75% (roughly) UK airline tickets purchased online,Yet only 2% of heathrow express tickets bought on-lineBecause people only think and act on their public transport needs as they approach the station.Mobile can give every user their own ticket machine, that never has a queue.
We’re using on-screen barcodes to show the ticket values for reading by automatic gates, or checking by the train guards who carry hand-held scanners.The ticket code can be transferred to the NFC element on compatible phones (like this nokia 6131) but this handset is the only mainstream GSM handset with NFC and we’ve not heard of others in the pipeline.Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements, before they get transferred to the NFC element.
[The screenshots above are animated, to show useful UI widgets helping the user to select from large lists, or input Credit Card numbers correctly]WAP and WEB services are Thin Clients ; good when you have a reliable, low latency connection. Mobile is not like that. – inside buildings, moving vehicles and in remote locations: connections are often dropped or unavailable.Mobile Java allows us to build FAT clients, and not just glorified mini-browsers!Applications should provide most of the interaction while OFF-LINE and then only require an occasional connection at the end to make transactions, or get updates.e.g. you should be able to review your bank account and create new payment instructions while on the metro, not only when stood still in good Here are screenshots showing how you can quickly select one station from a list hundreds long, and also how to perform local validation of credit card numbers before sending to reduce the number of unecessary network connectionsSMS Failover:Many users (more than half, we reckon) cannot make network connections from Java using WAP, because they need to switch to the correct INTERNET settings. To provide these users with an out-of-the-box instant purchase, the application can automatically detect the lack of functioning GPRS and switch to encrypted SMS instead.
This is circa end 2008 – since then, there are many more on left and one more on right. None on right have operator subsidies.Nokia are the most pro-active NFC handset manufacturer.
Credit Card details entered just once into the application.Users have said “easier to use the mobile purchase than web purchase” because of quick, optimised workflow.
Simple – simply put in your car, your credit card, and how long you want to park.Brand new user can sign up and pay in just one secure SMS (or 0.02pence worth of data)Extend your parking without returning to the vehicle.
Come see me after for live demos, or to chat about building secure mobile applications form-commerce,Banking,Ticketing,Messaging,Read our blog for more details on security.blog.masabi.com
Masabi - Transport Ticketing 2010 Workshop
Barcode Ticketing<br />Self-print and Mobile<br />
Barcode Ticketing<br />Goals of eTicketing in general<br />Barcode User Workflow<br />Self-print and Mobile ticket display<br />Selling tickets on the mobile<br />Ticket Inspection Workflow<br />Soft Rollout and then adding Scanners<br />UK Barcode Ticket Standard<br />Open security<br />Barcode and Smartcard comparison<br />
Who are Masabi?<br /><ul><li>Masabi build mobile applications
Projects with:</li></ul>Consultancy to set the standardsfor self-print and mobile barcodes <br />mobile tickets for <br />
Why introduce eTicking?<br />TOC Incentives:<br />Reduce cost of sales <br />Capex and Opex on people and machines<br />Reduce queues<br />Gather more customer Data <br />Encourage modal shift through down-sell<br />Enable new product types<br />Increase revenue through up-sell and cross-sell<br />Customer Incentives:<br />Avoid the pain of queues<br />Cheaper Tickets, such as Advanced<br />
Technology Warning!<br />Just because you cando something with new technology –<br />Does not mean customers will adopt<br />Does not mean that companies will make money from it<br />
User Adoption of “new”?<br />Normal people only try a new technology to do something…<br />…if the old way of doing it is painful enough to make them try.<br />At that moment: offer them a better way.<br />
Mobile ticket opportunity<br />Only 12% of 2008’s UK rail tickets sold on the internet – most bought at station<br />But most mobile service users do not complete any registration on the web<br />So: Sign up the users when they need it<br />in a queue<br />in a hurry<br />next to a broken ticket machine<br />
Barcode Tickets<br />Self-print and <br />Mobile<br />
Web Purchase Workflow<br />Self-print<br />Or Mobile Delivery<br />
Mobile Purchase Workflow<br />Human readable <br />and scannable tickets<br />(ToD pickup option for routes not accepting Barcode yet)<br />
Mobile Barcode Tickets<br />WAP/MMS/Images<br />Any phone with MMS always has WAP<br />SMS-pictures not big enough for RSP<br />Compromise between text and barcode<br />Re-sizing can be an issue<br />DRM not everywhere<br />Smart Application<br />Full-screen, no re-sizing issues<br />Text and barcode separate<br />Application organises tickets<br />
Example HEX Tickets<br />Adaptive layout, size, rotation, DRM<br />
WAP Ticket Features<br />Flexible Branding and Layout<br />generated from xHTML/CSS<br />Auto-adapts according to handset<br />Size, Rotation, DRM, Image Format<br />Supports gif, png, jpg, dm, drm, dcf<br />WAP Push and SMS Link – autodetect<br />Users don’t need to register<br />Friendly file names - 12JuntoDoncaster.dm<br />
Usability – Mobile Apps<br /><ul><li>Still useful without a reliable data connection (unlike WAP)
UK Rail Barcode Ticket Standard<br />RSPS3001 Approved in December 2008as the UK standard for self print and mobile barcode rail ticketing<br />
