Discussion:
Decoding a rail ticket barcode
Tweed
2023-02-06 19:13:39 UTC
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.

“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
Roland Perry
2023-02-07 08:36:25 UTC
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
Looks very promising (and a good example perhaps of a failed attempt at
security by obscurity).

However, I have such a barcode but it isn't recognised as one by either the
camera-view, or a cropped photo.

So I tried the last resort "text" option, with a barcode scanner I
already had on the phone, and that worked :)

Several fragments of information I've not seen on tickets before (such
as Lennon code), but curiously it can't make its mind up if First or
Standard class.

[image]

I wondered where the 3043 was listed (more obscurity, perhaps), and
found this image on a blogger site:

[image]

... but can't find a matching field on any of the TOD I have laying
round here. Something to look for next time.
--
Roland Perry
Clive Page
2023-02-07 12:12:15 UTC
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a complete mess and it's probably never going to be possible to use a single ITSO card across a number of transport authorities. But Oyster, despite being designed some years earlier, looks good by comparison.
--
Clive Page
Recliner
2023-02-07 12:23:06 UTC
Post by Clive Page
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a complete mess and
it's probably never going to be possible to use a single ITSO card across
a number of transport authorities. But Oyster, despite being designed
some years earlier, looks good by comparison.
It looks like the DfT has implicitly chosen son-of-Oyster for its wider
rollout of PayGo ticketing across southeast England.
Roland Perry
2023-02-07 12:46:13 UTC
Post by Recliner
Post by Clive Page
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a complete mess and
it's probably never going to be possible to use a single ITSO card across
a number of transport authorities. But Oyster, despite being designed
some years earlier, looks good by comparison.
It looks like the DfT has implicitly chosen son-of-Oyster for its wider
rollout of PayGo ticketing across southeast England.
Does it have a website, and is the end of the GTR (the DfT's long
standing tame TOC after all) KeyGo scheme?
--
Roland Perry
Roland Perry
2023-02-07 12:44:36 UTC
Post by Clive Page
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a complete mess
and it's probably never going to be possible to use a single ITSO card
across a number of transport authorities.
That's despite that my bus-pass (which is an ITSO) probably does work
across a number of transport authorities.

And in theory (I haven't seen anyone disputing this) any ITSO card
issued by most TOCs [I'm going to park LNER for a moment, as they are
somewhat Travelcard deniers, but on the other hand there's
https://www.brfares.com/!faredetail?orig=PBO&dest=0035&tkt=ADT and its
friends] whose services end up in London can be loaded with a Travelcard
and be recognised not just by TfL but all the others.
Post by Clive Page
But Oyster, despite being designed some years earlier, looks good by
comparison.
How many zones will it need to cope with, once there's the whole country
to deal with?

I'm reasonably confident I could buy a ticket to be loaded onto ITSO at
my Greater Anglia operated station, and get off the EMR train in
Liverpool. But I suppose one day I'll need to try it just to see.
--
Roland Perry
Coffee
2023-02-07 13:30:20 UTC
Post by Roland Perry
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
 “But what data is inside the barcode of a mobile ticket, and how do
they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk.   In summary: ITSO is a complete mess
and it's probably never going to be possible to use a single ITSO card
across a number of transport authorities.
That's despite that my bus-pass (which is an ITSO) probably does work
across a number of transport authorities.
And in theory (I haven't seen anyone disputing this) any ITSO card
issued by most TOCs [I'm going to park LNER for a moment, as they are
somewhat Travelcard deniers, but on the other hand there's
https://www.brfares.com/!faredetail?orig=PBO&dest=0035&tkt=ADT and its
friends] whose services end up in London can be loaded with a Travelcard
and be recognised not just by TfL but all the others.
But Oyster, despite being designed some years earlier, looks good by
comparison.
How many zones will it need to cope with, once there's the whole country
to deal with?
I guess the scheme will operate by station rather than zone. We know
that the cards record the last few station check ins.
Post by Roland Perry
I'm reasonably confident I could buy a ticket to be loaded onto ITSO at
my Greater Anglia operated station, and get off the EMR train in
Liverpool. But I suppose one day I'll need to try it just to see.
If a nationwide scheme is introduced one thing is certain. An awful lot
of call centre operatives will be required to resolve all the charge
anomalies.
Clank
2023-02-07 13:38:29 UTC
On 7 Feb 2023 at 3:30:20 PM EET, "Coffee"
Post by Coffee
Post by Roland Perry
I'm reasonably confident I could buy a ticket to be loaded onto ITSO at
my Greater Anglia operated station, and get off the EMR train in
Liverpool. But I suppose one day I'll need to try it just to see.
If a nationwide scheme is introduced one thing is certain. An awful lot
of call centre operatives will be required to resolve all the charge
anomalies.
Call-centre operatives, grandpa? I think you mean AI chatbots... 😬
Certes
2023-02-07 19:17:54 UTC
Post by Clank
On 7 Feb 2023 at 3:30:20 PM EET, "Coffee"
Post by Coffee
Post by Roland Perry
I'm reasonably confident I could buy a ticket to be loaded onto ITSO at
my Greater Anglia operated station, and get off the EMR train in
Liverpool. But I suppose one day I'll need to try it just to see.
If a nationwide scheme is introduced one thing is certain. An awful lot
of call centre operatives will be required to resolve all the charge
anomalies.
Call-centre operatives, grandpa? I think you mean AI chatbots... 😬
I fear you're right. Has an AI chatbot ever actually helped anyone, or
do they essentially just say "we no longer do customer service"?
Recliner
2023-02-07 13:39:32 UTC
Post by Coffee
Post by Roland Perry
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
 “But what data is inside the barcode of a mobile ticket, and how do
they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk.   In summary: ITSO is a complete mess
and it's probably never going to be possible to use a single ITSO card
across a number of transport authorities.
That's despite that my bus-pass (which is an ITSO) probably does work
across a number of transport authorities.
And in theory (I haven't seen anyone disputing this) any ITSO card
issued by most TOCs [I'm going to park LNER for a moment, as they are
somewhat Travelcard deniers, but on the other hand there's
https://www.brfares.com/!faredetail?orig=PBO&dest=0035&tkt=ADT and its
friends] whose services end up in London can be loaded with a Travelcard
and be recognised not just by TfL but all the others.
But Oyster, despite being designed some years earlier, looks good by
comparison.
How many zones will it need to cope with, once there's the whole country
to deal with?
I guess the scheme will operate by station rather than zone. We know
that the cards record the last few station check ins.
Contactless cards don't, but a proprietary travel smart card should. There
will probably be the equivalent of the pink waypoint readers, too, to
establish the route taken.
Post by Coffee
Post by Roland Perry
I'm reasonably confident I could buy a ticket to be loaded onto ITSO at
my Greater Anglia operated station, and get off the EMR train in
Liverpool. But I suppose one day I'll need to try it just to see.
If a nationwide scheme is introduced one thing is certain. An awful lot
of call centre operatives will be required to resolve all the charge
anomalies.
Or maybe they'll try and use Bard or ChatGPT?
Bob
2023-02-07 19:58:11 UTC
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk.   In summary: ITSO is a complete mess
and it's probably never going to be possible to use a single ITSO card
across a number of transport authorities.  But Oyster, despite being
designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.

Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded on
the ticket can only be done with an active internet connection. Also it
suggests that a way to load an AP train-specific ticket onto an ITSO
card in a way that a ticket check of that ticket can actually identify
which train it is supposed to be valid for can't really be done with the
way ITSO is set up.

So if an ITSO ticket can't be checked without an active internet
connection, and it can't even store a basic ticket type commonly used on
the network, it seems basically a dead end. If you have to have an
internet connection active to check a ticket, you may as well use a
system of a token associated with an online database somewhere and
forget the idea of storing the actual ticket on a physical card.

[1] http://youtu.be/IcdARsqJhEI

Robin
Roland Perry
2023-02-07 20:53:49 UTC
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk.   In summary: ITSO is a complete
mess and it's probably never going to be possible to use a single
ITSO card across a number of transport authorities.  But Oyster,
despite being designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded on
the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of a
problem. But aren't all gates supposed to be online anyway (to support
the feature of loading a pre-purchased ticket as you touch the barrier).
Post by Bob
Also it suggests that a way to load an AP train-specific ticket onto an
ITSO card in a way that a ticket check of that ticket can actually
identify which train it is supposed to be valid for can't really be
done with the way ITSO is set up.
Again, that suggests an ITSO ticket has neither a time nor a train
number and seat number coded into it.
Post by Bob
So if an ITSO ticket can't be checked without an active internet
connection, and it can't even store a basic ticket type commonly used
on the network, it seems basically a dead end. If you have to have an
internet connection active to check a ticket, you may as well use a
system of a token associated with an online database somewhere and
forget the idea of storing the actual ticket on a physical card.
Up to a point. Having the data loaded onto the card allows the passenger
to read the information without an active Internet connection (ie simply
with an NFC card reader).
Post by Bob
[1] http://youtu.be/IcdARsqJhEI
What does it say about ITSO purses, and how would you implement that
using a token system, for example if boarding a bus that *doesn't* have
an active Internet connection at that instant.
--
Roland Perry
Bob
2023-02-07 21:54:58 UTC
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a single
ITSO card  across a number of transport authorities.  But Oyster,
despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded on
the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of a
problem. But aren't all gates supposed to be online anyway (to support
the feature of loading a pre-purchased ticket as you touch the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines. The reading machines can read the basic data, but can't verify
the signature unless they are online.
Post by Roland Perry
Post by Bob
Also it suggests that a way to load an AP train-specific ticket onto
an ITSO card in a way that a ticket check of that ticket can actually
identify which train it is supposed to be valid for can't really be
done with the way ITSO is set up.
Again, that suggests an ITSO ticket has neither a time nor a train
number and seat number coded into it.
Correct.
Post by Roland Perry
Post by Bob
So if an ITSO ticket can't be checked without an active internet
connection, and it can't even store a basic ticket type commonly used
on the network, it seems basically a dead end. If you have to have an
internet connection active to check a ticket, you may as well use a
system of a token associated with an online database somewhere and
forget the idea of storing the actual ticket on a physical card.
Up to a point. Having the data loaded onto the card allows the passenger
to read the information without an active Internet connection (ie simply
with an NFC card reader).
They are set up in such a way that anyone can read the basic data, but
the data can't be validated cryptographically, in which case anyone can
write a fake ticket with a simple PC, and unless the cryptographic
signature can be validated, it is relatively simple to load a fake
ticket onto the card.
Post by Roland Perry
Post by Bob
[1] http://youtu.be/IcdARsqJhEI
What does it say about ITSO purses, and how would you implement that
using a token system, for example if boarding a bus that *doesn't* have
an active Internet connection at that instant.
Using the system used in London, the Netherlands etc.

Robin
Certes
2023-02-07 23:03:08 UTC
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a single
ITSO card  across a number of transport authorities.  But Oyster,
despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of a
problem. But aren't all gates supposed to be online anyway (to support
the feature of loading a pre-purchased ticket as you touch the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really? Can't we sign with a private key and verify with a public key?

I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Bob
2023-02-08 00:08:45 UTC
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a single
ITSO card  across a number of transport authorities.  But Oyster,
despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of a
problem. But aren't all gates supposed to be online anyway (to support
the feature of loading a pre-purchased ticket as you touch the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid of
credit on it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of the
benefits of having things stored cryptographically on the card, rather
than on a central database are gone.

Robin
Certes
2023-02-08 01:10:56 UTC
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a single
ITSO card  across a number of transport authorities.  But Oyster,
despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid of
credit on it any time you pleased.
Signing with a public key doesn't validate the ticket. The gripper or
barrier verifies that the stored-value is signed with one of the private
keys held only by authorised ticket sellers, not just any old key.
Post by Bob
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of the
benefits of having things stored cryptographically on the card, rather
than on a central database are gone.
Indeed.
Bob
2023-02-08 08:33:44 UTC
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how do they
work? Could people who aren’t ticket inspectors get the data out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a
single ITSO card  across a number of transport authorities.  But
Oyster, despite being  designed some years earlier, looks good by
comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently
loaded on the ticket can only be done with an active internet
connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid of
credit on it any time you pleased.
Signing with a public key doesn't validate the ticket.  The gripper or
barrier verifies that the stored-value is signed with one of the private
keys held only by authorised ticket sellers, not just any old key.
That doesn't allow for PAYG stored value, which was a key feature
intended for ITSO. The desire was for a system where the passenger can
do like you do with Oyster and tap the card in (and where necessary
out), and the value stored on the card is debited for the trip made.
That requires both read (to check the balance is sufficient) and write
(to record the journey and adjust the balance) operations. By baking
that requirement into the system, it means that whatever machine is
interacting with the card has to have access to the full cryptographic
information to make the transaction happen. If that information falls
into the wrong hands, the entire ITSO system is compromised. Hence the
decision to store that part of it securely and have the machines that
interrogate the card interact with it over the internet.

But once you have a "I need to phone home" requirement, the whole raison
d'etre of the concept of "store it on the card" rather than "store it on
the server with card as token" falls apart.

But not only is that lost, the decisions made about how to store data on
the card also is deficient for railway use, in that the decisions made
on how to store data does not permit a significant type of ticket,
namely train-specific AP tickets, to actually be represented adequately
on the stored data. If the system did allow for AP tickets, I would
also think a method of writing to the card "earlier train delayed,
ignore the train-specific limitation" to the card would be an
appropriate function, again requiring both read and write access to the
card.

In light of this, I can see why TOCs are not exactly falling over
themselves to roll out this card, and are basically doing the bare
minimum required by their franchise agreements.

Robin
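
Added illustration, not part of any post in this thread and not ITSO's actual record layout or cryptography: a Go sketch of the trade-off argued above, contrasting a reader that holds only a public verification key with one that holds a shared secret. The `Record` layout, the names `PublicKeyReader` and `SharedKeyReader`, and all sample values are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is a constructed stored-value record (an assumption, not the ITSO layout).
type Record struct {
	CardID  uint32
	Counter uint32 // incremented on every write
	Pence   uint32 // stored balance in pence
}

// Bytes is the fixed-width encoding that gets signed or MACed.
func (r Record) Bytes() []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint32(b[0:4], r.CardID)
	binary.BigEndian.PutUint32(b[4:8], r.Counter)
	binary.BigEndian.PutUint32(b[8:12], r.Pence)
	return b
}

// Debit returns the record as it must be rewritten after a PAYG fare.
func (r Record) Debit(fare uint32) (Record, error) {
	if fare > r.Pence {
		return r, errors.New("insufficient balance")
	}
	return Record{CardID: r.CardID, Counter: r.Counter + 1, Pence: r.Pence - fare}, nil
}

// PublicKeyReader is a handheld holding only a verification key.
type PublicKeyReader struct{ pub ed25519.PublicKey }

func (p PublicKeyReader) Verify(r Record, sig []byte) bool {
	return ed25519.Verify(p.pub, r.Bytes(), sig)
}

// SharedKeyReader is a device holding the same secret the issuer uses.
type SharedKeyReader struct{ key []byte }

func (s SharedKeyReader) Tag(r Record) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write(r.Bytes())
	return m.Sum(nil)
}

func (s SharedKeyReader) Verify(r Record, tag []byte) bool {
	return hmac.Equal(s.Tag(r), tag)
}

type Results struct {
	IssuedOK, EditedOK, DebitedOldSigOK, StaleStateOK bool
	SharedDebitOK, SharedKeyMintOK                    bool
}

// Demo runs both models over one constructed record and reports what is accepted.
func Demo() (Results, error) {
	var out Results
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	reader := PublicKeyReader{pub: pub}
	issued := Record{CardID: 1001, Counter: 7, Pence: 2000} // constructed sample
	sig := ed25519.Sign(priv, issued.Bytes())

	out.IssuedOK = reader.Verify(issued, sig) // offline check, no secret on the device
	edited := issued
	edited.Pence = 50000
	out.EditedOK = reader.Verify(edited, sig) // changed balance under the old signature

	// A PAYG debit changes the record, and the handheld has no key to re-sign it.
	debited, err := issued.Debit(350)
	if err != nil {
		return out, err
	}
	out.DebitedOldSigOK = reader.Verify(debited, sig)

	// The earlier state still verifies: a signature proves origin, not freshness.
	newSig := ed25519.Sign(priv, debited.Bytes())
	out.StaleStateOK = reader.Verify(debited, newSig) && reader.Verify(issued, sig)

	// With a shared key the device can debit and re-authenticate offline...
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return out, err
	}
	dev := SharedKeyReader{key: key}
	out.SharedDebitOK = dev.Verify(debited, dev.Tag(debited))
	// ...but any holder of that key authenticates any record, so it must stay protected.
	out.SharedKeyMintOK = dev.Verify(edited, SharedKeyReader{key: key}.Tag(edited))
	return out, nil
}

func main() {
	res, err := Demo()
	fmt.Printf("%+v err=%v\n", res, err)
}
```
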
Roland Perry
2023-02-08 08:53:28 UTC
Post by Bob
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how do they
work? Could people who aren’t ticket inspectors get the data
out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to
contain is actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support the feature of loading a pre-purchased ticket as you
touch the barrier).
The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid
of credit on it any time you pleased.
Signing with a public key doesn't validate the ticket.  The gripper or
barrier verifies that the stored-value is signed with one of the private
keys held only by authorised ticket sellers, not just any old key.
That doesn't allow for PAYG stored value, which was a key feature
intended for ITSO. The desire was for a system where the passenger can
do like you do with Oyster and tap the card in (and where necessary
out), and the value stored on the card is debited for the trip made.
That requires both read (to check the balance is sufficient) and write
(to record the journey and adjust the balance) operations.
Not just a "desire", it's been delivered (in pockets across the country,
anyway).
Post by Bob
By baking that requirement into the system, it means that whatever
machine is interacting with the card has to have access to the full
cryptographic information to make the transaction happen. If that
information falls into the wrong hands, the entire ITSO system is
compromised.
Why wouldn't the QR-ticket system be similarly compromised; or in fact
is it, and they don't care?
Post by Bob
Hence the decision to store that part of it securely and have the
machines that interrogate the card interact with it over the internet.
But once you have a "I need to phone home" requirement, the whole
raison d'etre of the concept of "store it on the card" rather than
"store it on the server with card as token" falls apart.
Has every bus that accepts an ITSO PAYG card had connectivity (and we
just didn't notice?)
Post by Bob
But not only is that lost, the decisions made about how to store data
on the card also is deficient for railway use, in that the decisions
made on how to store data does not permit a significant type of ticket,
namely train-specific AP tickets, to actually be represented
adequately on the stored data.
That does seem a bit of a problem with the current implementation, but I
understand ITSO cards can run many different "applications", and so a
new one could be deployed.
Post by Bob
If the system did allow for AP tickets, I would also think a method of
writing to the card "earlier train delayed, ignore the train-specific
limitation" to the card would be an appropriate function, again
requiring both read and write access to the card.
And for QR-tickets? [While we are at it, also m-tickets].
Post by Bob
In light of this, I can see why TOCs are not exactly falling over
themselves to roll out this card, and are basically doing the bare
minimum required by their franchise agreements.
Is the interoperability between EMR and Greater Anglia a franchise
commitment? Or was it something they'd actually have had to do work to
turn off.
--
Roland Perry
Bob
2023-02-08 09:30:44 UTC
Post by Roland Perry
Post by Bob
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how  do they
work? Could people who aren’t ticket inspectors get the data
out  of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete  mess  and it's probably never going to be possible to
use a  single ITSO card  across a number of transport
authorities.  But  Oyster, despite being  designed some years
earlier, looks good by  comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the  ability to validate whether a ticket a card claims to
contain is  actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to  support the feature of loading a pre-purchased ticket as you
touch  the barrier).
The data is signed but the keys to validate the signature need to
be  stored securely, so can not be conveyed locally on portable
reading  machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid
of  credit on it any time you pleased.
 Signing with a public key doesn't validate the ticket.  The gripper or
barrier verifies that the stored-value is signed with one of the private
keys held only by authorised ticket sellers, not just any old key.
That doesn't allow for PAYG stored value, which was a key feature
intended for ITSO. The desire was for a system where the passenger can
do like you do with Oyster and tap the card in (and where necessary
out), and the value stored on the card is debited for the trip made.
That requires both read (to check the balance is sufficient) and
write (to record the journey and adjust the balance) operations.
Not just a "desire", it's been delivered (in pockets across the country,
anyway).
Post by Bob
By baking that requirement into the system, it means that whatever
machine is interacting with the card has to have access to the full
cryptographic information to make the transaction happen. If that
information falls into the wrong hands, the entire ITSO system is
compromised.
Why wouldn't the QR-ticket system be similarly compromised; or in fact
is it, and they don't care?
Change the keys, invalidate and re-issue new ones for any that are
issued-but-not-used, reject all that use the old keys. ITSO cards have
the problem of being used for stored value, so you can't just invalidate
all the balances on all the cards up and down the country, and you have
no way of knowing how much money might be there, or how much fake money
might have been added using the stolen data.
Post by Roland Perry
Post by Bob
Hence the decision to store that part of it securely and have the
machines that interrogate the card interact with it over the internet.
But once you have a "I need to phone home" requirement, the whole
raison d'etre of the concept of "store it on the card" rather than
"store it on the server with card as token" falls apart.
Has every bus that accepts an ITSO PAYG card had connectivity (and we
just didn't notice?)
One can only presume so, because that's how the system has to work.
Post by Roland Perry
Post by Bob
But not only is that lost, the decisions made about how to store data
on the card also is deficient for railway use, in that the decisions
made on how to store data does not permit a significant type of
ticket, namely train-specific AP tickets, to actually be represented
adequately on the stored data.
That does seem a bit of a problem with the current implementation, but I
understand ITSO cards can run many different "applications", and so a
new one could be deployed.
It depends on how flexible things actually are, and how much is baked
into hardware deployed all across the country.
Post by Roland Perry
Post by Bob
If the system did allow for AP tickets, I would also think a method of
writing to the card "earlier train delayed, ignore the train-specific
limitation" to the card would be an appropriate function, again
requiring both read and write access to the card.
And for QR-tickets? [While we are at it, also m-tickets].
They do have the drawback of being a read-only format. One reason why a
token based e-ticket is a more flexible system than a bearer-bond
m-ticket concept. At least QR tickets can handle train-specific tickets
Post by Roland Perry
Post by Bob
In light of this, I can see why TOCs are not exactly falling over
themselves to roll out this card, and are basically doing the bare
minimum required by their franchise agreements.
Is the interoperability between EMR and Greater Anglia a franchise
commitment? Or was it something they'd actually have had to do work to
turn off.
You'd have to look up what commitments are written into the franchise to
find out.

Robin
Bob
2023-02-08 12:15:49 UTC
Post by Roland Perry
Post by Bob
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how  do they
work? Could people who aren’t ticket inspectors get the data
out  of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete  mess  and it's probably never going to be possible to
use a  single ITSO card  across a number of transport
authorities.  But  Oyster, despite being  designed some years
earlier, looks good by  comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the  ability to validate whether a ticket a card claims to
contain is  actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to  support the feature of loading a pre-purchased ticket as you
touch  the barrier).
The data is signed but the keys to validate the signature need to
be  stored securely, so can not be conveyed locally on portable
reading  machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key, you could just write to the card that you have 500 quid
of  credit on it any time you pleased.
 Signing with a public key doesn't validate the ticket.  The gripper or
barrier verifies that the stored-value is signed with one of the private
keys held only by authorised ticket sellers, not just any old key.
That doesn't allow for PAYG stored value, which was a key feature
intended for ITSO. The desire was for a system where the passenger can
do like you do with Oyster and tap the card in (and where necessary
out), and the value stored on the card is debited for the trip made.
That requires both read (to check the balance is sufficient) and
write (to record the journey and adjust the balance) operations.
Not just a "desire", it's been delivered (in pockets across the country,
anyway).
Setting aside the technical specifics for a moment, I think it's worth
considering what problems need to be solved, what problems ITSO does
solve, and whether ITSO is a good solution.

When ITSO started, there was a basic concept to provide the following
things:

1 smart card for all public transport.
The ability to load all bus, rail tram etc ticket types onto the card
The ability to do the same kinds of ticket checks and inspections for
revenue protection as are done on paper tickets
The ability to support stored value PAYG type tickets to be rolled out
as operators adopt that method of ticketing.

Taking ITSO as it currently exists:

1 smart card for all public transport. That's a fail. There are no
operators who accept all other operators cards, and there are many that
support none issued by anyone but themselves.

Ability to load all bus, rail, tram etc ticket types. That's a fail. AP
rail tickets are not compatible.

Revenue protection. That's a fail. Validating a ticket requires an
internet connection, not available in all places.

Ability to support PAYG as it gets rolled out. Yes, it seems to have
this one working.

1 out of 4 objectives met. One of the fails is an organisational rather
than technical fail, so it would be possible to meet that if the right
people were pushed into doing so.

Objectives 2 and 3 are already better served by QR code technology, that
can be issued on ticket stock, printed at home or stored on a phone,
because that does not have the limitations that ITSO has. Many places
have adopted CCC payments alongside or instead of dedicated smartcard
PAYG solutions, with the benefit that 1 card covers all operators,
something ITSO spectacularly fails at.

So, the questions I would ask are, after nearly 15 years of development,
is it not reasonable to say that ITSO has failed to achieve its
objectives, and second, would we be better served letting ITSO as it
currently exists die and put our efforts into finding a means of
non-cardboard ticketing that actually meets our needs?

Robin
Roland Perry
2023-02-08 08:23:57 UTC
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
do they
work? Could people who aren’t ticket inspectors get the data
of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
Post by Bob
you could just write to the card that you have 500 quid of credit on
it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of the
benefits of having things stored cryptographically on the card, rather
than on a central database are gone.
Apart from when passengers want to examine what tickets they have in
their centrally-held 'wallet', and don't have connectivity.
--
Roland Perry
Bob
2023-02-08 08:38:26 UTC
Post by Roland Perry
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and do
they
work? Could people who aren’t ticket inspectors get the data of
them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a
single ITSO card  across a number of transport authorities.  But
Oyster, despite being  designed some years earlier, looks good by
comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently
loaded on the ticket can only be done with an active internet
connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support  the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
 Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a bus
with no data connectivity? That's supposed to be a core function of ITSO.
Post by Roland Perry
Post by Bob
you could just write to the card that you have 500 quid of credit on
it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of the
benefits of having things stored cryptographically on the card, rather
than on a central database are gone.
Apart from when passengers want to examine what tickets they have in
their centrally-held 'wallet', and don't have connectivity.
You can't do that with ITSO with certainty, because there is no way to
differentiate between a real ticket and some data that looks like a
ticket stored on the card that is actually fake, unless you verify the
data via the server.

Robin
Roland Perry
2023-02-08 08:55:16 UTC
Post by Bob
Post by Roland Perry
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
work? Could people who aren’t ticket inspectors get the data
of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to
contain is actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support  the feature of loading a pre-purchased ticket as
you touch the barrier).
The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
 Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a bus
with no data connectivity? That's supposed to be a core function of ITSO.
Post by Roland Perry
Post by Bob
you could just write to the card that you have 500 quid of credit on
it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of
the benefits of having things stored cryptographically on the card,
rather than on a central database are gone.
Apart from when passengers want to examine what tickets they have in
their centrally-held 'wallet', and don't have connectivity.
You can't do that with ITSO with certainty, because there is no way to
differentiate between a real ticket and some data that looks like a
ticket stored on the card that is actually fake, unless you verify the
data via the server.
How many passengers are going to find someone has loaded a fake ticket
without their knowledge. That's getting very obscure.
--
Roland Perry
Bob
2023-02-08 09:31:11 UTC
Post by Roland Perry
Post by Bob
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
work? Could people who aren’t ticket inspectors get the data
of  them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete  mess  and it's probably never going to be possible to
use a  single ITSO card  across a number of transport
authorities.  But  Oyster, despite being  designed some years
earlier, looks good by  comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the  ability to validate whether a ticket a card claims to
contain is  actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to  support  the feature of loading a pre-purchased ticket as
you touch  the barrier).
The data is signed but the keys to validate the signature need to
be  stored securely, so can not be conveyed locally on portable
reading  machines.
 Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key,
 Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a bus
with no data connectivity? That's supposed to be a core function of ITSO.
Post by Bob
you could just write to the card that you have 500 quid of credit on
it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Right, and once you get to the "online only" paradigm, then all of
the  benefits of having things stored cryptographically on the card,
rather  than on a central database are gone.
 Apart from when passengers want to examine what tickets they have in
their centrally-held 'wallet', and don't have connectivity.
You can't do that with ITSO with certainty, because there is no way to
differentiate between a real ticket and some data that looks like a
ticket stored on the card that is actually fake, unless you verify the
data via the server.
How many passengers are going to find someone has loaded a fake ticket
without their knowledge. That's getting very obscure.
Says the king of edge cases.

Robin
Roland Perry
2023-02-08 14:34:05 UTC
Post by Bob
Post by Roland Perry
Post by Bob
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for
an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
work? Could people who aren’t ticket inspectors get the
of  them?
It turns out that the answer is a bit more interesting than
I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete  mess  and it's probably never going to be possible
to use a  single ITSO card  across a number of transport
authorities.  But  Oyster, despite being  designed some
years earlier, looks good by  comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the  ability to validate whether a ticket a card claims to
contain is  actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a
bit of a problem. But aren't all gates supposed to be online
anyway (to  support  the feature of loading a pre-purchased
ticket as you touch  the barrier).
The data is signed but the keys to validate the signature need
to be  stored securely, so can not be conveyed locally on
portable reading  machines.
 Really?  Can't we sign with a private key and verify with a
public key?
The system was designed to be usable as a stored-value card for
PAYG journeys (as is commonly used for things like buses or other
local public transport). If you could write to the card and sign
it with a public key,
 Sign it with the private key! Read/verify it with the
corresponding public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a
bus with no data connectivity? That's supposed to be a core function
of ITSO.
Post by Bob
you could just write to the card that you have 500 quid of credit
on it any time you pleased.
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost
season etc.)
Right, and once you get to the "online only" paradigm, then all of
the  benefits of having things stored cryptographically on the
card, rather  than on a central database are gone.
 Apart from when passengers want to examine what tickets they have
in their centrally-held 'wallet', and don't have connectivity.
You can't do that with ITSO with certainty, because there is no way
to differentiate between a real ticket and some data that looks like
a ticket stored on the card that is actually fake, unless you verify
the data via the server.
How many passengers are going to find someone has loaded a fake
ticket without their knowledge. That's getting very obscure.
Says the king of edge cases.
What's that supposed to mean?

Identifying edge cases is important, even if only to say "we don't care
about them".

Where not-caring could be anything from throwing the consumer under the
bus, to not getting OCD about grasping every single penny of revenue.

But to make that kind of decision, you need to know the edge case
exists.

Anyway, *you* brought up the subject of fake data, please explain what
circumstances you think that would be discovered in the wild.
--
Roland Perry
Rolf Mantel
2023-02-08 10:14:08 UTC
Post by Bob
Post by Roland Perry
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and do
they
work? Could people who aren’t ticket inspectors get the data of
them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to contain
is actually a real ticket as opposed to false data fraudulently
loaded on the ticket can only be done with an active internet
connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support  the feature of loading a pre-purchased ticket as you
touch the barrier).
The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
 Really?  Can't we sign with a private key and verify with a public key?
The system was designed to be usable as a stored-value card for PAYG
journeys (as is commonly used for things like buses or other local
public transport). If you could write to the card and sign it with a
public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a bus
with no data connectivity? That's supposed to be a core function of ITSO.
One meaningfully secure scenario would be a hardware 'private key' card
'Currently this bus is running a TfL service' inserted into each
non-stationary (bus) terminal.

If the private key is corrupted, issue a new set of 'private key' cards.
Additionally, validate past transactions stored on the ticket via the
public keys whenever the ticket is inserted into a stationary terminal.

Rolf
Roland Perry
2023-02-08 10:29:11 UTC
Post by Rolf Mantel
Post by Bob
Post by Roland Perry
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket,
and do they
work? Could people who aren’t ticket inspectors get the
data of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to
contain is actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support  the feature of loading a pre-purchased ticket as
you touch the barrier).
The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
 Really?  Can't we sign with a private key and verify with a
public key?
The system was designed to be usable as a stored-value card for
PAYG journeys (as is commonly used for things like buses or other
local public transport). If you could write to the card and sign it
with a public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a
bus with no data connectivity? That's supposed to be a core function
of ITSO.
Sorry missed that question earlier
Post by Rolf Mantel
One meaningfully secure scenario would be a hardware 'private key' card
'Currently this bus is running a TfL service' inserted into each
non-stationary (bus) terminal.
If the private key is corrupted, issue a new set of 'private key'
cards. Additionally, validate past transactions stored on the ticket
via the public keys whenever the ticket is inserted into a stationary
terminal.
Rather than overcomplicate things with extra equipment, why not trust
the card to be telling the truth, and when you get back to the depot at
night, if it turns out the card was loaded with counterfeit money, block
the card entirely from any further use.

That should be sufficient to make counterfeiting funds not worth the
candle. And being a bus ride, the £3 or whatever has no cost of sales,
so is just part of "doing business".
--
Roland Perry
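
The approach suggested in the post above (accept the card offline, check at the depot, block the card), sketched as an added example that is not part of any post in this thread and is not ITSO code. The card fields, class names, card ids and amounts are constructed for illustration; the back office is assumed to hold a ledger of every legitimate top-up.

```python
"""End-of-day reconciliation for an offline stored-value terminal.

Illustrative model only: the card layout, names and amounts are
constructed for this example and are not ITSO data structures.
"""
from dataclasses import dataclass


@dataclass
class Card:
    card_id: str
    balance_pence: int = 0   # value stored on the card itself
    seq: int = 0             # per-card transaction counter


@dataclass(frozen=True)
class Tap:
    card_id: str
    seq: int
    claimed_balance_pence: int   # what the card reported before the fare
    fare_pence: int


class BusTerminal:
    """No connectivity on the road: believes the card but logs every tap."""

    def __init__(self, hotlist=()):
        self.hotlist = set(hotlist)   # refreshed whenever the bus is at the depot
        self.log = []

    def tap(self, card, fare_pence):
        if card.card_id in self.hotlist or card.balance_pence < fare_pence:
            return False
        self.log.append(Tap(card.card_id, card.seq, card.balance_pence, fare_pence))
        card.balance_pence -= fare_pence
        card.seq += 1
        return True


class BackOffice:
    def __init__(self):
        self.ledger = {}      # card_id -> balance the operator can account for
        self.hotlist = set()

    def top_up(self, card, amount_pence):
        self.ledger[card.card_id] = self.ledger.get(card.card_id, 0) + amount_pence
        card.balance_pence += amount_pence
        card.seq += 1

    def reconcile(self, taps):
        """Replay the day's taps in card order; return fares lost per blocked card."""
        losses = {}
        for tap in sorted(taps, key=lambda t: (t.card_id, t.seq)):
            expected = self.ledger.get(tap.card_id, 0)
            # A card claiming more value than the ledger can explain is blocked.
            # A lower claim is tolerated: another bus's log may not be in yet.
            if tap.card_id in self.hotlist or tap.claimed_balance_pence > expected:
                self.hotlist.add(tap.card_id)
                losses[tap.card_id] = losses.get(tap.card_id, 0) + tap.fare_pence
            else:
                self.ledger[tap.card_id] = tap.claimed_balance_pence - tap.fare_pence
        return losses


def simulate_day():
    office = BackOffice()
    card_a, card_b = Card("A"), Card("B")
    office.top_up(card_a, 1000)
    office.top_up(card_b, 500)
    card_b.balance_pence = 50000   # constructed: value the ledger never saw

    bus1, bus2 = BusTerminal(), BusTerminal()
    bus1.tap(card_a, 300)
    bus2.tap(card_a, 300)
    bus1.tap(card_b, 300)
    bus2.tap(card_b, 300)
    bus1.tap(card_b, 300)

    losses = office.reconcile(bus1.log + bus2.log)   # back at the depot
    next_day = BusTerminal(hotlist=office.hotlist)
    return {
        "losses": losses,
        "hotlist": set(office.hotlist),
        "ledger_a": office.ledger["A"],
        "b_accepted_next_day": next_day.tap(card_b, 300),
        "a_accepted_next_day": next_day.tap(card_a, 300),
    }


if __name__ == "__main__":
    print(simulate_day())
```

The operator's exposure in this model is bounded by the fares taken between the first bad tap and the next hotlist refresh, which is the trade-off the post describes.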
Bob
2023-02-08 11:15:32 UTC
Post by Roland Perry
Post by Rolf Mantel
Post by Roland Perry
Post by Bob
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an
interesting
read.
“But what data is inside the barcode of a mobile ticket, and
do  they
work? Could people who aren’t ticket inspectors get the data
of  them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to
use a single ITSO card  across a number of transport
authorities.  But Oyster, despite being  designed some years
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to
contain  is actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support  the feature of loading a pre-purchased ticket as
you touch the barrier).
The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
 Really?  Can't we sign with a private key and verify with a
public  key?
The system was designed to be usable as a stored-value card for
PAYG  journeys (as is commonly used for things like buses or other
local  public transport). If you could write to the card and sign
it with a  public key,
Sign it with the private key! Read/verify it with the corresponding
public key.
And if I'm actually buying a ticket with a PAYG balance on, eg a
bus  with no data connectivity? That's supposed to be a core function
of ITSO.
Sorry missed that question earlier
Post by Rolf Mantel
One meaningfully secure scenario would be a hardware 'private key'
card 'Currently this bus is running a TfL service' inserted into each
non-stationary (bus) terminal.
If the private key is corrupted, issue a new set of 'private key'
cards.  Additionally, validate past transactions stored on the ticket
via the public keys whenever the ticket is inserted into a stationary
terminal.
Rather than overcomplicate things with extra equipment, why not trust
the card to be telling the truth, and when you get back to the depot at
night, if it turns out the card was loaded with counterfeit money, block
the card entirely from any further use.
Funny how when this topic has come up in the past, and you insisted that
all ticket checks had to be online, and I suggested that just making a
record, reconciling them at the end of the day and fining/banning people
found to be in violation, you insisted that was not an acceptable solution.

Robin
Roland Perry
2023-02-08 08:19:08 UTC
Permalink
Post by Certes
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how do they
work? Could people who aren’t ticket inspectors get the data
out of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a
complete mess and it's probably never going to be possible to use
a single ITSO card across a number of transport authorities. But Oyster,
despite being designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really? Can't we sign with a private key and verify with a public key?
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Wouldn't those things also apply to QR-coded tickets?
--
Roland Perry
Bob
2023-02-08 08:46:34 UTC
Permalink
Post by Roland Perry
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how
do  they
work? Could people who aren’t ticket inspectors get the data out
of  them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a complete
mess and it's probably never going to be possible to use a single ITSO
card across a number of transport authorities. But Oyster,
despite being designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
 The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines.
Really?  Can't we sign with a private key and verify with a public key?
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Wouldn't those things also apply to QR-coded tickets?
Yes, or any token-based system with the data stored on some server. The
thing is I already have things about my person that can serve these
functions perfectly well. My phone can display QR codes. My bank card
can serve as a token. What can an ITSO do that these things can't also
do? Why do I need another object to be lost, forgotten or stolen, in
addition to the ones I already have for other purposes?

Robin
Roland Perry
2023-02-08 10:06:11 UTC
Permalink
Post by Roland Perry
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how do  they work? Could people who aren’t ticket
inspectors get the data out of  them? It turns out that the
answer is a bit more interesting than I initially expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a
complete mess and it's probably never going to be possible to
use a single ITSO card across a number of transport authorities. But
Oyster, despite being designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to contain
is actually a real ticket as opposed to false data fraudulently
loaded on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support the feature of loading a pre-purchased ticket as you
touch the barrier).
 The data is signed but the keys to validate the signature need to
be stored securely, so can not be conveyed locally on portable
reading machines.
Really?  Can't we sign with a private key and verify with a public key?
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
Wouldn't those things also apply to QR-coded tickets?
Yes, or any token-based system with the data stored on some server. The
thing is I already have things about my person that can serve these
functions perfectly well. My phone can display QR codes. My bank card
can serve as a token. What can an ITSO do that these things can't also
do?
It can be a purse for funds, or a wallet for a ticket, which you then
hand to a third party (maybe a child) to facilitate their journey.
Why do I need another object to be lost, forgotten or stolen, in
addition to the ones I already have for other purposes?
Carry the card next to your Debit Card (people haven't complained in
droves about having to carry an Oyster Card, or a photo driving licence,
or a photo season card ID, or a Railcard, or a concessionary Bus Pass),
and frankly the smartphone aspect is in danger of causing my
single-point-of-failure-o-meter to go off the scale.
--
Roland Perry
Bob
2023-02-08 10:55:13 UTC
Permalink
Post by Roland Perry
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and
how  do  they  work? Could people who aren’t ticket inspectors
get the data out  of  them?  It turns out that the answer is a
bit more interesting than I  initially  expected!” and lots more…
It was a very interesting talk. In summary: ITSO is a
complete mess and it's probably never going to be possible to
use a single ITSO card across a number of transport authorities. But
Oyster, despite being designed some years earlier, looks good
by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular
the ability to validate whether a ticket a card claims to
contain is actually a real ticket as opposed to false data
fraudulently loaded on the ticket can only be done with an
active internet connection.
That suggests the data isn't signed at all, which would be a bit
of a problem. But aren't all gates supposed to be online anyway
(to support the feature of loading a pre-purchased ticket as you
touch the barrier).
 The data is signed but the keys to validate the signature need to
be  stored securely, so can not be conveyed locally on portable
reading  machines.
Really?  Can't we sign with a private key and verify with a public key?
I do see other difficulties which could only be verified online, such as
whether the ticket has already been used or cancelled (lost season etc.)
 Wouldn't those things also apply to QR-coded tickets?
Yes, or any token-based system with the data stored on some server.
The thing is I already have things about my person that can serve
these functions perfectly well. My phone can display QR codes.  My
bank card can serve as a token. What can an ITSO do that these things
can't also do?
It can be a purse for funds, or a wallet for a ticket, which you then
hand to a third party (maybe a child) to facilitate their journey.
Post by Bob
Why do I need another object to be lost, forgotten or stolen, in
addition to the ones I already have for other purposes?
Carry the card next to your Debit Card (people haven't complained in
droves about having to carry an Oyster Card
They have in that when CCC payments were enabled on TfL the use of
Oyster PAYG dropped quite significantly. All of those people who had
been using Oyster PAYG decided it was, in fact, too much effort.

Robin
Roland Perry
2023-02-08 08:47:08 UTC
Permalink
Post by Bob
Post by Roland Perry
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how
do they
work? Could people who aren’t ticket inspectors get the data out
of them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a
complete mess  and it's probably never going to be possible to use
a single ITSO card  across a number of transport authorities.  But
Oyster, despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines. The reading machines can read the basic data, but can't
verify the signature unless they are online.
Unlike the QR-code reading apparatus discussed yesterday. If they can do
it...
Post by Bob
Post by Roland Perry
Post by Bob
Also it suggests that a way to load an AP train-specific ticket onto
an ITSO card in a way that a ticket check of that ticket can actually
identify which train it is supposed to be valid for can't really be
done with the way ITSO is set up.
Again, that suggests an ITSO ticket has neither a time nor a train
number and seat number coded into it.
Correct.
I feel some mystery-shopping coming on :)

The ITSO card I have with a ticket on is an Open Single, so wouldn't
make sense to have a specific train burnt in (nor presumably if it were
a QR-ticket). Would the ITSO ticket not have that added if I also made a
seat reservation (either for an Open ticket, or an AP)?
Post by Bob
Post by Roland Perry
Post by Bob
So if an ITSO ticket can't be checked without an active internet
connection, and it can't even store a basic ticket type commonly used
on the network, it seems basically a dead end. If you have to have an
internet connection active to check a ticket, you may as well use a
system of a token associated with an online database somewhere and
forget the idea of storing the actual ticket on a physical card.
Up to a point. Having the data loaded onto the card allows the
passenger to read the information without an active Internet
connection (ie simply with an NFC card reader).
They are set up in such a way that anyone can read the basic data, but
the data can't be validated cryptographically, in which case anyone can
write a fake ticket with a simple PC, and unless the cryptographic
signature can be validated, it is relatively simple to load a fake
ticket onto the card.
Post by Roland Perry
Post by Bob
[1] http://youtu.be/IcdARsqJhEI
What does it say about ITSO purses, and how would you implement that
using a token system, for example if boarding a bus that *doesn't*
have an active Internet connection at that instant.
Using the system used in London, the Netherlands etc.
A tad too enigmatic. Oyster has a purse, but I don't think they use that
card technology in the Netherlands - or perhaps they do?

CCC isn't a purse [unless we want to stretch the definition to include a
pre-pay debit card, in which case maybe GBR needs to market one to make
it more obvious to the public as a possible modality], and KeyGo works
in London and is an ITSO purse [currently ring fenced to GTR heavy rail
but that's just a simple back-office issue because we know 'the Key' is
recognized all across London because of Travelcard season tickets loaded
onto it], but weren't we looking for a non-ITSO solution.
--
Roland Perry
Bob
2023-02-08 10:52:22 UTC
Permalink
Post by Roland Perry
Post by Bob
Post by Bob
Post by Tweed
This https://eta.st/2023/01/31/rail-tickets.html makes for an interesting
read.
“But what data is inside the barcode of a mobile ticket, and how
do  they
work? Could people who aren’t ticket inspectors get the data out
of  them?
It turns out that the answer is a bit more interesting than I initially
expected!” and lots more…
 It was a very interesting talk.   In summary: ITSO is a complete
mess  and it's probably never going to be possible to use a single
ITSO card  across a number of transport authorities.  But Oyster,
despite being  designed some years earlier, looks good by comparison.
Followed the link to the video [1] of the talk about ITSO.
Highlights some major flaws in the ITSO concept, in particular the
ability to validate whether a ticket a card claims to contain is
actually a real ticket as opposed to false data fraudulently loaded
on the ticket can only be done with an active internet connection.
That suggests the data isn't signed at all, which would be a bit of
a problem. But aren't all gates supposed to be online anyway (to
support the feature of loading a pre-purchased ticket as you touch
the barrier).
The data is signed but the keys to validate the signature need to be
stored securely, so can not be conveyed locally on portable reading
machines. The reading machines can read the basic data, but can't
verify the signature unless they are online.
Unlike the QR-code reading apparatus discussed yesterday. If they can do
it...
As QR is inherently a read-only technology, they can get away with a
public key for decryption, allowing an offline verification. For
whatever reason, ITSO decided that function shouldn't be part of their spec.
Post by Roland Perry
Post by Bob
Post by Bob
Also it suggests that a way to load an AP train-specific ticket onto
an ITSO card in a way that a ticket check of that ticket can
actually identify which train it is supposed to be valid for can't
really be done with the way ITSO is set up.
  Again, that suggests an ITSO ticket has neither a time nor a train
number and seat number coded into it.
Correct.
I feel some mystery-shopping coming on :)
The ITSO card I have with a ticket on is an Open Single, so wouldn't
make sense to have a specific train burnt in (nor presumably if it were
a QR-ticket). Would the ITSO ticket not have that added if I also made a
seat reservation (either for an Open ticket, or an AP)?
Post by Bob
Post by Bob
So if an ITSO ticket can't be checked without an active internet
connection, and it can't even store a basic ticket type commonly
used on the network, it seems basically a dead end. If you have to
have an internet connection active to check a ticket, you may as
well use a system of a token associated with an online database
somewhere and forget the idea of storing the actual ticket on a
physical card.
 Up to a point. Having the data loaded onto the card allows the
passenger  to read the information without an active Internet
connection (ie simply  with an NFC card reader).
They are set up in such a way that anyone can read the basic data, but
the data can't be validated cryptographically, in which case anyone
can write a fake ticket with a simple PC, and unless the cryptographic
signature can be validated, it is relatively simple to load a fake
ticket onto the card.
Post by Bob
[1] http://youtu.be/IcdARsqJhEI
 What does it say about ITSO purses, and how would you implement that
using a token system, for example if boarding a bus that *doesn't*
have  an active Internet connection at that instant.
Using the system used in London, the Netherlands etc.
A tad too enigmatic. Oyster has a purse, but I don't think they use that
card technology in the Netherlands - or perhaps they do?
CCC isn't a purse [unless we want to stretch the definition to include a
pre-pay debit card, in which case maybe GBR needs to market one to make
it more obvious to the public as a possible modality], and KeyGo works
in London and is an ITSO purse [currently ring fenced to GTR heavy rail
but that's just a simple back-office issue because we know 'the Key' is
recognized all across London because of Travelcard season tickets loaded
onto it], but weren't we looking for a non-ITSO solution.
CCC is a "purse", it's just the purse lives at your bank, rather than on
the card. I'm not sure exactly which technologies various other cities
and countries use, but I get the impression Cubic has sold the Oyster
technology to quite a few cities around the world which have had no
problems with it. I think the OV Chipkaart is basically a token based
system rather than a store-on-the-card based system.

Robin
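The posts above turn on one split: a reader that holds only the issuer's public key can reject altered tickets offline, while reuse and cancellation need either a synced list or end-of-day reconciliation. An added sketch of that split in Go (not part of the thread, and not the real ITSO or rail barcode format; the ticket layout, field names and key seed are constructed for illustration):

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Ticket is a constructed sample layout, not the real barcode or ITSO format.
type Ticket struct {
	Payload []byte
	Sig     []byte
}

// DemoKeys derives a fixed key pair from a constructed seed so the example is
// repeatable. A real issuer would generate its key from a CSPRNG and keep the
// private half in the back office only.
func DemoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv, priv.Public().(ed25519.PublicKey)
}

// Issue signs a ticket payload. Only the holder of the private key can do this.
func Issue(priv ed25519.PrivateKey, payload string) Ticket {
	return Ticket{Payload: []byte(payload), Sig: ed25519.Sign(priv, []byte(payload))}
}

// TicketID is a short stable identifier used in scan logs and cancellation lists.
func TicketID(t Ticket) string {
	h := sha256.Sum256(t.Payload)
	return hex.EncodeToString(h[:8])
}

// Reader models a portable device. It stores the issuer's PUBLIC key, a
// cancellation list copied at its last sync, and a log of accepted scans.
// Nothing on it is secret, so a stolen reader cannot mint tickets.
type Reader struct {
	pub       ed25519.PublicKey
	cancelled map[string]bool
	Seen      []string
}

func NewReader(pub ed25519.PublicKey, cancelled map[string]bool) *Reader {
	return &Reader{pub: pub, cancelled: cancelled}
}

// Check runs entirely offline and returns "forged", "cancelled" or "accepted".
func (r *Reader) Check(t Ticket) string {
	// ed25519.Verify panics on a wrong-sized key, so guard the length first.
	if len(r.pub) != ed25519.PublicKeySize || !ed25519.Verify(r.pub, t.Payload, t.Sig) {
		return "forged"
	}
	id := TicketID(t)
	if r.cancelled[id] {
		return "cancelled"
	}
	r.Seen = append(r.Seen, id)
	return "accepted"
}

// Reconcile is the end-of-day step: given the scan logs of several readers it
// returns the IDs accepted more than once, which no single offline reader
// could have noticed on its own.
func Reconcile(logs ...[]string) []string {
	count := map[string]int{}
	var dup []string
	for _, log := range logs {
		for _, id := range log {
			count[id]++
			if count[id] == 2 {
				dup = append(dup, id)
			}
		}
	}
	return dup
}

func main() {
	priv, pub := DemoKeys()
	genuine := Issue(priv, "id=T1001;class=STD;type=OPEN-SINGLE")

	// Same signature, edited payload: the signature no longer matches.
	edited := Ticket{Payload: []byte("id=T1001;class=1ST;type=OPEN-SINGLE"), Sig: genuine.Sig}

	a, b := NewReader(pub, nil), NewReader(pub, nil)
	fmt.Println("reader A, genuine:", a.Check(genuine))
	fmt.Println("reader A, edited: ", a.Check(edited))
	// A copy of the genuine ticket still verifies on a second offline reader.
	fmt.Println("reader B, copy:   ", b.Check(genuine))
	fmt.Println("flagged at depot: ", Reconcile(a.Seen, b.Seen))
}
```

The signature check needs no connectivity and no secret on the device; the copied ticket is only caught once the two readers' logs meet.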
Clive Page
2023-02-10 10:46:38 UTC
Permalink
CCC is a "purse", it's just the purse lives at your bank, rather than on the card. I'm not sure exactly which technologies various other cities and countries use, but I get the impression Cubic has sold the Oyster technology to quite a few cities around the world which have had no problems with it.  I think the OV Chipkaart is basically a token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of *tickets* issued by potentially a number of different train or even bus operating companies. You can't in general use one company's ticket on another's services. Whereas Oyster (and the credit/debit card equivalent) working in the London area is a store of value, which you can spend on the services of any rail/bus company operating in the area. The complexities of working out which rail/bus operator gets revenue for which journey are handled by the back office - whether that's now operated by TfL or Cubic I'm not sure.

Rolling that out nationally would be more difficult, especially because of the insistence of many operators of long-distance services of forcing passengers to buy tickets for specific services in advance. But apparently the OV ChipKaart in the NL seems to work all over the country, so maybe that's possible. The impression I've got is that the ChipKaart doesn't work on Inter-city or international services; in a fairly compact country like the Netherlands that might be good enough.

But the current Transport Secretary's recent remarks that he wants fares to be more demand-driven than they already are is very much at odds with the idea of rolling out a payment card system like Oyster to cover the whole country, as it is unreasonable to expect people to pay a whole range of different fares depending on how long in advance they booked (impossible with a stored-value card of course) and what time of day they travel. I don't know whether he has noticed the inherent conflict, but surely some transport officials must have done so.
--
Clive Page
Bob
2023-02-10 13:13:21 UTC
Permalink
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather than
on the card. I'm not sure exactly which technologies various other
cities and countries use, but I get the impression Cubic has sold the
Oyster technology to quite a few cities around the world which have
had no problems with it.  I think the OV Chipkaart is basically a
token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of *tickets*
issued by potentially a number of different train or even bus operating
companies.  You can't in general use one company's ticket on another's
services.
There are ITSO cards that can be used as stored value PAYG cards. The
concept behind ITSO is that any ITSO card should be able to be used by
any ITSO compatible system, so if I get a card from, say, Stagecoach
bus, I can use the same card for, say, the Glasgow subway. The way the
systems have been rolled out, though, means that with a very few
exceptions, the cards do not work with anyone other than the issuer.
This is the card itself, as distinct from the digital ticket stored
within it.
Post by Clive Page
Whereas Oyster (and the credit/debit card equivalent)
working in the London area is a store of value, which you can spend on
the services of any rail/bus company operating in the area.   The
complexities of working out which rail/bus operator gets revenue for
which journey are handled by the back office - whether that's now
operated by TfL or Cubic I'm not sure.
Rolling that out nationally would be more difficult, especially because
of the insistence of many operators of long-distance services of forcing
passengers to buy tickets for specific services in advance.  But
apparently the OV ChipKaart in the NL seems to work all over the
country, so maybe that's possible.  The impression I've got is that the
ChipKaart doesn't work on Inter-city or international services; in a
fairly compact country like the Netherlands that might be good enough.
NL does have some issues. If you change from a train operated by a
non-NS company onto an NS train, you have to tap out and tap in again.
In the UK case, the method for revenue sharing already exists, in that
if I buy an "any permitted" ticket on paper from a conventional ticket
office, there is already a formula for splitting the revenue between
multiple potential operators, through ORCATS.
Post by Clive Page
But the current Transport Secretary's recent remarks that he wants fares
to be more demand-driven than they already are is very much at odds with
the idea of rolling out a payment card system like Oyster to cover the
whole country, as it is unreasonable to expect people to pay a whole
range of different fares depending on how long in advance they booked
(impossible with a stored-value card of course) and what time of day
they travel.  I don't know whether he has noticed the inherent conflict,
but surely some transport officials must have done so.
The two different concepts seem to be pulling in different directions.
Broadly it seems that for long distance one-off or infrequent trips,
demand driven pricing and train specific tickets are favoured, while for
local frequent urban and commuter type operations, flexible tap in tap
out is favoured. The problem comes where a single train provides both
types of service along different parts of its route.

Robin
Roland Perry
2023-02-10 16:26:32 UTC
Permalink
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather than
on the card. I'm not sure exactly which technologies various other
cities and countries use, but I get the impression Cubic has sold the
Oyster technology to quite a few cities around the world which have
had no problems with it.  I think the OV Chipkaart is basically a
token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of
*tickets* issued by potentially a number of different train or even bus
operating companies. You can't in general use one company's ticket on
another's services.
I'll stop you right there.

If I buy a ticket from where I live to "London Terminals", I could use
it interavailably on:

Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.

Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.

Plus sundry interavailabilities between Tottenham Hale and Finsbury Park
on the tube.
Post by Clive Page
Whereas Oyster (and the credit/debit card equivalent) working in the
London area is a store of value, which you can spend on the services of
any rail/bus company operating in the area.
Aren't they still a bit grumpy about people using them on Javelin
services from S Pancras to Stratford?
Post by Clive Page
The complexities of working out which rail/bus operator gets revenue
for which journey are handled by the back office - whether that's now
operated by TfL or Cubic I'm not sure.
Cubic is who TfL outsource some of their stuff to. Unless Cubic is just
supplying the platform, and someone else is operating it. But these
nuances aren't of interest to most passengers.
Post by Clive Page
Rolling that out nationally would be more difficult, especially because
of the insistence of many operators of long-distance services of
forcing passengers to buy tickets for specific services in advance.
Can you name any which only accept advance bookings?
Post by Clive Page
But apparently the OV ChipKaart in the NL seems to work all over the
country, so maybe that's possible.
It's a small country with a relatively simple network.
Post by Clive Page
The impression I've got is that the ChipKaart doesn't work on
Inter-city or international services;
Yes, good luck on using it on Thalys even domestically.
Post by Clive Page
in a fairly compact country like the Netherlands that might be good
enough.
But the current Transport Secretary's recent remarks that he wants
fares to be more demand-driven than they already are is very much at
odds with the idea of rolling out a payment card system like Oyster to
cover the whole country, as it is unreasonable to expect people to pay
a whole range of different fares depending on how long in advance they
booked (impossible with a stored-value card of course) and what time of
day they travel.
I think some journalists are over-reading the "Uber analogy". The best
which could happen is for peak hours to be long term tweaked to be even
more different than now, on different flows.

But that's a distinct conflict with "simplification".
--
Roland Perry
Clive Page
2023-02-10 23:10:13 UTC
Permalink
Post by Roland Perry
CCC is a "purse", it's just the purse lives at your bank, rather than on the card. I'm not sure exactly which technologies various other cities and countries use, but I get the impression Cubic has sold the Oyster technology to quite a few cities around the world which have had no problems with it.  I think the OV Chipkaart is basically a token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of *tickets* issued by potentially a number of different train or even bus operating companies.  You can't in general use one company's ticket on another's services.
I'll stop you right there.
Any of XC, GA or GN to Cambridge; then either of XC and GA to the Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to Kings Cross and St Pancras (yes, there are Thameslink services which terminate at Kings Cross - go figure). For added diversity change at Stevenage onto LNER, or even onto a different GN train to Moorgate.
Plus sundry interavailabilities between Tottenham Hale and Finsbury Park on the tube.
I agree that a paper ticket is (or should be) valid on all of these, but is an ITSO ticket bought from one of these companies similarly flexible? I didn't know that, and there's very little information about it that I could find.
Post by Roland Perry
Aren't they still a bit grumpy about people using them on Javelin services from S Pancras to Stratford?
Not just grumpy, I thought that they weren't valid on that route, but I've never tried it.
Post by Roland Perry
Can you name any which only accept advance bookings?
Some summer Saturday trains from London terminals used to be marked as available only to those with seat reservations which can (or could) only be bought in advance. I don't know if that's still true.
--
Clive Page
Roland Perry
2023-02-11 07:03:35 UTC
Permalink
Post by Clive Page
Post by Roland Perry
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather
than on the card. I'm not sure exactly which technologies various
other cities and countries use, but I get the impression Cubic has
sold the Oyster technology to quite a few cities around the world
which have had no problems with it.  I think the OV Chipkaart is
basically a token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of
*tickets* issued by potentially a number of different train or even
bus operating companies.  You can't in general use one company's
ticket on another's services.
I'll stop you right there.
If I buy a ticket from where I live to "London Terminals", I could
Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.
Plus sundry interavailabilities between Tottenham Hale and Finsbury Park on the tube.
I agree that a paper ticket is (or should be) valid on all of these,
but is an ITSO ticket bought from one of these companies similarly
flexible? I didn't know that, and there's very little information
about it that I could find.
If it's an open ticket (or season), rather than an AP [which GTR doesn't
issue anyway], why on earth not?
Post by Clive Page
Post by Roland Perry
Aren't they still a bit grumpy about people using them on Javelin
services from S Pancras to Stratford?
Not just grumpy, I thought that they weren't valid on that route, but I've never tried it.
Exactly; "grumpy" means "not valid mate".
Post by Clive Page
Post by Roland Perry
Can you name any which only accept advance bookings?
Some summer Saturday trains from London terminals used to be marked as
available only to those with seat reservations which can (or could)
only be bought in advance. I don't know if that's still true.
That's a very specific handful of trains, and in the past, not a TOC's
whole ticket policy, all day every day.
--
Roland Perry
Anna Noyd-Dryver
2023-02-14 12:11:49 UTC
Permalink
Post by Clive Page
Post by Roland Perry
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather than
on the card. I'm not sure exactly which technologies various other
cities and countries use, but I get the impression Cubic has sold the
Oyster technology to quite a few cities around the world which have
had no problems with it.  I think the OV Chipkaart is basically a
token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of
*tickets* issued by potentially a number of different train or even bus
operating companies.  You can't in general use one company's ticket on
another's services.
I'll stop you right there.
If I buy a ticket from where I live to "London Terminals", I could use
Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.
Plus sundry interavailabilities between Tottenham Hale and Finsbury Park on the tube.
I agree that a paper ticket is (or should be) valid on all of these, but
is an ITSO ticket bought from one of these companies similarly flexible?
I didn't know that, and there's very little information about it that I could find.
Post by Roland Perry
Aren't they still a bit grumpy about people using them on Javelin
services from S Pancras to Stratford?
Not just grumpy, I thought that they weren't valid on that route, but I've never tried it.
Oyster and contactless are valid on Southeastern Highspeed services for
Stratford to St Pancras, but at a higher fare than travelling between those
two places by tube/EL/NR/whatever. The fare you pay for that journey is
outside any capping, though, rather like using Oyster/contactless for the
cable car, or river services. Or HEx.

<https://www.southeasternrailway.co.uk/tickets/more-ways-to-travel/high-speed>,
scroll down and click on "Using Oyster PAYG and Contactless".


Anna Noyd-Dryver
Recliner
2023-02-14 12:20:13 UTC
Permalink
Post by Anna Noyd-Dryver
Post by Clive Page
Post by Roland Perry
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather than
on the card. I'm not sure exactly which technologies various other
cities and countries use, but I get the impression Cubic has sold the
Oyster technology to quite a few cities around the world which have
had no problems with it.  I think the OV Chipkaart is basically a
token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of
*tickets* issued by potentially a number of different train or even bus
operating companies.  You can't in general use one company's ticket on
another's services.
I'll stop you right there.
If I buy a ticket from where I live to "London Terminals", I could use
Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.
Plus sundry interavailabilities between Tottenham Hale and Finsbury Park on the tube.
I agree that a paper ticket is (or should be) valid on all of these, but
is an ITSO ticket bought from one of these companies similarly flexible?
I didn't know that, and there's very little information about it that I could find.
Post by Roland Perry
Aren't they still a bit grumpy about people using them on Javelin
services from S Pancras to Stratford?
Not just grumpy, I thought that they weren't valid on that route, but I've never tried it.
Oyster and contactless are valid on Southeastern Highspeed services for
Stratford to St Pancras, but at a higher fare than travelling between those
two places by tube/EL/NR/whatever. The fare you pay for that journey is
outside any capping, though, rather like using Oyster/contactless for the
cable car, or river services. Or HEx.
Yes, and Freedom Passes are also not allowed on that route.
Post by Anna Noyd-Dryver
<https://www.southeasternrailway.co.uk/tickets/more-ways-to-travel/high-speed>,
scroll down and click on "Using Oyster PAYG and Contactless".
Roland Perry
2023-02-14 13:10:55 UTC
Permalink
Post by Anna Noyd-Dryver
Post by Clive Page
Post by Roland Perry
Post by Clive Page
Post by Bob
CCC is a "purse", it's just the purse lives at your bank, rather than
on the card. I'm not sure exactly which technologies various other
cities and countries use, but I get the impression Cubic has sold the
Oyster technology to quite a few cities around the world which have
had no problems with it.  I think the OV Chipkaart is basically a
token based system rather than a store-on-the-card based system.
I think the basic difference is that ITSO cards are a store of
*tickets* issued by potentially a number of different train or even bus
operating companies.  You can't in general use one company's ticket on
another's services.
I'll stop you right there.
If I buy a ticket from where I live to "London Terminals", I could use
Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.
Plus sundry interavailabilities between Tottenham Hale and Finsbury Park on the tube.
I agree that a paper ticket is (or should be) valid on all of these, but
is an ITSO ticket bought from one of these companies similarly flexible?
I didn't know that, and there's very little information about it that I could find.
Post by Roland Perry
Aren't they still a bit grumpy about people using them on Javelin
services from S Pancras to Stratford?
Not just grumpy, I thought that they weren't valid on that route, but I've never tried it.
Oyster and contactless are valid on Southeastern Highspeed services for
Stratford to St Pancras, but at a higher fare than travelling between those
two places by tube/EL/NR/whatever. The fare you pay for that journey is
outside any capping, though, rather like using Oyster/contactless for the
cable car, or river services. Or HEx.
<https://www.southeasternrailway.co.uk/tickets/more-ways-to-travel/high-speed>,
scroll down and click on "Using Oyster PAYG and Contactless".
If you have a Travelcard on your Oyster/ITSO, presumably that's not
accepted, just like a paper Travelcard wouldn't be?

There's a complex scheme for buying daily Hi-Speed upgrades, but there's
all kinds of ifs and buts.
--
Roland Perry
Clive Page
2023-02-10 23:30:01 UTC
Permalink
Post by Roland Perry
Any of XC, GA or GN to Cambridge; then either of XC and GA to the Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to Kings Cross and St Pancras (yes, there are Thameslink services which terminate at Kings Cross - go figure). For added diversity change at Stevenage onto LNER, or even onto a different GN train to Moorgate.
Yes, but that is still a specific ticket which is valid on various routes and services because of the influence of the National Routeing Guide among other things.

Can you just load money on your rail operator's smart card and then use it on a whim on some other route on which they operate, say going up towards Norwich or Bury St. Edmunds without specifying which at the time of loading? I didn't think you could in general on an ITSO-based card.

The flexibility of the Oyster card is that I can load it with money weeks or months ahead and then use on just about any routes in the greater London area (with some tiny number of exceptions like St.Pancras to Stratford). I don't have to buy any ticket in advance or plan anything in advance.
--
Clive Page
Roland Perry
2023-02-11 07:15:24 UTC
Permalink
Post by Clive Page
Post by Roland Perry
If I buy a ticket from where I live to "London Terminals", I could
Any of XC, GA or GN to Cambridge; then either of XC and GA to the
Stansted area, then GA to Liverpool St.
Any of XC, GA or GN to Cambridge, then either of GN or Thameslink to
Kings Cross and St Pancras (yes, there are Thameslink services which
terminate at Kings Cross - go figure). For added diversity change at
Stevenage onto LNER, or even onto a different GN train to Moorgate.
Yes, but that is still a specific ticket which is valid on various
routes and services because of the influence of the National Routeing
Guide among other things.
What's with this "specific ticket" lark. Are you looking for an
all-England rover ticket, or something?
Post by Clive Page
Can you just load money on your rail operator's smart card and then use
it on a whim on some other route on which they operate, say going up
towards Norwich or Bury St. Edmunds without specifying which at the
time of loading? I didn't think you could in general on an ITSO-based
card.
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
Post by Clive Page
The flexibility of the Oyster card is that I can load it with money
weeks or months ahead and then use on just about any routes in the
greater London area (with some tiny number of exceptions like
St.Pancras to Stratford). I don't have to buy any ticket in advance or
plan anything in advance.
To that extent Oyster (and contactless credit card) are valid wherever
they are *accepted*. Which, to use an earlier phrase is TO A FIRST
APPROXIMATION inside the M25. You can't use them to Norwich or Bury St
Edmunds.

[1] GTR from Havant* to Bexhill in the south; to Watford Junction*,
Bedford, Huntingdon and Cambridge* in the north; to Dartford in the
East.

* means actually one station, too small for people to instantly
recognise, closer to central London. To mop these big stations
up just requires some co-operation between techies in the back
office.
--
Roland Perry
Clive Page
2023-02-11 15:22:02 UTC
Permalink
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the flexibility of the system, perhaps because they have at present crippled it by having it usable on so few routes.

At present it would be of no use to most people using Thameslink stations north of St.Pancras as it doesn't seem to be valid on East Midlands trains, for example which are generally the fastest from London to Luton/Parkway and Bedford. Nor on any TfL services. So if I understand it you are claiming that ITSO cards could, in principle, cover the country, if only the DfT could knock enough heads together and force them all to sign up?

One wonders whether that, or the completion of HS2 will come first.

The same head-knocking would obviously be needed if Oyster is to be expanded outside the greater London area. And probably that would simply not cope with the number of zones that would be needed.

Actually I suspect that most of the passengers that one sees breezing through ticket barriers around London, simply waving either the smartphones or their contactless bank cards at the gate-line readers would think that both of these technologies are ripe for retirement.
--
Clive Page
Recliner
2023-02-11 16:22:52 UTC
Permalink
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them all to sign up?
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
They're using son-of-Oyster. Next year, you'll be able to do that from
Guildford to Southend, Aylesbury to Tunbridge Wells, Dorking to Stansted,
Maidstone to Maidenhead…

And, yes, discounted PAYG travel for National Rail concessionary customers
is coming.
M***@dastardlyhq.com
2023-02-11 16:41:32 UTC
Permalink
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
Post by Clive Page
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them
all to sign up?
Post by Clive Page
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Recliner
2023-02-11 17:26:28 UTC
Permalink
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
Post by Clive Page
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them
all to sign up?
Post by Clive Page
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
Roland Perry
2023-02-11 17:53:03 UTC
Permalink
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
Post by Clive Page
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them
all to sign up?
Post by Clive Page
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed?
No, but signage often uses the word "tap", as if that was necessary.
Post by Recliner
I'm pretty sure my phone can pay bills without actually touching the
reader (NFC is, after all, *Near* Field Communication). So, waving it a
couple of cm away should be OK.
The issue here is "wave - wait - wait a bit more..."
--
Roland Perry
Clive Page
2023-02-11 18:40:54 UTC
Permalink
Post by Recliner
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
The ones that annoy me are those who discover that waving or tapping their phone doesn't work because e.g. they have forgotten to enable NFC or something like that, so they have to pause for several seconds to re-enable it. A cardboard ticket seems faster all round.
--
Clive Page
Graeme Wall
2023-02-11 20:45:00 UTC
Permalink
Post by Clive Page
Is physical contact actually needed?  I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
The ones that annoy me are those who discover that waving or tapping
their phone doesn't work because e.g. they have forgotten to enable NFC
or something like that, so they have to pause for several seconds to
re-enable it.   A cardboard ticket seems faster all round.
You mean getting stuck behind the person who doesn't think to get their
ticket out before they get to the barrier, then can't remember which
pocket they put their wallet in, then can't find the slot to insert it in
the barrier? Got behind one of those last Thursday!
--
Graeme Wall
This account not read.
Ken
2023-02-12 11:44:56 UTC
Permalink
On Sat, 11 Feb 2023 20:45:00 +0000, Graeme Wall
Post by Graeme Wall
Post by Clive Page
Is physical contact actually needed?  I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
The ones that annoy me are those who discover that waving or tapping
their phone doesn't work because e.g. they have forgotten to enable NFC
or something like that, so they have to pause for several seconds to
re-enable it.   A cardboard ticket seems faster all round.
You mean getting stuck behind the person who doesn't think to get their
ticket out before they get to the barrier, then can't remember which
pocket they put their wallet in, then can't find the slot to insert it in
the barrier? Got behind one of those last Thursday!
The main problem with paper is that its declining popularity means
that gates often fail to read it. Sometimes there's a hand-written
sign to that effect, but often not.
M***@dastardlyhq.com
2023-02-12 09:59:59 UTC
Permalink
On Sat, 11 Feb 2023 17:26:28 -0000 (UTC)
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
That's what my wife does with her contactless cards annoyingly. It just slows the
reader down even more.
Graeme Wall
2023-02-12 10:07:49 UTC
Permalink
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 17:26:28 -0000 (UTC)
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
That's what my wife does with her contactless cards annoyingly. It just slows the
reader down even more.
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
--
Graeme Wall
This account not read.
M***@dastardlyhq.com
2023-02-12 15:57:25 UTC
Permalink
On Sun, 12 Feb 2023 10:07:49 +0000
Post by Graeme Wall
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 17:26:28 -0000 (UTC)
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
That's what my wife does with her contactless cards annoyingly. It just slows the
reader down even more.
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Tweed
2023-02-12 16:39:10 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 10:07:49 +0000
Post by Graeme Wall
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 17:26:28 -0000 (UTC)
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
That's what my wife does with her contactless cards annoyingly. It just slows the
reader down even more.
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
M***@dastardlyhq.com
2023-02-12 19:38:45 UTC
Permalink
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
Roland Perry
2023-02-12 19:49:35 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
--
Roland Perry
M***@dastardlyhq.com
2023-02-12 19:59:38 UTC
Permalink
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
Charles Ellson
2023-02-12 20:37:05 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
IIRC it used to be possible to set up bogus direct debits or standing
orders using the details off a debit card. These could work until
someone noticed the mystery transactions but banks have gradually
introduced more double-checking with customers for many transactions.
Tweed
2023-02-12 20:52:29 UTC
Permalink
Post by Charles Ellson
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
IIRC it used to be possible to set up bogus direct debits or standing
orders using the details off a debit card. These could work until
someone noticed the mystery transactions but banks have gradually
introduced more double-checking with customers for many transactions.
Does a near field communication with a bank card transmit account details
unencrypted?
Charles Ellson
2023-02-12 21:16:38 UTC
Permalink
On Sun, 12 Feb 2023 20:52:29 -0000 (UTC), Tweed
Post by Tweed
Post by Charles Ellson
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
IIRC it used to be possible to set up bogus direct debits or standing
orders using the details off a debit card. These could work until
someone noticed the mystery transactions but banks have gradually
introduced more double-checking with customers for many transactions.
Does a near field communication with a bank card transmit account details
unencrypted?
I don't know (I get a couple of lines in hex) but scanning the card
(or anything else showing the sort code, account number and name) with
the Mk1 eyeball doesn't involve encryption.
Roland Perry
2023-02-13 12:35:56 UTC
Permalink
Post by Charles Ellson
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
IIRC it used to be possible to set up bogus direct debits or standing
orders using the details off a debit card. These could work until
someone noticed the mystery transactions but banks have gradually
introduced more double-checking with customers for many transactions.
Nothing to do with skimming contactless cards. And of course the DD
Guarantee kicks in, unlike someone who sets up a scam merchant account
and pretends you've bought something off them.

Although UK banks do have a form of guarantee for that as well.
--
Roland Perry
Roland Perry
2023-02-13 12:34:30 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
By skimming contactless cards?
--
Roland Perry
M***@dastardlyhq.com
2023-02-13 12:55:01 UTC
Permalink
On Mon, 13 Feb 2023 12:34:30 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
By skimming contactless cards?
You think it's hard? Happened to someone I know in a dodgy restaurant. He
gave them his card and the waitress did the transaction again on the card
machine while he wasn't looking. Couldn't have happened if the PIN had been
required.
Recliner
2023-02-13 13:42:33 UTC
Permalink
Post by M***@dastardlyhq.com
On Mon, 13 Feb 2023 12:34:30 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
By skimming contactless cards?
You think it's hard? Happened to someone I know in a dodgy restaurant. He
gave them his card and the waitress did the transaction again on the card
machine while he wasn't looking. Couldn't have happened if the PIN had been
required.
Or if he'd used his phone.
Roland Perry
2023-02-14 13:12:59 UTC
Permalink
Post by Recliner
Post by M***@dastardlyhq.com
On Mon, 13 Feb 2023 12:34:30 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
By skimming contactless cards?
You think it's hard? Happened to someone I know in a dodgy restaurant. He
gave them his card and the waitress did the transaction again on the card
machine while he wasn't looking. Couldn't have happened if the PIN had been
required.
Or if he'd used his phone.
Presumably you mean "if he'd used his phone and not let go of it"?

Don't let go of the contactless card either. Simples!!
--
Roland Perry
Roland Perry
2023-02-14 13:11:48 UTC
Permalink
Post by M***@dastardlyhq.com
On Mon, 13 Feb 2023 12:34:30 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 19:49:35 +0000
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Are you seriously suggesting that it's hard for criminals to rip people off via
bank cards? It happens all the damn time.
By skimming contactless cards?
You think it's hard? Happened to someone I know in a dodgy restaurant. He
gave them his card and the waitress did the transaction again on the card
machine while he wasn't looking. Couldn't have happened if the PIN had been
required.
That's not skimming, it's plain and simple double-dipping fraud.
--
Roland Perry
Ken
2023-02-13 09:26:25 UTC
Permalink
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Really? You can buy third-party card readers from about £30 and I
thought it was just a case of arranging for payments to go to any bank
account.
You may be right, but I thought it was more lax these days.
Clank
2023-02-13 10:00:27 UTC
Permalink
Post by Ken
Post by Roland Perry
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 16:39:10 -0000 (UTC)
Post by Tweed
Post by M***@dastardlyhq.com
Post by Graeme Wall
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
Even if someone had a rogue reader how would they obtain payment without
being traceable?
Don't know, I'm not a criminal. But how do any scammers get a bank account?
These hypothetical scammers need to get a merchant account.
Really? You can buy third-party card readers from about £30 and I
thought it was just a case of arranging for payments to go to any bank
account.
You may be right, but I thought it was more lax these days.
Indeed, these days you don't need your own Merchant Account or Acquiring Bank
to accept card payments - you can get a Payment Service Provider (PSP) who
will do all the complicated bank shit for you, and you just tell them where to
pay your takings. In exchange for this service of course you pay a percentage
of every transaction to the PSP.

If you are a massive retailer, the cost/benefit falls in favour of doing it
yourself - although I would say given the increasing complexity and Sisyphean
task of keeping up with regulatory (e.g. PSD2) and technological (EMV
specifications are constantly updated) changes, the bar where it makes sense
to do processing yourself is moving higher and higher. Then again, as CTO of a
PSP, I would say that, wouldn't I?

(The other advantage of a PSP is that they can easily integrate payment
providers other than just cards for you easily - my co. has literally hundreds
of payment solutions integrated, the majority of which you've almost certainly
never heard of, but each of which is absolutely critical for someone
somewhere - usually in local markets; if you want to take money from
customers in Latin America, for example, you probably want to integrate Monnet
Payments so people in Peru or Ecuador can easily pay you from their bank
account or from a local shop voucher purchase. Routing the transaction through
a local intermediary can also cut transaction costs (and increase acceptance
rates), even where the user is using a 'global' payment method like Mastercard
or Visa.)


I wouldn't describe it as 'more lax' though; PSPs are subject to the same kind
of Know Your Customer and Anti Money-Laundering regulations that the banks
are.
Ken
2023-02-13 10:06:57 UTC
Permalink
On Mon, 13 Feb 2023 10:00:27 -0000 (UTC), Clank
Post by Clank
I wouldn't describe it as 'more lax' though; PSPs are subject to the same kind
of Know Your Customer and Anti Money-Laundering regulations that the banks
are.
I merely meant that criminals attempting to scan cards in people's
pockets do not themselves require a merchant account, after Roland
suggested they did.
Graeme Wall
2023-02-12 17:46:13 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 10:07:49 +0000
Post by Graeme Wall
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 17:26:28 -0000 (UTC)
Post by Recliner
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Is physical contact actually needed? I'm pretty sure my phone can pay
bills without actually touching the reader (NFC is, after all, *Near* Field
Communication). So, waving it a couple of cm away should be OK.
That's what my wife does with her contactless cards annoyingly. It just slows
the reader down even more.
IIRC the original idea was you just waved the card somewhere near the
reader, or even left it in your pocket, remember Pay-Wave? Fell apart
the moment someone had two P-W cards or were close to someone else with
one. So they had to reduce the acceptance area drastically.
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
That was a worry with people buying special screened wallets to keep
their cards in.
--
Graeme Wall
This account not read.
M***@dastardlyhq.com
2023-02-12 19:45:31 UTC
Permalink
On Sun, 12 Feb 2023 17:46:13 +0000
Post by Graeme Wall
Post by M***@dastardlyhq.com
Which is a Good Thing. Otherwise no card in a wallet would be safe from
someone with a rogue reader in a crowded environment such as the tube.
That was a worry with people buying special screened wallets to keep
their cards in.
Maybe a few, not many.
Ken
2023-02-12 11:43:07 UTC
Permalink
Post by M***@dastardlyhq.com
On Sat, 11 Feb 2023 16:22:52 -0000 (UTC)
Post by Clive Page
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them
all to sign up?
Post by Clive Page
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Balls. The phone is as fast as an Oyster so long as you're using it as
a contactless card. What can take a while is using the phone to show a
QR to the reader on a gate (so not TfL?). But even that's much better
than the paper version. It can take tens of seconds and several
attempts if the QR is printed onto dead trees.
M***@dastardlyhq.com
2023-02-12 16:04:09 UTC
Permalink
On Sun, 12 Feb 2023 11:43:07 +0000
Post by Ken
Post by M***@dastardlyhq.com
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Balls. The phone is as fast as an Oyster so long as you're using it as
a contactless card. What can take a while is using the phone to show a
Bollocks it is. When I commuted before Covid I got utterly sick of gormless
hipsters trying to tap out with their iToys which seemed to never take less
than 2 seconds to register at the gate compared to Oyster or a card which
are virtually instantaneous.

Why would you use a phone instead of contactless anyway? I just don't get it.
Ken
2023-02-13 09:30:38 UTC
Permalink
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 11:43:07 +0000
Post by Ken
Post by M***@dastardlyhq.com
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Balls. The phone is as fast as an Oyster so long as you're using it as
a contactless card. What can take a while is using the phone to show a
Bollocks it is. When I commuted before Covid I got utterly sick of gormless
hipsters trying to tap out with their iToys which seemed to never take less
than 2 seconds to register at the gate compared to Oyster or a card which
are virtually instantaneous.
Why would you use a phone instead of contactless anyway? I just don't get it.
This argument has been well rehearsed here several times. Until a
couple of years ago I had no real opinion but tended to agree with
your position. But my phone is far easier to access quickly than my
wallet and the act of removing it from my pocket and unlocking it as I
do so has become automatic.
Another reason is that it seems much faster than a card on retail
terminals. I can't say I've noticed a difference either way at
gatelines.
M***@dastardlyhq.com
2023-02-13 09:34:42 UTC
Permalink
On Mon, 13 Feb 2023 09:30:38 +0000
Post by Ken
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 11:43:07 +0000
Post by Ken
Post by M***@dastardlyhq.com
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Balls. The phone is as fast as an Oyster so long as you're using it as
a contactless card. What can take a while is using the phone to show a
Bollocks it is. When I commuted before Covid I got utterly sick of gormless
hipsters trying to tap out with their iToys which seemed to never take less
than 2 seconds to register at the gate compared to Oyster or a card which
are virtually instantaneous.
Why would you use a phone instead of contactless anyway? I just don't get it.
This argument has been well rehearsed here several times. Until a
couple of years ago I had no real opinion but tended to agree with
your position. But my phone is far easier to access quickly than my
wallet and the act of removing it from my pocket and unlocking it as I
do so has become automatic.
Take wallet from pocket, put on pad, gate opens. Not sure how using a phone
could be any quicker or simpler.
Ken
2023-02-13 10:09:15 UTC
Permalink
Post by M***@dastardlyhq.com
On Mon, 13 Feb 2023 09:30:38 +0000
Post by Ken
Post by M***@dastardlyhq.com
On Sun, 12 Feb 2023 11:43:07 +0000
Post by Ken
Post by M***@dastardlyhq.com
I've yet to see anyone get away with just waving their smartphone. Usually
it's tap - wait - wait a bit more - open. A right PITA if you're behind them
waiting to get out.
Balls. The phone is as fast as an Oyster so long as you're using it as
a contactless card. What can take a while is using the phone to show a
Bollocks it is. When I commuted before Covid I got utterly sick of gormless
hipsters trying to tap out with their iToys which seemed to never take less
than 2 seconds to register at the gate compared to Oyster or a card which
are virtually instantaneous.
Why would you use a phone instead of contactless anyway? I just don't get it.
This argument has been well rehearsed here several times. Until a
couple of years ago I had no real opinion but tended to agree with
your position. But my phone is far easier to access quickly than my
wallet and the act of removing it from my pocket and unlocking it as I
do so has become automatic.
Take wallet from pocket, put on pad, gate opens. Not sure how using a phone
could be any quicker or simpler.
Wallet contains Oyster, bus pass, credit and debit card, at least. I'll
need at least three of them on a journey (including my coffee and pain
au chocolat breakfast on the platform of my local station).
M***@dastardlyhq.com
2023-02-13 12:45:29 UTC
Permalink
On Mon, 13 Feb 2023 10:09:15 +0000
Post by Ken
Post by M***@dastardlyhq.com
Post by Ken
This argument has been well rehearsed here several times. Until a
couple of years ago I had no real opinion but tended to agree with
your position. But my phone is far easier to access quickly than my
wallet and the act of removing it from my pocket and unlocking it as I
do so has become automatic.
Take wallet from pocket, put on pad, gate opens. Not sure how using a phone
could be any quicker or simpler.
Wallet contains Oyster, bus pass, credit and debit card, at least. I'll
need at least three of them on a journey (including my coffee and pain
au chocolat breakfast on the platform of my local station).
I only have 1 contactless card. That way if I lose my wallet I only
have to worry about 1 account getting ripped off with the associated arguing
with the bank, not all of them. Plus it means there's no contention at
tube gates.
Ken
2023-02-13 14:59:20 UTC
Permalink
Post by M***@dastardlyhq.com
On Mon, 13 Feb 2023 10:09:15 +0000
Post by Ken
Post by M***@dastardlyhq.com
Post by Ken
This argument has been well rehearsed here several times. Until a
couple of years ago I had no real opinion but tended to agree with
your position. But my phone is far easier to access quickly than my
wallet and the act of removing it from my pocket and unlocking it as I
do so has become automatic.
Take wallet from pocket, put on pad, gate opens. Not sure how using a phone
could be any quicker or simpler.
Wallet contains Oyster, bus pass, credit and debit card, at least. I'll
need at least three of them on a journey (including my coffee and pain
au chocolat breakfast on the platform of my local station).
I only have 1 contactless card. That way if I lose my wallet I only
have to worry about 1 account getting ripped off with the associated arguing
with the bank, not all of them. Plus it means there's no contention at
tube gates.
Handy. I need three cards to get from my house to a Z1 TfL station.
Roland Perry
2023-02-11 17:51:30 UTC
Permalink
Post by Recliner
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining the
flexibility of the system, perhaps because they have at present crippled
it by having it usable on so few routes.
At present it would be of no use to most people using Thameslink stations
north of St.Pancras as it doesn't seem to be valid on East Midlands
trains, for example which are generally the fastest from London to
Luton/Parkway and Bedford. Nor on any TfL services. So if I understand
it you are claiming that ITSO cards could, in principle, cover the
country, if only the DfT could knock enough heads together and force them all to sign up?
One wonders whether that, or the completion of HS2 will come first.
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area. And probably that would simply
not cope with the number of zones that would be needed.
Son-of-Oyster (ie, cc cards) can already be used outside the Greater London
area, and are being expanded to many more stations.
Define "many". There are about 2,500 stations on the network.
Post by Recliner
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
They're using son-of-Oyster. Next year, you'll be able to do that from
Guildford to Southend, Aylesbury to Tunbridge Wells, Dorking to Stansted,
Maidstone to Maidenhead…
And, yes, discounted PAYG travel for National Rail concessionary customers
is coming.
WTF is a NR concessionary customer?
--
Roland Perry
Clive Page
2023-02-11 18:39:22 UTC
Permalink
Post by Recliner
And, yes, discounted PAYG travel for National Rail concessionary customers
is coming.
And HS2 is coming too... :-)
--
Clive Page
Roland Perry
2023-02-11 17:36:51 UTC
Permalink
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining
the flexibility of the system, perhaps because they have at present
crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR
network.
Post by Clive Page
At present it would be of no use to most people using Thameslink
stations north of St.Pancras as it doesn't seem to be valid on East
Midlands trains, for example which are generally the fastest from
London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever been
1tph to Luton Parkway (and none to Luton) for the 20yrs I used that
line.
Post by Clive Page
Nor on any TfL services.
If you want TfL services, buy a Travelcard. Which you can load on an
ITSO.
Post by Clive Page
So if I understand it you are claiming that ITSO cards could, in
principle, cover the country, if only the DfT could knock enough heads
together and force them all to sign up?
That's right. But the main issue with PAYG on ITSO - or any other
card(s) - is about fare evasion by unresolved journeys. ITSO walk-up
tickets are available over very many TOC territories.
Post by Clive Page
One wonders whether that, or the completion of HS2 will come first.
Needs political will, and currently the politicians are once again
saying they have the will, although it's been a long time dripping
through.
Post by Clive Page
The same head-knocking would obviously be needed if Oyster is to be
expanded outside the greater London area.
No, head-knocking would *not* be enough. Because the readers outside the
current user area simply won't read the cards - they are designed to
read ITSO.
Post by Clive Page
And probably that would simply not cope with the number of zones that
would be needed.
You wouldn't expand Oyster by adding more zones in the London sense. It
would have to be merely a token for reverse engineering some
point-to-point fares.
Post by Clive Page
Actually I suspect that most of the passengers that one sees breezing
through ticket barriers around London, simply waving either the
smartphones or their contactless bank cards at the gate-line readers
would think that both of these technologies are ripe for retirement.
They are successfully boiling frogs, like not allowing the CCC to load
Railcards, and not fully implementing capping. Thankfully it's only
Londoners who are being taken advantage of.
--
Roland Perry
Clive Page
2023-02-11 18:45:47 UTC
Permalink
OK, I didn't know that.  Their publicity is awfully bad at explaining the flexibility of the system, perhaps because they have at present crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR network.
There are posters at most of the stations I use, e.g. Luton, extolling its virtues, and even machines which disgorge them (I think).
At present it would be of no use to most people using Thameslink stations north of St.Pancras as it doesn't seem to be valid on East Midlands trains, for example which are generally the fastest from London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever been 1tph to Luton Parkway (and none to Luton) for the 20yrs I used that line.
Times have changed, Roland. Now there are 2 tph "EMR Connect" stopping at Bedford and both Lutons, and as they only take 22 mins to reach London and are much more reliable than these new-fangled Thameslink things (which are always being held up by points failures in the Gatwick Area and similar) are now the trains of choice for most people going from Bedford or the Luton area to London. Except for those who bought their tickets from easyJet, who only sell Thameslink-specific tickets I think.
--
Clive Page
Roland Perry
2023-02-12 10:22:57 UTC
Permalink
Post by Clive Page
OK, I didn't know that.  Their publicity is awfully bad at
explaining the flexibility of the system, perhaps because they have
at present crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR network.
There are posters at most of the stations I use, e.g. Luton, extolling
its virtues, and even machines which disgorge them (I think).
At present it would be of no use to most people using Thameslink
stations north of St.Pancras as it doesn't seem to be valid on East
Midlands trains, for example which are generally the fastest from
London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever
been 1tph to Luton Parkway (and none to Luton) for the 20yrs I used
that line.
Times have changed, Roland. Now there are 2 tph "EMR Connect" stopping
at Bedford and both Lutons,
Ah yes, must be the Corby trains.
Post by Clive Page
and as they only take 22 mins to reach London and are much more
reliable than these new-fangled Thameslink things (which are always
being held up by points failures in the Gatwick Area and similar) are
now the trains of choice for most people going from Bedford or the
Luton area to London. Except for those who bought their tickets from
easyJet, who only sell Thameslink-specific tickets I think.
Yes I have a photo of the signage at Luton Parkway from back when
EasyJet sold "FCC Only" tickets.
--
Roland Perry
Ken
2023-02-12 11:50:04 UTC
Permalink
Post by Roland Perry
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining
the flexibility of the system, perhaps because they have at present
crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR
network.
Post by Clive Page
At present it would be of no use to most people using Thameslink
stations north of St.Pancras as it doesn't seem to be valid on East
Midlands trains, for example which are generally the fastest from
London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever been
1tph to Luton Parkway (and none to Luton) for the 20yrs I used that
line.
Post by Clive Page
Nor on any TfL services.
If you want TfL services, buy a Travelcard. Which you can load on an
ITSO.
I didn't know TfL gates could read ITSO. Their buses can't, the
readers displaying a message that actually uses the acronym and
telling you to show the card to the driver. If it's an English bus
pass, fair enough, but how will the driver know that a Travelcard is
loaded? So, are you sure TfL are happy with T/Cs on ITSO?
Roland Perry
2023-02-12 12:58:13 UTC
Post by Ken
Post by Roland Perry
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining
the flexibility of the system, perhaps because they have at present
crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR
network.
Post by Clive Page
At present it would be of no use to most people using Thameslink
stations north of St.Pancras as it doesn't seem to be valid on East
Midlands trains, for example which are generally the fastest from
London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever been
1tph to Luton Parkway (and none to Luton) for the 20yrs I used that
line.
Post by Clive Page
Nor on any TfL services.
If you want TfL services, buy a Travelcard. Which you can load on an
ITSO.
I didn't know TfL gates could read ITSO. Their buses can't, the
readers displaying a message that actually uses the acronym and
telling you to show the card to the driver. If it's an English bus
pass, fair enough, but how will the driver know that a Travelcard is
loaded? So, are you sure TfL are happy with T/Cs on ITSO?
Yes, a season ticket to Z1-6 is definitely OK on an ITSO card.

As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.

The other side of the coin is that the FP *has* to be ITSO, to be
acceptable on buses outside London.
--
Roland Perry
Recliner
2023-02-12 13:10:54 UTC
Post by Roland Perry
Post by Ken
Post by Roland Perry
Post by Clive Page
Post by Roland Perry
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
OK, I didn't know that. Their publicity is awfully bad at explaining
the flexibility of the system, perhaps because they have at present
crippled it by having it usable on so few routes.
Who is "they", mindful that KeyGo covers a huge amount of the GTR
network.
Post by Clive Page
At present it would be of no use to most people using Thameslink
stations north of St.Pancras as it doesn't seem to be valid on East
Midlands trains, for example which are generally the fastest from
London to Luton/Parkway and Bedford.
Very few EMR trains serve Bedford any more, and there has only ever been
1tph to Luton Parkway (and none to Luton) for the 20yrs I used that
line.
Post by Clive Page
Nor on any TfL services.
If you want TfL services, buy a Travelcard. Which you can load on an
ITSO.
I didn't know TfL gates could read ITSO. Their buses can't, the
readers displaying a message that actually uses the acronym and
telling you to show the card to the driver. If it's an English bus
pass, fair enough, but how will the driver know that a Travelcard is
loaded? So, are you sure TfL are happy with T/Cs on ITSO?
Yes, a season ticket to Z1-6 is definitely OK on an ITSO card.
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass, not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
Post by Roland Perry
The other side of the coin is that the FP *has* to be ITSO, to be
acceptable on buses outside London.
It's both an Oyster card and an ITSO bus pass.
Graeme Wall
2023-02-12 14:14:04 UTC
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass, not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
--
Graeme Wall
This account not read.
Recliner
2023-02-12 14:29:41 UTC
Post by Graeme Wall
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass, not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
No, but they do want to know how many were carried, so they do press a button. The charge is to TfL, not to the council
that supplied the pass.
Charles Ellson
2023-02-12 20:16:39 UTC
On Sun, 12 Feb 2023 14:29:41 +0000, Recliner
Post by Recliner
Post by Graeme Wall
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass, not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
I used my London Councils Freedom Pass in Ipswich a few days ago. The
card had to be held under a reader (which appeared to be the same type
as used on Reading buses) although whether it did any more than just
matching the image to a button press is a mystery. The immediately
readable/OCRable information would have been my name, the card number
and the expiry date.
Post by Recliner
No, but they do want to know how many were carried, so they do press a button. The charge is to TfL, not to the council
that supplied the pass.
AFAIAA there is no per occasion charging within Greater London rather
than a periodic accounting exercise. IIRC the same button is used for
"foreign" cards, unreadable cards and any other form of non-Oyster
travel authority.
Recliner
2023-02-12 21:40:07 UTC
Post by Charles Ellson
On Sun, 12 Feb 2023 14:29:41 +0000, Recliner
Post by Recliner
Post by Graeme Wall
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass,
not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
I used my London Councils Freedom Pass in Ipswich a few days ago. The
card had to be held under a reader (which appeared to be the same type
as used on Reading buses) although whether it did any more than just
matching the image to a button press is a mystery. The immediately
readable/OCRable information would have been my name, the card number
and the expiry date.
How do you know it didn't read the ITSO data? Were locals holding their
passes in the same way?
Post by Charles Ellson
Post by Recliner
No, but they do want to know how many were carried, so they do press a
button. The charge is to TfL, not to the council
that supplied the pass.
AFAIAA there is no per occasion charging within Greater London rather
than a periodic accounting exercise. IIRC the same button is used for
"foreign" cards, unreadable cards and any other form of non-Oyster
travel authority.
Yes, there's no cross-charge to the council that issued the bus pass.
Charles Ellson
2023-02-13 00:47:25 UTC
On Sun, 12 Feb 2023 21:40:07 -0000 (UTC), Recliner
Post by Recliner
Post by Charles Ellson
On Sun, 12 Feb 2023 14:29:41 +0000, Recliner
Post by Recliner
Post by Graeme Wall
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass,
not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
I used my London Councils Freedom Pass in Ipswich a few days ago. The
card had to be held under a reader (which appeared to be the same type
as used on Reading buses) although whether it did any more than just
matching the image to a button press is a mystery. The immediately
readable/OCRable information would have been my name, the card number
and the expiry date.
How do you know it didn't read the ITSO data? Were locals holding their
passes in the same way?
The red light shining on the card from above suggests an optical
rather than an RF interface. The card was held under the light rather
than being placed on a pad. Not necessarily definitive but the web
page dealing with bus passes uses the words "If your pass isn't
scanning on buses it isn't the pass that's faulty, it is more likely
that the reader on the bus has not been programmed to read your pass".
Also, any time I have watched someone having their pass scanned, it
has always been face up and not hidden in a wallet, something that
makes no difference with a Freedom Pass on its home territory. There
also seems to often be a delay, something not usual with RF cards
touched on a pad. The use of QR codes further suggests an optical
interface :-
https://www.ipswichbuses.co.uk/app/ticket-purchasing-notes/
and maybe explains the delay if the scanner has to decide if it is
being presented with the central printed portion of an ENCTS card or a
QR code.
Post by Recliner
Post by Charles Ellson
Post by Recliner
No, but they do want to know how many were carried, so they do press a
button. The charge is to TfL, not to the council
that supplied the pass.
AFAIAA there is no per occasion charging within Greater London rather
than a periodic accounting exercise. IIRC the same button is used for
"foreign" cards, unreadable cards and any other form of non-Oyster
travel authority.
Yes, there's no cross-charge to the council that issued the bus pass.
Ken
2023-02-13 09:39:25 UTC
On Mon, 13 Feb 2023 00:47:25 +0000, Charles Ellson
Post by Charles Ellson
On Sun, 12 Feb 2023 21:40:07 -0000 (UTC), Recliner
The red light shining on the card from above suggests an optical
rather than an RF interface. The card was held under the light rather
than being placed on a pad. Not necessarily definitive but the web
page dealing with bus passes uses the words "If your pass isn't
scanning on buses it isn't the pass that's faulty, it is more likely
that the reader on the bus has not been programmed to read your pass".
Also, any time I have watched someone having their pass scanned, it
has always been face up and not hidden in a wallet, something that
makes no difference with a Freedom Pass on its home territory. There
also seems to often be a delay, something not usual with RF cards
touched on a pad. The use of QR codes further suggests an optical
interface :-
https://www.ipswichbuses.co.uk/app/ticket-purchasing-notes/
and maybe explains the delay if the scanner has to decide if it is
being presented with the central printed portion of an ENCTS card or a
QR code.
The ticket machines widely used outside London seem quite
sophisticated. They read contactless cards, ITSOs for the English
Concessionary Scheme and others (local Ryanair staff present an ITSO.
I don't know what's on it). They also read barcodes/QR as some
products such as local rover-type schemes are carried on a paper
ticket which is read by the machines.
They also have GPS.
Most bus services require you to place a concessionary pass on the
reader and also let the driver have sight of it. The machine beeps and
shows a green light if the ticket is valid but the driver is supposed
to look at the photograph. For some reason First buses issue a ticket;
most operators don't.
Anna Noyd-Dryver
2023-02-14 12:11:50 UTC
Post by Charles Ellson
On Sun, 12 Feb 2023 21:40:07 -0000 (UTC), Recliner
Post by Recliner
Post by Charles Ellson
On Sun, 12 Feb 2023 14:29:41 +0000, Recliner
Post by Graeme Wall
Post by Recliner
Post by Roland Perry
As for the buses, perhaps someone with a Freedom Card (which is ITSO)
can tell us if the readers accept it, or do they just show it to the
driver.
The London bus readers accept it, and know that it's a Freedom Pass,
not just a generic English bus pass. But I think
people with the latter just show their passes to the driver.
That's right, just show it to the driver. Not sure if they press a
button to register the fare, I suspect not as they won't know which
council to charge.
I used my London Councils Freedom Pass in Ipswich a few days ago. The
card had to be held under a reader (which appeared to be the same type
as used on Reading buses) although whether it did any more than just
matching the image to a button press is a mystery. The immediately
readable/OCRable information would have been my name, the card number
and the expiry date.
How do you know it didn't read the ITSO data? Were locals holding their
passes in the same way?
The red light shining on the card from above suggests an optical
rather than an RF interface. The card was held under the light rather
than being placed on a pad. Not necessarily definitive but the web
page dealing with bus passes uses the words "If your pass isn't
scanning on buses it isn't the pass that's faulty, it is more likely
that the reader on the bus has not been programmed to read your pass".
Also, any time I have watched someone having their pass scanned, it
has always been face up and not hidden in a wallet, something that
makes no difference with a Freedom Pass on its home territory. There
also seems to often be a delay, something not usual with RF cards
touched on a pad. The use of QR codes further suggests an optical
interface :-
https://www.ipswichbuses.co.uk/app/ticket-purchasing-notes/
and maybe explains the delay if the scanner has to decide if it is
being presented with the central printed portion of an ENCTS card or a
QR code.
The readers on buses in Bristol (and I've seen them elsewhere) have a light
above, to read QR codes, and an NFC reader below, to read ITSO/contactless
etc.

They look something like this
<Loading Image...>


Anna Noyd-Dryver
Roland Perry
2023-02-13 12:40:44 UTC
Post by Recliner
Post by Charles Ellson
AFAIAA there is no per occasion charging within Greater London rather
than a periodic accounting exercise. IIRC the same button is used for
"foreign" cards, unreadable cards and any other form of non-Oyster
travel authority.
Yes, there's no cross-charge to the council that issued the bus pass.
Another of your infamous excluded-middles. The charge applies to the LA
within which the trip is undertaken, not the one issuing the card.
--
Roland Perry
Recliner
2023-02-13 13:33:26 UTC
Post by Roland Perry
Post by Recliner
Post by Charles Ellson
AFAIAA there is no per occasion charging within Greater London rather
than a periodic accounting exercise. IIRC the same button is used for
"foreign" cards, unreadable cards and any other form of non-Oyster
travel authority.
Yes, there's no cross-charge to the council that issued the bus pass.
Another of your infamous excluded-middles. The charge applies to the LA
within which the trip is undertaken, not the one issuing the card.
Correct, just as I said.
Clive Page
2023-02-12 15:18:51 UTC
Post by Roland Perry
Post by Clive Page
Can you just load money on your rail operator's smart card and then use
it on a whim on some other route on which they operate, say going up
towards Norwich or Bury St. Edmunds without specifying which at the
time of loading? I didn't think you could in general on an ITSO-based
card.
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
I've now looked at all the information on the Thameslink "The Key Smart" card which can be used on all routes covered by Gatwick Express, Great Northern, Southern and Thameslink. But I think they are all the same company now, so not so surprising.

One of the FAQ answers claims that it can be used on any train on the routes which are covered, which includes between London and Bedford, but the EMR website has nothing whatever on the Key Smartcard or similar, and I'm very doubtful if they are accepted. But I cannot find anything about using it except by loading specific tickets, up to 5 in total apparently. This can include season tickets, so in that sense they cover all unplanned journeys over any stations in between the end-points (or routeing-guide allowed alternatives). But the ITSO card doesn't appear to be usable like an Oyster, i.e. you load up with money in advance (maybe with auto-topup) and then use when you want on any route on which it is valid. As far as I can see that's an important difference between Oyster cards (and contactless cards used in the London area on Oyster-card readers) and all of these ITSO cards. Maybe I'm wrong, but I simply can't find anything on line to say that ITSO cards are more flexible than that.
Roland Perry
2023-02-12 16:53:40 UTC
Post by Clive Page
Post by Roland Perry
Post by Clive Page
Can you just load money on your rail operator's smart card and then use
it on a whim on some other route on which they operate, say going up
towards Norwich or Bury St. Edmunds without specifying which at the
time of loading? I didn't think you could in general on an ITSO-based
card.
You can on the routes where KeyGo is accepted[1]. So the technology is
proven, all it needs is for other TOCs to adopt it (which is a marketing
decision).
I've now looked at all the information on the Thameslink "The Key
Smart" card which can be used on all routes covered by Gatwick Express,
Great Northern, Southern and Thameslink. But I think they are all the
same company now, so not so surprising.
One of the FAQ answers claims that it can be used on any train on the
routes which are covered, which includes between London and Bedford,
but the EMR website has nothing whatever on the Key Smartcard or
similar, and I'm very doubtful if they are accepted. But I cannot find
anything about using it except by loading specific tickets, up to 5 in
total apparently. This can include season tickets, so in that sense
they cover all unplanned journeys over any stations in between the
end-points (or routeing-guide allowed alternatives). But the ITSO card
doesn't appear to be usable like an Oyster, i.e. you load up with money
in advance (maybe with auto-topup) and then use when you want on any
route on which it is valid.
Look closer, at Key-Go.
Post by Clive Page
As far as I can see that's an important difference between Oyster cards
(and contactless cards used in the London area on Oyster-card readers)
and all of these ITSO cards. Maybe I'm wrong, but I simply can't find
anything on line to say that ITSO cards are more flexible than that.
--
Roland Perry
Clive Page
2023-02-13 12:58:54 UTC
Post by Roland Perry
Look closer, at Key-Go.
They are doing their best to make it easy to understand, aren't they? Key-go is distinct from The Key but maybe uses the same card? But The Key specifically states that you can't load Super Off-peak tickets on it, only Anytime and regular Off-peak. That seems ridiculous. The Key-go claims it always charges you the cheapest fare, but has no mention of the off-peak and super-off-peak distinction. At weekends all returns in this area are super-off-peak, so this is really odd. And while you can load a National Railcard to get a discount, this takes 5 days.

The FAQ also says that if you need to combine it with journeys on TfL services it isn't appropriate to use Key-go (essentially as it doesn't work) and likewise it doesn't operate on East Midlands Trains services, because they don't get the data from the EMT gateline at St.Pancras. How mad is that. Sure you could switch smart cards, and a few stations like Farringdon have a pink touch-pad where, I suppose one could touch out a Key-go card and then touch-in an Oyster card, other stations where I often interchange have not, which means (as I've found the hard way) going out through a gate-line then a 180 degree turn, and in again through the same one again with a different ticket/card. In my opinion it's all a complete cock-up.

I accept that as a Senior Railcard holder making occasional journeys, often off-peak or super-off-peak, from Bedfordshire to London I'm an edge-case, though something like 30% of the population are now over-60. But it really is surprising that they haven't got their act together and have produced a product that isn't of any use to me, nor would it have been had it been available at any time in the last 30 years.
--
Clive Page