zealous tech peddlers.<p>Paper tickets rule.
> (“But wait,” I hear you cry, “isn’t getting a persistent device ID exactly what Apple don’t want you to do?” And you’d be right! Technically, I believe the device UUID actually does change between installs, but they store a copy in the device keychain, which doesn’t get wiped when you remove the app. This is stupid, and almost certainly a contravention of App Store policy.)<p>More proof that Apple's walled garden is a scam: it fails to protect against the thing that its alleged purpose of existence is to protect against.