75% (roughly) UK airline tickets purchased online,Yet only 2% of heathrow express tickets bought on-lineBecause people only think and act on their public transport needs as they approach the station.Mobile can give every user their own ticket machine, that never has a queue.
We’re using on-screen barcodes to show the ticket values for reading by automatic gates, or checking by the train guards who carry hand-held scanners.The ticket code can be transferred to the NFC element on compatible phones (like this nokia 6131) but this handset is the only mainstream GSM handset with NFC and we’ve not heard of others in the pipeline.Even when NFC services become mainstream, you will still need a secure interface to purchase entitlements, before they get transferred to the NFC element.
[The screenshots above are animated, to show useful UI widgets helping the user to select from large lists, or input Credit Card numbers correctly]WAP and WEB services are Thin Clients ; good when you have a reliable, low latency connection. Mobile is not like that. – inside buildings, moving vehicles and in remote locations: connections are often dropped or unavailable.Mobile Java allows us to build FAT clients, and not just glorified mini-browsers!Applications should provide most of the interaction while OFF-LINE and then only require an occasional connection at the end to make transactions, or get updates.e.g. you should be able to review your bank account and create new payment instructions while on the metro, not only when stood still in good Here are screenshots showing how you can quickly select one station from a list hundreds long, and also how to perform local validation of credit card numbers before sending to reduce the number of unecessary network connectionsSMS Failover:Many users (more than half, we reckon) cannot make network connections from Java using WAP, because they need to switch to the correct INTERNET settings. To provide these users with an out-of-the-box instant purchase, the application can automatically detect the lack of functioning GPRS and switch to encrypted SMS instead.
This is circa end 2008 – since then, there are many more on left and one more on right. None on right have operator subsidies.Nokia are the most pro-active NFC handset manufacturer.
Credit Card details entered just once into the application.Users have said “easier to use the mobile purchase than web purchase” because of quick, optimised workflow.
Simple – simply put in your car, your credit card, and how long you want to park.Brand new user can sign up and pay in just one secure SMS (or 0.02pence worth of data)Extend your parking without returning to the vehicle.
Come see me after for live demos, or to chat about building secure mobile applications form-commerce,Banking,Ticketing,Messaging,Read our blog for more details on security.blog.masabi.com
Barcode Ticketing Self-print and Mobile
Barcode Ticketing Goals of eTicketing in general Barcode User Workflow Self-print and Mobile ticket display Selling tickets on the mobile Ticket Inspection Workflow Soft Rollout and then adding Scanners UK Barcode Ticket Standard Open security Barcode and Smartcard comparison
Consultancy to set the standardsfor self-print and mobile barcodes mobile tickets for
Why introduce eTicking? TOC Incentives: Reduce cost of sales Capex and Opex on people and machines Reduce queues Gather more customer Data Encourage modal shift through down-sell Enable new product types Increase revenue through up-sell and cross-sell Customer Incentives: Avoid the pain of queues Cheaper Tickets, such as Advanced
Technology Warning! Just because you cando something with new technology – Does not mean customers will adopt Does not mean that companies will make money from it
User Adoption of “new”? Normal people only try a new technology to do something… …if the old way of doing it is painful enough to make them try. At that moment: offer them a better way.
