Fake ticket scam using stolen machine

[47421]

Interesting case...

http://www.newsshopper.co.uk/news/1...d_for_part_in___1_million_train_ticket_fraud/

A Greenwich man has been jailed for his part in an “elaborate” £1 million train ticket fraud in which a stolen machine was used to forge tickets.

Robertas Vaitkevicius, of Uplands Close, was one member of a five-person gang who sold around 15,000 fake weekly zone 1-6 travelcards between January 2012 and October 2013 when they were arrested.

The 36-year-old was sentenced at Blackfriars’ Crown Court on May 9 to two years in prison after previously admitting conspiracy to defraud.

The fraud was first discovered after a vigilant inspector seized two tickets when passengers could not answer basic questions about how they were bought.

Detective Inspector Chris Neeson, from British Transport Police’s (BTP) ticket fraud squad, said: “This was an elaborate and complex fraud.

“The use of a real ticket machine meant these fake tickets appeared completely genuine and would even open automatic ticket barriers.

“Ticket fraud is very damaging to the railway network. It’s not just profoundly unfair to the millions of people who pay to travel every day, it also means less revenue available for vital improvement works.

"The sentence sends a clear message that ticket fraud is a serious offence that will not be tolerated.”

The sentencing followed a lengthy joint investigation between BTP, Abellio Greater Anglia and London Underground.

 

[tony6499]

I presume it was an Avantix as they only do weeklies but I wonder how they got around the security on it ?

 

[island]

Yes. I understood that Avantix machines would shut off after a certain period unless they were docked. Plus there would be the question of how they got hold of the blank stock, given that an Avantix holds around 400 tickets. Perhaps it was an inside job.

 

[Tracky]

If it was a real ticket machine, it would issue real tickets. They would not be paid for but they would not be fake. Obviously the article doesn't want to give the game away but I wonder what the detail was.

 

[tony6499]

Yes. I understood that Avantix machines would shut off after a certain period unless they were docked. Plus there would be the question of how they got hold of the blank stock, given that an Avantix holds around 400 tickets. Perhaps it was an inside job.

They would go into enquiry only mode if they weren't docked within time, either an inside job or they built their own computer programme

 

[bigdelboy]

More on it here: http://www.btp.police.uk/latest_news/local_news_london_underground/gang_jailed_for_ticket_fraud.aspx

 

[jon0844]

It surely can't be that hard to rip off the software, hack it, and then be able to obtain a printer and magstrip encoder?

So, you might not need the original hardware.

And, yes, that would suggest an inside job. If true, it would also suggest that there could be many people doing this very thing.

 

[krus_aragon]

More on it here: http://www.btp.police.uk/latest_news/local_news_london_underground/gang_jailed_for_ticket_fraud.aspx

I note from that article that:

Mr Volkavicius was found to be flying into the country on a weekly basis for the sole purpose of committing the fraud. ..... [he] was seen over a number of months regularly buying genuine tickets from stations. These tickets were being cloned to create multiple tickets with different photocard numbers allowing distribution to hundreds of individual buyers.

Are photocard numbers encoded on the magstrip? If not, it could be a case of cloning this week's magstrip onto blank cards, then using a thermal printer to print the face of the ticket with the desired numbers on. As the printed details of a ticket are in full view (and well documented) I expect that it would be the encoding of the magnetic strip that would be the greater technical challenge.

All this could be done with alternative (non-railway) equipment given the time and motivation. Magnetic strip readers/encoders are ten-a-penny on Ebay (physical modification neccessary so it reads the strip in its unusul position), and thermal printing is a well-established technology too. It's getting hold of genuine ticket stock that'd be the key issue.

 

[dtaylor84]

The BTP page doesn't make much sense.

It says a real ticket machine was used so the tickets were "genuine", but the fraudster was buying real tickets every week to clone them with different photo card numbers'?

 

[krus_aragon]

The BTP page doesn't make much sense.

It says a real ticket machine was used so the tickets were "genuine", but the fraudster was buying real tickets every week to clone them with different photo card numbers'?

As I vaguely suggested above, buy one from a real ticket machine to get the correct magstripe info, and then clone it at home?

