# fraudulent use of 10-ride ticket



## Will Orton (Oct 2, 2015)

Hello!

Has anyone ever experienced fraudulent use of a 10-ride pass?

I've been riding Cascades trains 500 & 507 a couple times a week since February and just in the past month I've started having mysterious rides I didn't take appear on the "use history" when viewed online. This just happened for the second time yesterday.

The most recent was just yesterday 10/1 -- I worked from home all day and yet my ticket was used on Cascades trains 503 & 508 (which I never ride, because it's the REVERSE from my commute).

I buy the ticket online, print it out from my email, and I've never lost the print-out.

Amtrak customer service put me on hold for 30 minutes then said there's nothing they can do because the conductor "looked up the reservation". Huh, really? So I'm out $25 every time this happens.

Just curious if this has happened to anyone else and if you were able to figure out the problem...


----------



## Bob Dylan (Oct 2, 2015)

Call Customer Relations (1-800-USA-RAIL / tell Julie "Agent" / when connected, ask the Agent for Customer RELATIONS, NOT Customer Service, which sounds worthless in this situation!). This is Fraud!

I'm not a Techie, but you've been hacked somehow, whether by a Crooked or Lazy Conductor or a Crooked Passenger!


----------



## jis (Oct 2, 2015)

This exposes a fundamental weakness in the Amtrak E-Ticket system. There is no mandatory authentication of use at the point of use. Looking up a reservation does no good to anyone. What needs to match is the identity of the traveler listed in the reservation with the person that is traveling using the reservation.

In case of airline e-tickets there is a mandatory check of IDs. Yes, it can be spoofed, but at least there is a check. In case of Amtrak there is not. All that you need is a random PNR of a valid reservation obtained in any which way. Now for single use reservations this works fine because it is relatively unlikely that one would not cancel a reservation if they are not using it. But on ten trip tickets, that is a different issue.

Incidentally when using e-tickets on Indian Railways, AFAIR you have to provide proof of identity. Not sure how it is done, since I have only traveled on passes recently and for that you have to have an Id.


----------



## Will Orton (Oct 2, 2015)

I wonder if I got exposed somehow connecting to open wifi with my phone on the train?

I'd expect the Amtrak app to use SSL/TLS for all its network communication.

I *AM* a techie and just want to figure out how to keep this from happening!

I'm checking my email setup to make sure my email (I use a private server with IMAP for email) isn't using plaintext login. I'm really amazed that someone would sit at a train station or in a train and spoof/hack/sniff open wifi... to get into email... to get a $12/ride train ticket for free, but would be limited to the same 80-mile corridor my multi-ride ticket is good for? It just seems like a lot of work for not much gain.


----------



## jis (Oct 2, 2015)

The other possibility is of Amtrak staff collusion at some point. Though hard to believe, such things have been known to take place from time to time.


----------



## Train2104 (Oct 2, 2015)

Will Orton said:


> I wonder if I got exposed somehow connecting to open wifi with my phone on the train?
> 
> I'd expect the Amtrak app to use SSL/TLS for all its network communication.
> 
> ...


I don't think it needs to be that complex. Can't one just look up a reservation/PNR just by giving their last name to the conductor? The conductor is supposed to check IDs, but some probably don't bother.


----------



## BCL (Oct 2, 2015)

It's certainly possible. It's especially possible if someone has a similar name and they just asked the conductor to look up the information. It may not be something fraudulent but just an honest mistake.

It might even be possible for someone who got a look at your reservation number to print up a copy at Quik-Trak. It would require a magnetic card to start the process, and then the reservation number can be retrieved and the ticket printed up. Maybe even a good enough picture of your QR code (or reconstructing it based on your reservation number and date) might be enough to reprint one at Quik-Trak using the scanner.


----------



## Will Orton (Oct 2, 2015)

Okay this makes sense. I have been lazy about leaving my ticket out on the seat next to me and dozing off during my morning trip. Someone could easily have snapped a cell phone pic while walking by. Maybe I'll get creative and start leaving an EXPIRED ticket out after the conductor scans my real ticket, and seeing if I can spot anyone acting weird as they walk down the aisle.

I never considered before the need to keep the code on the ticket physically secure.


----------



## Guest (Oct 8, 2015)

jis said:


> This exposes a fundamental weakness in the Amtrak E-Ticket system. There is no mandatory authentication of use at the point of use. Looking up a reservation does no good to anyone. What needs to match is the identity of the traveler listed in the reservation with the person that is traveling using the reservation.
> 
> In case of airline e-tickets there is a mandatory check of IDs. Yes, it can be spoofed, but at least there is a check. In case of Amtrak there is not. All that you need is a random PNR of a valid reservation obtained in any which way. Now for single use reservations this works fine because it is relatively unlikely that one would not cancel a reservation if they are not using it. But on ten trip tickets, that is a different issue.
> 
> Incidentally when using e-tickets on Indian Railways, AFAIR you have to provide proof of identity. Not sure how it is done, since I have only traveled on passes recently and for that you have to have an Id.


There are legitimate privacy reasons where people need to travel using an assumed name and cannot provide IDs (avoid tracking by LE, for example).


----------



## jis (Oct 8, 2015)

Those would be few and far between and there are well established ways of handling those.


----------



## MikefromCrete (Oct 8, 2015)

None of this stuff happened with tickets that were just punched by the conductor.

Is avoiding law enforcement a "legitimate" privacy issue?


----------



## BCL (Oct 8, 2015)

MikefromCrete said:


> None of this stuff happened with tickets that were just punched by the conductor.
> 
> Is avoiding law enforcement a "legitimate" privacy issue?


But you were out of luck if you lost your ticket. Heck - I posted once about the partially printed ticket without a bar code, but with my name. I kind of got lucky there. If it hadn't printed at all I would have had nothing to show for it.

There is a certain convenience to multi-ride E-tickets. I like how AGR points post quickly after the first use, as opposed to posting when they're completely used up and sent to AGR for processing. I'm thinking that if you didn't manage to use one up the points wouldn't post at all.


----------



## Anderson (Oct 8, 2015)

BCL said:


> MikefromCrete said:
> 
> 
> > None of this stuff happened with tickets that were just punched by the conductor.
> ...


Given the issue, and presuming that this isn't the only time it has happened somewhere, it raises the question/desirability of being able to _request_ a paper ticket for certain purposes. I don't have a problem with e-tickets being the default option, but there are a few cases where there's a weakness to them and a hard-copy alternative should be available if someone thinks they're having issues. ID checks are almost entirely a hypothetical exercise with the exception of border-crossing trains. Not that I'm opposed to this, but combining it with e-tickets is a bad mix.

One option for dealing with this would be to allow you to get a new _number_ (not a new ten-ride ticket) between each ride if you so desired (either when you get on or off the train or anytime in between) that would alter the bar code/QR code as well, or to _request_ a "must check ID" tag be put onto a multi-ride ticket (e.g. it would bar the Conductor from lifting the ticket in a "bulk lift" and flag them to check your ID).


----------



## neroden (Oct 19, 2015)

MikefromCrete said:


> None of this stuff happened with tickets that were just punched by the conductor.
> 
> Is avoiding law enforcement a "legitimate" privacy issue?


Depends whether the law enforcement is legitimate (it isn't always legitimate).

Avoiding harassment by stalkers would be one example of a need to travel without publishing your name, and stalkers sometimes use law enforcement to do their dirty work (by filing false reports, etc.)


----------



## jis (Oct 19, 2015)

All that needs to be established is that the ticket's intended user is the one that is using it. This can be established anonymously using some kind of a token. This technique was invented by the Templars to process letters of credit way back when. It is not something that needs to be invented. You just need to associate an authenticatable digital signature to the instrument, something that can be done with a little effort.


----------
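Added example (not part of any post in this thread, and not Amtrak's system): a sketch of the anonymous per-ride token and the "new number between each ride" idea raised above, using a SHA-256 hash chain of one-time codes rather than a public-key signature. `RiderWallet` and `TicketRecord` are hypothetical names; the issuer stores only the current chain anchor, so no name or ID is involved, and a code copied after it has been scanned is already spent.

```python
import hashlib
import secrets

RIDES = 10  # a ten-ride ticket

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(seed: bytes, n: int) -> bytes:
    """Apply SHA-256 n times to seed."""
    for _ in range(n):
        seed = h(seed)
    return seed

class RiderWallet:
    """Rider side (hypothetical app): the random seed never leaves the device."""
    def __init__(self, rides: int = RIDES):
        self._seed = secrets.token_bytes(32)
        self.remaining = rides
        self.anchor = chain(self._seed, rides)  # registered with the issuer at purchase

    def next_code(self) -> bytes:
        """Produce the one-time code for the next ride, only at scan time."""
        if self.remaining == 0:
            raise ValueError("no rides left")
        self.remaining -= 1
        return chain(self._seed, self.remaining)

class TicketRecord:
    """Issuer side (hypothetical): holds the current anchor, no traveler identity."""
    def __init__(self, anchor: bytes, rides: int = RIDES):
        self.anchor = anchor
        self.remaining = rides

    def lift(self, code: bytes) -> bool:
        """Accept a ride only if hashing the code yields the stored anchor."""
        if self.remaining == 0 or not secrets.compare_digest(h(code), self.anchor):
            return False
        self.anchor = code  # the spent code becomes the anchor for the next ride
        self.remaining -= 1
        return True

def demo() -> list:
    wallet = RiderWallet()
    record = TicketRecord(wallet.anchor)
    first = wallet.next_code()
    results = [record.lift(first)]                   # genuine ride is accepted
    results.append(record.lift(first))               # photographed copy is rejected
    results.append(record.lift(wallet.next_code()))  # next genuine ride is accepted
    return results + [record.remaining]
```

The scheme depends on the scanner reaching the issuer's record at lift time; an offline scanner would need a synchronised copy of the anchor.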