Mobile ticket opportunity Only 12% of 2008’s UK rail tickets sold on the internet – most bought at station But most mobile service users do not complete any registration on the web So: Sign up the users when they need it in a queue in a hurry next to a broken ticket machine
Web Purchase Workflow Self-print Or Mobile Delivery
Mobile Purchase Workflow Human readable and scannable tickets (ToD pickup option for routes not accepting Barcode yet)
Mobile Barcode Tickets WAP/MMS/Images Any phone with MMS always has WAP SMS-pictures not big enough for RSP Compromise between text and barcode Re-sizing can be an issue DRM not everywhere Smart Application Full-screen, no re-sizing issues Text and barcode separate Application organises tickets
Example HEX Tickets Adaptive layout, size, rotation, DRM
WAP Ticket Features Flexible Branding and Layout generated from xHTML/CSS Auto-adapts according to handset Size, Rotation, DRM, Image Format Supports gif, png, jpg, dm, drm, dcf WAP Push and SMS Link – autodetect Users don’t need to register Friendly file names - 12JuntoDoncaster.dm
Key Usability Points: No sign-up process! no usernames no passwords Mostly off-line interface, SMS backup Fast repeated regular purchases Full screen barcodes for fast scanning
UK Rail Barcode Ticket Standard RSPS3001 Approved in December 2008as the UK standard for self print and mobile barcode rail ticketing
Shared Barcode Standard Public and open security Based on standard SSL certificates Each TOC generates and sign tickets with their own private key Scanners only contain list of TOC public keys to scan and validate Decentralised system robust and can operate off-line cheap to implement and use Share self-print and mobile barcodes between Operators and 3rd party retailers Integrate with standard EPOS
Do tickets need security? Early e-ticketing systems just used numbers as tickets Limited barcode tickets to either: Advanced Tickets, with manifest synchronised to the guard’s devices Or guards perform live check via WiFi/GPRS Problem: real systems cannot guarantee live connections or synchronisations
PKI vs ITSO/Oyster ITSO and Oyster are Symmetric =Same Keys PKI is Asymmetric =Different Keys Private key to create ticket (safe on TIS server) Private key to create ticket Private key to check ticket (some risk from key theft) PublicKeyto check ticket (no risk from key theft)
Open PKI Security Model Traceability, and no security risk from theft of scanning devices If private keys are leaked, only the vendor that loses the keys is affected 3rd parties and other EPOS vendors can take part, even taxis and coffee shops can scan and validate cross-sale tickets or entitlements
Easy to Scan and Validate Offline validation from software Add to existing EPOS or gate systems No mobile databases required No synchronisation of valid tickets from one Train or Bus Co. to another (too much data, too unreliable) Enables Walk-up tickets
Forgeries and Copies Isn’t it easy to photocopy a self-print paper ticket? What if a bunch of clever people figure out how to copy mobile tickets? What if one user copies a ticket, gets onto an off-line train, and his friend gets onto a second off-line train?
Anti-Copying Policy Scanners only accept first seen barcode On-line scanners can check for previous scans at other locations Off-line scanners submit scan records back to ticket issuer for post-processing Post processing identifies dual use, and blocks future purchases from the same credit card until fine paid, limiting fraud
Large Data Capacity Sealed by: East Coast Railways Issued by: East Coast Railways Ticket Number: EC0005342103 Issued at Kings Cross 1st Class, Adult, Single, Outbound LTOT: UNK; FTOT: SVR From Oban Station to London Bridge Station Valid from: 2008/08/28 valid on train departing: 18:08 ID Check: Credit Card ending 1241 Name: P. PEARSON Male With Network Railcard £16.34 (Price was discounted) Validity Code: ES Purchase Ref: REF41414A5 Valid 1 day with one extra adult one (1) journey leg: 2008/08/27 18:08Retail Service ID = TS0001; Reserved: Coach C, Seat 24 B Optional ITSO header not included. Extra Entitlement: FREE MUFFIN AT NERO WITH ANY DRINK; REF #572931
Flexible Ticket Data More free space for single TOC products and extra entitlements“Includes free cup of Costa Coffee and 2 Adults entry to Disneyland” Cross sale opportunities can finally make the ticket sales channel work harder, and release more revenue from the whole journey
How to Rollout Barcode? Ask your Web ticket sales system provider to enable barcode ticketing, controlled by route and ticket type Brief revenue enforcement staff on how to perform visual inspection of e-Tickets Advertise it (in stations next to queues best) Gradually add scanners and gate scanners as each route experiences more adoption of eTickets
Soft Rollout of Scanners Free pennies £x,000 £££ £££££
Scanner Options Any barcode scanner, online or off-line, must support: 2D Aztec with CCD imager Handheld Small basic scanners for door staff Advanced PDA based scanners for service staff Bluetooth scanner upgrade for Avantix Mobile 2 Cash Register/EPOS Scanners Connect via USB or as “keyboard wedge” in between keyboard and EPOS like a normal scanner Fixed Scanners for gates or check-outs Retro-fit to existing gates or built in at manufacture by gate supplier User places phone face-down to scan Basic Advanced Bluetooth EPOS Scanner Fixed gate scanner (as fast as Oyster)
Barcode Suppliers Working with established Systems Integrators and suppliers to ensure that innovative barcode services are delivered with industrial scalability and reliability
Benefits of Barcode: Customer Sign-up in the queue (no usernames or passwords) No queues ever again Quicker re-purchase Tickets same price Operator Lower cost per sale No need to expand stations Staged capital expense on scanners
Business Case & User Case People will only try to use new technology to do a regular daily activity… …if the old way of doing it is painful enough to make them try something new. At that moment: offer them a better way.