...
When designing a mobile ticket scheme using the BoB specifications, several important security aspects must be considered. These can not pre-emptively be accounted for in this handbook, but must be identified, categorized and analysed though a continuous risk evaluation process. As input to the risk analysis the following topics should be taken into account:
2.4.1
...
Maskinläsbara biljetter som distribueras till resenären via till exempel App eller e-post kan kopieras. Även om biljettinformationens äkthet och integritet kan säkerställas genom starka kryptografiska metoder, finns det inga möjligheter att avgöra om kopiering ägt rum.
...
Tickets' validity time
Machine-readable tickets distributed to travelers through for example an App or e-mail can be copied. Although ticket information authenticity and integrity can be ensured through strong cryptographic methods, there is no way to determine whether copying has taken place.
For this reason, it is reasonable to limit the tickets validity time. What validity time constraints are appropriate is determined by how often it is possible to re-new a ticket using the back-end systems. For example, a purchase of a travel pass which is valid for one month, may result in daily tickets being issued which is valid for 48 hours. This can be achieved by limiting the validity of the issuer signature rather than the ticket's own validity. It also allows the mobile device to be disconnected for some time, and still obtain the updated ticket information before the previous one expires. This way, the risks of ticket information of more significant value is copied between devices can be mitigated. In some systems, it may also be possible to issue the tickets just before the trip is started and might also only apply to that particular trip, thus further limiting the ticket validity of the information.
2.4.2 Device Signature protection
...