Bad Bus Security

Joseph Reeves has an interesting little story about how a badly designed e-commerce system results in both an obvious security flaw and a missed opportunity for better customer relations over in Oxford. This all started when the bus driver refused to accept the email displayed on a phone, but wanted a paper copy, even though he had no way of verifying either as being legit! Quite how the driver thinks that printing out a copy of an email you have makes it more legitimate than the electronic version is left as an exercise for the bemused.

Exploiting the hole in the Oxford Bus Company’s awful system is easy; print a genuine looking email that contains the details of any bus journey you want to take. The bus driver only wants to see an email and your ID, they have no access to any passenger lists; should anyone with a passenger list board the bus (some kind of ticket inspector, I guess), you can remind them that the customer is always right; furthermore, act mortified at the fact that they blame a failing of the booking processing system to register your journey as some sort of criminal action on your behalf.

Josephs suggestion of how this should work is straightforward:

Fixing this bus ticket problem would be very simple – the Oxford Bus Company just needs to generate a unique ID number that it includes in emails to customers and to provide drivers with access to a passenger database. Buses are already fitted with Internet connections to be used by passengers on the journey, so all that needs to be provided is a very simple device to the driver.

Leading to possible improvements in service, like:

A passenger boards the bus, hands over their ID and says “my number is 546672”, the driver taps this into the machine and replies “ah yes, hello Mr Reeves, I’ll let you know when we’re at Heathrow Central bus terminal”.

It may be that the Oxford Bus Company has done a risk assessment and believes that the loss due to the fraudulent use of the service is lower than the cost in equipment and time taken for the driver to validate a ticket, but I doubt it. In contrast the Melbourne SkyBus service (from memory) lets you buy online, you then have to print out a ticket which has a barcode on it which the driver scans to validate it. Of course that means that you can’t carry it around electronically (well, not easily on a phone I guess) but does have the advantage that the barcode scanners are pretty quick, much faster than having to have someone type it in (and maybe get it wrong).

Leave a Reply

Your email address will not be published. Required fields are marked *