 

[jon0844]

I do wonder why you'd need an original machine when the key thing is original ticket stock. I can't imagine it being hard to encode a magnetic strip - especially if you can read off a valid ticket and clone it. And it can't be hard to write software to print on a ticket!

I nearly had the chance to walk off with a roll of tickets, which were delivered to Hatfield and left on the (closed) ticket office window. Rather than nick it to produce tickets, I took it over to a member of staff at the gateline and suggested it might not be a good idea to leave it lying around for anyone to take.

I don't know how many tickets on a roll, but there looked to be hundreds.

All the more reason for smartcards as paper tickets must be an easy target, and always getting easier.

 

[Tracky]

Ticket stock probably isn't an issue. Lots of avantix stock is kept very insecurely around the network. Not all guards and revenue staff are conscientious. The fraudsters may even have had somebody on the inside, a cleaner maybe, able to pinch stock from a ticket office or guards bag.

 

[Mojo]

None of the fake weekly Travelcards that I or my colleagues ever came across in early 2013 were from Avantix machines. The majority were printed in the style as if they had come out of S&B TVMs.

Certainly counterfeit Travelcards is nothing new; I remember coming across very bad copies (with typos on both sides) in winter 2010, but these didn't work the gates. There's still a long way to go - having a pinches ticket machine won't stop a legit ticket being bought and being cloned. I've come across many different styles that all work the gates; can't just be this one gang. Having a consistent print style, layout and format has to assist though; with so many types it's hard to know whether you have a fake or a design not seen before. Nonetheless I, and colleagues, got used to what to look out for!

 

[cjmillsnun]

Probably the Advantix was stolen to use the printer/strip encoder module (mainly because the magstrip on a railway ticket is in an unsual position (the centre of the card rather than at the top edge like on a credit card). I'm guessing the thing was hacked to hook it up to a PC (relatively easy to work out the power and data connections to the dock and emulate them in a home brew usb dock) Hack the operating system on it to accept details from a PC regarding the details of the mag strip and ticket type including origin station and just add a routine to ask for the photocard number.

 

[jon0844]

Probably the Advantix was stolen to use the printer/strip encoder module (mainly because the magstrip on a railway ticket is in an unsual position (the centre of the card rather than at the top edge like on a credit card). I'm guessing the thing was hacked to hook it up to a PC (relatively easy to work out the power and data connections to the dock and emulate them in a home brew usb dock) Hack the operating system on it to accept details from a PC regarding the details of the mag strip and ticket type including origin station and just add a routine to ask for the photocard number.

Yes, that's how I'd imagine it's done too. And if that information is easy to obtain on the 'Darknet' then you can be pretty sure there are going to be people doing it all over the place. Some more organised than others.

 

[JB_B]

15,000 weeklies over a twenty-one month period implies that they had hundreds of punters willing to buy these tickets - does anyone know what they were charging end-users?

( Or did the gang pose as legitimate ticket sellers and sell at face value? )

 

[Tim R-T-C]

That makes about 180 sales per week, so I'm guessing it was more likely a network rather than open resale.

I'm sure those found using the tickets will say they just thought they were getting a good deal from a friend, possibly claiming to get a bulk purchase discount, would be hard to prove either way.

Since the tickets are £47, could sell them for less than this and still make a pretty decent turn-over.

 

[Clip]

15,000 weeklies over a twenty-one month period implies that they had hundreds of punters willing to buy these tickets - does anyone know what they were charging end-users?

( Or did the gang pose as legitimate ticket sellers and sell at face value? )

Generally counterfeit or stolen goods go for about a 3rd of the retail price.

 

[mattdickinson]

I note from that article that:



Are photocard numbers encoded on the magstrip? If not, it could be a case of cloning this week's magstrip onto blank cards, then using a thermal printer to print the face of the ticket with the desired numbers on. As the printed details of a ticket are in full view (and well documented) I expect that it would be the encoding of the magnetic strip that would be the greater technical challenge.
.

Photocard numbers aren't encoded.

 

[bb21]

Good possibility that they were shifting them in bulk within the East European community. Happens amongst several ethnic communities, although not always in such large quantities.

 

[ainsworth74]

Yes, that's how I'd imagine it's done too.

