teddyt

joined 4 months ago
[–] teddyt@feddit.org 3 points 1 day ago (1 children)

This makes no sense. How does the train ticket identify the rightful owner without checking their ID? Instead of a screenshot, couldn't a person just download someone else's ticket in the app? How are these two different?

[–] teddyt@feddit.org 3 points 1 day ago (1 children)

This is untrue.

The idea of manipulating the name is not feasible. And if it were, it would not be used to fake Deutschlandtickets, but rather anything else that needs cryptography and brings in far more money.

People are either selling tickets that are not scannable, scan with the wrong name, or in one case, got access to the private key of a regional provider and had the possibility to legally sign tickets. These tickets were then indistinguishable from legal ones, because they were legal ones (for the purposes of the system). But these tickets would also have been valid if they were not screenshots.

[–] teddyt@feddit.org 5 points 1 day ago (1 children)

When I cross the Atlantic I save a PDF of or screenshot the plane ticket. Never had a problem. Why can't this be like that?

I had this discussion with someone checking my ticket once. The argument being that you could share the screenshot with multiple people.

The TL;DR is that this is not true and comes from a lack of digital understanding.

For the long explanation: copying the ticket with a screenshot does provide a smaller hurdle for "copying" tickets, but the alternative is downloading the ticket on a second phone, which is no hurdle at all. Even if it were restricted to one phone, I could back up my apps and restore the backup on a different phone. For every 10 ft wall there will be a 12 ft ladder, because: you can't trust the user's phone. They have full control of it.

Which is why the tickets have a UIC 918.3 Aztec Code on them (what people call a QR code), which has a digital signature. Basically there are pairs of public and private keys (one per issuer of tickets), and the list of public keys is on the device checking your ticket. Without knowledge of a private key, signing a ticket is statistically impossible (else there would be a lot of bigger problems worldwide).

That is why every control should check your ID regardless. Because the barcode does not identify you! Their assumption that a valid ticket means you are the owner is not reasonable! And yet they do.

In another comment a user claimed that changing the name on the ticket would be thinkable; it is not. What has happened in the past with issuers of "fake" tickets is that someone got access to the private key of a local train company and was able to sign tickets in their name. (Don't confuse "normal" signatures with digital ones: this is not like forging a signature on a cheque, but more like finding a chequebook full of pre-signed cheques.)

After this discussion, I ran a test. I saved the online (HTML) version of the ticket, changed the text around it to say I was the owner of the rail network (instead of the owner of the ticket) and changed my birthday to 69.69.420. The barcode I would download once a month and replace in the ticket (because again, that is the only unfakable part, and in case someone scanned it I wanted it to be valid)... And never had issues with it again.

So basically I made an obviously fake but elaborate screenshot, and because something moves on it I never had issues with it. Which sucks, because in the end, it is the illusion of security that is the biggest danger to actual security.
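The two separate questions an inspector has to answer here, "is the barcode genuine?" and "is the person showing it the holder?", as an added illustration that is not part of the original comment. It uses Go's standard-library Ed25519 as a stand-in signature scheme and a constructed JSON payload; neither the key material, the field layout, nor the issuer name "regio-x" is taken from UIC 918.3 or any real provider.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
)

// Ticket stands in for the signed fields of a barcode payload (constructed, not the UIC layout).
type Ticket struct {
	Issuer string `json:"issuer"` // selects the public key used to verify
	Name   string `json:"name"`   // holder name, covered by the signature
}

// Barcode is what the Aztec code carries: payload bytes plus the issuer's signature over them.
type Barcode struct{ Payload, Sig []byte }
// CheckResult keeps the two inspector questions apart: genuine barcode vs. right person.
type CheckResult struct{ Authentic, HolderMatch bool }

// issue signs the payload; only the holder of the issuer's private key can produce this.
func issue(priv ed25519.PrivateKey, t Ticket) Barcode {
	p, _ := json.Marshal(t) // cannot fail for a struct of plain strings
	return Barcode{Payload: p, Sig: ed25519.Sign(priv, p)}
}

// inspect verifies against the trusted key list, then compares the signed name with the ID shown.
func inspect(trusted map[string]ed25519.PublicKey, bc Barcode, idName string) CheckResult {
	var t Ticket
	if json.Unmarshal(bc.Payload, &t) != nil {
		return CheckResult{}
	}
	pub, ok := trusted[t.Issuer]
	if !ok || !ed25519.Verify(pub, bc.Payload, bc.Sig) {
		return CheckResult{} // unknown issuer or altered payload: not genuine
	}
	return CheckResult{Authentic: true, HolderMatch: t.Name == idName}
}

// demo presents one constructed ticket three ways: by its owner, as a copied barcode shown by
// someone else (a screenshot), and with the signed name edited after signing.
func demo() (owner, copied, edited CheckResult) {
	seed := bytes.Repeat([]byte{7}, ed25519.SeedSize) // constructed seed, not a real issuer key
	priv := ed25519.NewKeyFromSeed(seed)
	trusted := map[string]ed25519.PublicKey{"regio-x": priv.Public().(ed25519.PublicKey)}
	bc := issue(priv, Ticket{Issuer: "regio-x", Name: "Erika Mustermann"})
	owner = inspect(trusted, bc, "Erika Mustermann")
	copied = inspect(trusted, bc, "Max Mustermann")
	forged := Barcode{Payload: bytes.Replace(bc.Payload, []byte("Erika"), []byte("Maxim"), 1), Sig: bc.Sig}
	edited = inspect(trusted, forged, "Maxim Mustermann")
	return
}
```

The copied barcode verifies exactly like the original, which is why only the name comparison against an ID tells the owner apart from someone holding a screenshot; the edited payload fails verification because the signature no longer covers it.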

[–] teddyt@feddit.org 56 points 1 week ago (2 children)

Thought this was about this tesseract

[–] teddyt@feddit.org 9 points 1 week ago

Such incidents are "unfortunately not isolated cases, but happen again and again," says Germany's new interior minister Alexander Dobrindt (CSU).

Oh, so we agree on that!

"The police don't need scepticism, they need backing from politicians."

NVM, thought this was about police lies...