Public transport ticketing systems are a prime target for hackers. How can they be kept safe?
Ticketing is in the grip of a digital revolution. Smartphones, bank cards and other contactless fare media have now all but replaced traditional cardboard tickets. Meanwhile, new “hands-free” ticketing solutions are fast becoming a reality.
It’s not just tickets that are changing. Digital technology is also changing the journeys we make. Mobility as a Service – MaaS – dramatically expands transport options in cities, so travellers can take advantage of ride sharing and e-mobility, as well as metros, buses and trams.
All of these innovations depend on sophisticated back office ticketing platforms. These are the brains of public transport systems, calculating your fare and ensuring that you are charged exactly the right amount – no matter how complex your journey. Mobile apps are also an increasingly important part of the ticketing ecosystem.
Together, these technologies are helping to make journeys by public transport easier, greener and more attractive than ever. But there are new risks to be managed as well.
Danger! Hackers at work
Cyber-attacks are now a major problem for businesses everywhere – and public transport is no exception. Indeed, research suggests that transportation is more likely to be hacked than sectors such as banking, aerospace and technology.
Ticketing systems are an attractive target for cyber criminals because they contain both personal and financial data. On top of this, attacks on ticketing systems often generate a lot of media attention – a bonus for some hackers.
One factor that makes cybersecurity so challenging is that threats can come from just about any direction. Attackers range from cyber mercenaries to cyber terrorists, as well as disgruntled employees and recreational hackers. Motives for cyber-attacks include extortion, attempts to spread propaganda, state-sponsored interference and terrorism.
Whatever the motive, the consequences for transport operators and passengers can be disastrous. Impacts include theft of personal data and IP, loss of revenue, exposure to extortion, travel disruption, regulatory sanctions and reputational damage. Not surprisingly, finding ways to protect ticketing systems is now a top priority.
How can we help?
Thales is a leader in digital ticketing technology and our back office system for account-based ticketing – TRANSCITY™ – is trusted in several cities around the world. TRANSCITY™ is Cybersecured by Design, which means that cybersecurity is an integral part of the system architecture.
As well as delivering systems that are secure, we work by our customers side to make sure that everything stays compliant throughout the life of the solution. Our services include cybersecurity risk assessments, training, maintenance and patching, security monitoring, operations support, incident management and recovery.
Thales offers deep domain knowledge across the entire cybersecurity spectrum:
Cybersecurity strategy – full strategy definition for fare collection systems, including ticketing system requirements, communications network requirements and equipment requirements – including systems using contactless EMV bank cards.
Smartphones and smart media – Thales can help you to develop a strategy to safely integrate smartphones and other smart media into your ticketing system. This is an area which requires expert assistance, because heterogeneous security architectures and capabilities will need to be accommodated.
Key management – this ensures continuous security of the ticketing system over time and across all of your installed equipment.
Mastery of standards and regulations – these include ISO/IEC 27001:2013, ISO/IEC 27002:2013, CLC/TS 50701:2021, IEC 62433 series, NIST Cybersecurity Framework and the GDPR.
Our unique expertise helps you to protect your passengers, assets and operations – providing you with peace of mind and helping to build a future we can all trust.