All my Deutschlandtickets gone: Fraud at an industrial scale [video](media.ccc.de)
86 points by Kyro38 4 days ago | 11 comments
jiehong 3 hours ago | parent | next [-]

Germany has missed the digitalisation train, but how long will it continue to miss it for?

At least, transparent issues like this one can only help.

chvid 2 hours ago | parent [-]

The problem is the lack of centralization - there should obviously only be one issuer of this ticket and thus just only one website / app to keep bug free.

lachiflippi 2 hours ago | parent [-]

Lack of centralization is one part of it (see also: communal digital services), yes, but the complete lack of standards and guidelines is also a massive issue. I tried buying a Deutschlandticket from the DB Navigator app a while back, and immediately ran into some issues:

- they only take credit card, probably because of the massive SEPA fraud they've had happen

- they require id verification with a third party(!), which then only supports the e-perso(!!) or video ident(!!!), which they could've just used the actual PostIdent service for, which would've provided an alternative for non-smartphone-havers / people who'd rather not have their ID and face recorded by some Eastern European company until the end of time

- their entire authentication system was down when it came to actually purchasing

Buying from my local Verkehrsverbund was a single tap in their app instead, with no id verification whatsoever. If DB's offering were the only option it would be an absolute travesty.

kevin_thibedeau an hour ago | parent [-]

Hetzner does this invasive ID flow for credit cards now. Fortunately they don't bother with PayPal.

lxgr an hour ago | parent [-]

Airbnb wanted access to my bank account transaction details (via Plaid) a while ago, "to verify my credit card". Hotels have never looked so appealing.

WalterBright an hour ago | parent | prev | next [-]

Uh, I received a call from my credit card company saying that train tickets were bought using my card in Germany. I told them I haven't been in Germany for the last decade, and was issued a new card.

lysace 3 hours ago | parent | prev [-]

tl;dw please?

nottorp 2 hours ago | parent [-]

"Transcript" it's called :)

lysace 2 hours ago | parent [-]

ChatGPT managed the following given the submitted source URL and the prompt "summarize the key technical facts into two sentences suitable for a hacker news comment".

Deutschlandticket fraud stemmed from decentralization and weak controls: tickets were issued instantly on unverified SEPA debits, and a leaked or mismanaged signing key let attackers mint valid tickets at scale. Poor revocation and fragmented verification meant many fraudulent tickets still scanned as valid, enabling mass resale and huge losses.

akrauss 2 hours ago | parent | next [-]

This is a good concise summary, regardless of provenance.

striking an hour ago | parent | prev [-]

Instead of making a fuss, have you considered taking another look at the video page? It includes a summary that helps show why those technical facts are actually relevant in the context of German society, and hints at how those things came to happen. I would normally not bother with a comment, but this time I'm genuinely curious as to how someone might have missed scrolling down to see the summary.

(edit: the fussy bit, where the poster complains about downvotes, has been edited out. I'm leaving my comment the way it is.)