And that, of course, would explain the need for a ticket to clone each week as they'd have all the equipment but not the information to be encoded.

 

[jon0844]

And that, of course, would explain the need for a ticket to clone each week as they'd have all the equipment but not the information to be encoded.

I'm surprised there's a need to clone a ticket, as it can't surely be hard to encode the right data to make a working ticket? They don't hold that much data do they, and it's not encrypted either?

Perhaps it's purely so the ticket can be printed with a valid serial number, which would check out if someone was stopped and the ticket inspected a bit more thoroughly?

 

[b0b]

I'm surprised there's a need to clone a ticket, as it can't surely be hard to encode the right data to make a working ticket? They don't hold that much data do they, and it's not encrypted either?

Perhaps it's purely so the ticket can be printed with a valid serial number, which would check out if someone was stopped and the ticket inspected a bit more thoroughly?

Probably the simplest explanation is its easier to copy the data off a magstripe than it is to interpret and re-encode, and the cost of 1 travelcard every week doesn't seem to have been worth circumventing - in addition to the fact that the "front" of the ticket is also valid on its face. (they might not realize what all the things on the ticket mean).

 

[Tim R-T-C]

Often these sort of scams are caught out by changing something like the serial numbers on tickets to a slightly new format - maybe with a letter at the end. By buying a new ticket each week they can avoid this.

 

[b0b]

Often these sort of scams are caught out by changing something like the serial numbers on tickets to a slightly new format - maybe with a letter at the end. By buying a new ticket each week they can avoid this.

Also, if they were smart, they used their 1-6 travelcard to go to different stations each week to make them harder to track down ...

 

[PermitToTravel]

I'm surprised there's a need to clone a ticket, as it can't surely be hard to encode the right data to make a working ticket? They don't hold that much data do they, and it's not encrypted either?

Perhaps it's purely so the ticket can be printed with a valid serial number, which would check out if someone was stopped and the ticket inspected a bit more thoroughly?

The data on a ticket magnetic strip is not encrypted or digitally signed. The ticket number is not meant to be unique, and they could have got away with randomising it.

I would guess that they were using the Avantix hardware but with their own software, as they won't have been able to get into the operating system they come with. This would be consistent with them buying tickets to clone the magnetic strip wholesale, rather than attempting to reverse engineer it.

Would I be correct in saying that an Avantix-issued ticket longer than a weekly would attract suspicion? Do Avantix-issued tickets look noticeably different from those from booking offices?

 

[bb21]

Avantix should not issue seasons for longer than 7 days, so yes would cause suspicion.

 

[b0b]

Would I be correct in saying that an Avantix-issued ticket longer than a weekly would attract suspicion? Do Avantix-issued tickets look noticeably different from those from booking offices?

Isnt the owner of a longer than 1 week ticket recorded? possibly why. Or maybe they just wanted the weekly income!

 

[Paul Kelly]

My guess it wasn't a stolen ticket machine they had but a thermal printer together with a magnetic stripe reader/encoder. I suspect, but am not sure, that if you scanned a ticket and did a bit of image processing you could make a fairly good clone of it on any thermal printer; it wouldn't necessarily need to be a printer designed for printing rail tickets. Magnetic stripe writers are also easily commerically available; the only thing that would need to be stolen would be the blank ticket stock.

 

[cjmillsnun]

would guess that they were using the Avantix hardware but with their own software, as they won't have been able to get into the operating system they come with. This would be consistent with them buying tickets to clone the magnetic strip wholesale, rather than attempting to reverse engineer it.

You do realise that it's just a Windows Mobile 5 device under the skin don't you?

They're very hackable. Maybe the advantix ticketing software itself isn't, but they can access the operating system with the right hacks. And as WM5 has been around but not updated for a long time, they're around and known.

They would even be able to access the flash memory of the device itself.

These things aren't as secure as you think because underneath they are using off the shelf hardware (chipsets) and firmware that are old and well known.

Think about the cat and mouse game played by people working out how to get into an iPhone to jailbreak it only to have Apple patch that at the next release of the firmware. The difference is, the last MS release of WM5 was in 2007 with the release of AKU 3.5... It's still in extended support, but that doesn't mean patches (this isn't something like Windows for desktops) and that extended support runs out next year.