Vess @VessOnSecurity, 16 tweets
OK, folks, I don't have an English-language source for this, but it's a funny story, so I'm going to tell it anyway.

You see, last month the public transport company in Sofia (the capital of my country) introduced special "electronic tickets".
For 4 leva (about $2) you get an electronic ticket on your smart phone (a QR code) that lets you travel anywhere within the city during the day. (It's half the price for night travel.) For comparison, a regular monthly pass costs about $25.
Except the "smart" people in my city have figured out a way to use this scheme to travel a whole month for $2.
The system works like this. You log into their site with an app, after registering with an e-mail address and a password, pay either with a credit card or get the price charged to your phone account.
In exchange, you receive a QR code which you could either print or keep on your smart phone and use as a proof that you have a valid ticket.
Do you see where this is going yet? Yep, you can make as many copies of the print as you want - and give them to your group of friends. Each of them travels for free (well, with you paying 2 bucks). The next day one of them pays 2 bucks and gives everybody the ticket and so on.
With a group of 30 friends, it costs you $2 per month instead of $25. But you don't even need a smart phone or a physical copy of the printout. Your friend can simply give you the e-mail address and password used for registration. Then you log in and print the ticket yourself.
The organizers claim that they can detect when different devices access the same account and the account will be terminated. But they can't terminate the already issued tickets.
(Except when 2 people enter the subway with the same ticket within 5 min - then the subway system blocks the ticket.)
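As an added illustration (this is not code from the transport operator, from the thread, or from its author), here is a small Python model of the validation rules exactly as the thread describes them. Everything in it is a constructed assumption: the QR code is treated as a bearer token carrying only a ticket id and its validity date, subway gates keep the time of the last accepted scan per ticket id and refuse a second scan of the same id within 5 minutes, and nothing in the token refers to the account that bought it. The model shows why identical copies pass when friends enter more than 5 minutes apart, and why terminating the account leaves an already-issued ticket valid.

```python
"""Model of the day-ticket validation the thread describes.

Added example, not the operator's or the thread author's code. All rules,
names and dates below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

DUPLICATE_WINDOW_S = 5 * 60  # the 5-minute subway rule mentioned in the thread


@dataclass(frozen=True)
class Ticket:
    """What the QR code encodes in this model: no device, no account, no nonce."""
    ticket_id: str
    valid_on: str  # ISO date (constructed)


@dataclass
class Operator:
    """Back end holding the accounts that bought tickets (constructed)."""
    accounts: dict = field(default_factory=dict)  # email -> [Ticket]
    next_id: int = 1

    def buy(self, email: str, day: str) -> Ticket:
        t = Ticket(ticket_id="T-%04d" % self.next_id, valid_on=day)
        self.next_id += 1
        self.accounts.setdefault(email, []).append(t)
        return t

    def terminate_account(self, email: str) -> None:
        """The only sanction the thread says the operator can apply."""
        self.accounts.pop(email, None)


@dataclass
class SubwayGates:
    """Gate logic: checks the token's own fields plus a recent-scan table.
    It never consults the operator's account list, which is the point."""
    last_scan: dict = field(default_factory=dict)  # ticket_id -> seconds since midnight

    def scan(self, ticket: Ticket, today: str, now: int) -> str:
        if ticket.valid_on != today:
            return "REJECT: wrong day"
        prev = self.last_scan.get(ticket.ticket_id)
        if prev is not None and now - prev < DUPLICATE_WINDOW_S:
            return "REJECT: same ticket seen %d s ago" % (now - prev)
        self.last_scan[ticket.ticket_id] = now
        return "OK"


def share_ticket(ticket: Ticket, copies: int) -> list:
    """A screenshot or printout of the QR is byte-identical to the original."""
    return [ticket] * copies


def simulate_group(copies: int, spacing_s: int, day: str = "2018-11-05") -> list:
    """One friend buys a ticket; `copies` friends enter the subway `spacing_s`
    seconds apart with identical copies. Returns the gate verdicts in order."""
    op = Operator()
    bought = op.buy("buyer@example.invalid", day)
    gates = SubwayGates()
    return [gates.scan(t, day, now=i * spacing_s)
            for i, t in enumerate(share_ticket(bought, copies))]


def simulate_termination(day: str = "2018-11-05") -> str:
    """Operator spots account sharing and terminates the account; the
    already-issued ticket still passes because the gate has nothing to
    look it up against."""
    op = Operator()
    bought = op.buy("buyer@example.invalid", day)
    op.terminate_account("buyer@example.invalid")
    return SubwayGates().scan(bought, day, now=8 * 3600)


if __name__ == "__main__":
    print("30 friends, 10 min apart:", simulate_group(30, spacing_s=600).count("OK"), "accepted")
    print("2 friends, 2 min apart:", simulate_group(2, spacing_s=120))
    print("After account termination:", simulate_termination())
```

The duplicate-scan table is the only state the gate consults, so it catches exactly the case the thread names (two entries within 5 minutes) and nothing else; staggered entries, surface transport, and tickets from a closed account are all indistinguishable from legitimate use in this model.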

The organizers can't issue sanctions, either.
Source in Bulgarian:

mediapool.bg/kak-patuvaneto…
And to think that, after a referendum and a court order, we have to implement electronic voting in our country within 6 months. /me *headdesk*
OK, this is a truly ridiculous system, folks.

I just visited the site over Tor and registered an account with a phony name and a disposable e-mail address. There wasn't even any registration e-mail I had to click in order to confirm the registration.
Presumably, the e-mail address has to be valid (e.g., because you get a link to the printable ticket sent there) but I didn't check that. I only registered; didn't buy a ticket.

Practically no authentication whatsoever.
Apparently, the only authentication is the payment method, which is either a credit card number or a phone number to bill.

I don't know whether they check credit card validity or whether the name on the card/phone matches the name you have registered.
I can't actually check this, because it would be a crime, but I wouldn't be surprised if a credit card generator works. Worst case, you can just bill somebody whose phone you happen to know and yippee, free travel.
Presumably, they don't think the 2 bucks is worth more rigorous checks, but according to them, 5000+ people have registered and if they all start scamming the system, just dealing with complaints of people whose phones have been misused would exceed the cost of the tickets.