Mobile phone train apps used in major cities in Britain could be manipulated to create free tickets and defraud operators, it has emerged, after activists hacked two public transport apps.
The hackers, who claimed they were campaigning for public transport to be free, said they were able to use the First Bus app and Manchester’s Metrolink app, called “get me there”, to create tickets free of charge. The apps create QR codes that function as virtual tickets when a user pays for a fare and can be scanned, similar to barcodes.
Mobile phone train apps used in major UK cities could be manipulated to create free tickets and defraud operators, after activists hacked two public transport apps https://t.co/VYaD5P7Fg8
— Telegraph Technology Intelligence (@TelegraphTech) September 3, 2019
This is one of the damaging effects that can happen when systems transfer to digital or phone-based methods. Abuse of such QR codes and tickets isn’t new, but when not enough money is pumped into the security of an application, this highlights how easy they can be abused.
Such short-sighted security can have damaging effects, and threat actors are always ready to try and take advantage of any flaws, which can have huge consequences on the future trust of such digital tickets. If in the wrong hands, this vulnerability, as harmless as it may seem now, might be exploited the other way around. QR codes could be created to scam commuters to pay, and overpay, straight into the pocket of the hackers.