Shared Barcode Standard<br />Public and open security<br />Based on standard SSL certificates<br />Each TOC generates and sign tickets with their own private key<br />Scanners only contain list of TOC public keys to scan and validate<br />Decentralised system<br />robust and can operate off-line<br />cheap to implement and use<br />Share self-print and mobile barcodes between Operators and 3rd party retailers<br />Integrate with standard EPOS<br />
Do tickets need security?<br />Early e-ticketing systems just used numbers as tickets<br />Limited barcode tickets to either:<br />Advanced Tickets, with manifest synchronised to the guard’s devices <br />Or guards perform live check via WiFi/GPRS<br />Problem: real systems cannot guarantee live connections or synchronisations<br />
PKI vs ITSO/Oyster<br />ITSO and Oyster are Symmetric<br />=Same Keys<br />PKI is Asymmetric<br />=Different Keys<br />Private key to create ticket<br />(safe on TIS server)<br />Private key to create ticket<br />Private key to check ticket<br />(some risk from key theft)<br />PublicKeyto check ticket<br />(no risk from key theft)<br />
Open PKI Security Model<br />Traceability, and no security risk from theft of scanning devices<br />If private keys are leaked, only the vendor that loses the keys is affected<br />3rd parties and other EPOS vendors can take part, even taxis and coffee shops can scan and validate cross-sale tickets or entitlements<br />
Easy to Scan and Validate<br />Offline validation from software<br />Add to existing EPOS or gate systems<br />No mobile databases required<br />No synchronisation of valid tickets from one Train or Bus Co. to another (too much data, too unreliable)<br />Enables Walk-up tickets<br />
Forgeries and Copies<br />Isn’t it easy to photocopy a self-print paper ticket?<br />What if a bunch of clever people figure out how to copy mobile tickets?<br />What if one user copies a ticket, gets onto an off-line train, and his friend gets onto a second off-line train?<br />
Anti-Copying Policy<br />Scanners only accept first seen barcode<br />On-line scanners can check for previous scans at other locations<br />Off-line scanners submit scan records back to ticket issuer for post-processing<br />Post processing identifies dual use, and blocks future purchases from the same credit card until fine paid, limiting fraud<br />
Large Data Capacity<br />Sealed by: East Coast Railways<br />Issued by: East Coast Railways<br />Ticket Number: EC0005342103<br />Issued at Kings Cross<br />1st Class, Adult, Single, Outbound<br />LTOT: UNK; FTOT: SVR<br />From Oban Station<br />to London Bridge Station<br />Valid from: 2008/08/28<br />valid on train departing: 18:08<br />ID Check: Credit Card ending 1241<br />Name: P. PEARSON<br />Male<br />With Network Railcard<br />£16.34 (Price was discounted)<br />Validity Code: ES<br />Purchase Ref: REF41414A5<br />Valid 1 day with one extra adult<br />one (1) journey leg: 2008/08/27 18:08Retail Service ID = TS0001; Reserved: Coach C, Seat 24 B<br />Optional ITSO header not included.<br />Extra Entitlement:<br />FREE MUFFIN AT NERO <br />WITH ANY DRINK; REF #572931<br />
Flexible Ticket Data<br />More free space for single TOC products and extra entitlements“Includes free cup of Costa Coffee and 2 Adults entry to Disneyland”<br />Cross sale opportunities can finally make the ticket sales channel work harder, and release more revenue from the whole journey<br />
How to Rollout Barcode?<br />Ask your Web ticket sales system provider to enable barcode ticketing, controlled by route and ticket type<br />Brief revenue enforcement staff on how to perform visual inspection of e-Tickets<br />Advertise it (in stations next to queues best)<br />Gradually add scanners and gate scanners as each route experiences more adoption of eTickets<br />
Scanner Options<br />Any barcode scanner, online or off-line, must support: 2D Aztec with CCD imager<br />Handheld <br />Small basic scanners for door staff<br />Advanced PDA based scanners for service staff<br />Bluetooth scanner upgrade for Avantix Mobile 2 <br />Cash Register/EPOS Scanners<br />Connect via USB or as “keyboard wedge” in between keyboard and EPOS like a normal scanner<br />Fixed Scanners for gates or check-outs<br />Retro-fit to existing gates or built in at manufacture by gate supplier<br />User places phone face-down to scan<br />Basic<br />Advanced<br />Bluetooth<br />EPOS Scanner<br />Fixed gate scanner <br />(as fast as Oyster)<br />
Scan as fast as Smartcard<br /><ul><li>New gate scanners from Access IS (who make the airport scanners) as fast as Smartcard readers, even from legacy mobile
Now mobile barcode is ready for Mass-Transit and rush-hour travel
So why wait for NFC ?</li></li></ul><li>Barcode Suppliers<br />Working with established Systems Integrators and suppliers to ensure that innovative barcode services are delivered with industrial scalability and reliability<br />
Benefits of Barcode: <br />Customer<br />Sign-up in the queue (no usernames or passwords)<br />No queues ever again<br />Quicker re-purchase<br />Tickets same price<br />Operator<br />Lower cost per sale<br />No need to expand stations<br />Staged capital expense on scanners<br />
Barcode Vs Smartcard<br />SmartCard<br /><ul><li>Great for bigcities
Ticket distribution must be on-line</li></ul>Barcode<br />Great for long distance<br />Visual, readable<br />Soft rollout of scanners-> low capex<br />Free Security<br />No media to issue<br />Can cope with offline stations<br />
All user data entry and validation performed off-line by application
Secure SMS for users without data settings or with poor reception
New user can sign-up and pay in just one SMS</li></li></ul><li>Business Case & User Case<br />People will only try to use new technology to do a regular daily activity…<br />…if the old way of doing it is painful enough to make them try something new.<br />At that moment: offer them a better way.<br />