
2.1 Design of electronic machine-readable tickets

...

This means that the risk of travelers copying machine-readable travel documents between themselves, so that several passengers travel on the same ticket, must be handled. This should be done through a combination of measures, including:

  • strict limitation of the machine-readable travel documents' validity time, and

  • validating and "punching" of the machine-readable travel documents in the back-end ticketing system.

When the machine-readable travel document is stored in an app on a mobile device, additional layers of protection against copying can be imposed. The machine-readable travel document can be tied to the mobile device in such a way that copying is made much more difficult. Time information from the mobile device's technical environment can be used to create variable data fields related to the ticket information, making the ticket valid only at that moment.

...

For this reason, it is reasonable to limit the ticket's validity time. Which validity-time constraints are appropriate is determined by how often a ticket can be renewed from the back-end systems. For example, the purchase of a travel pass valid for one month may result in daily tickets being issued that are each valid for 48 hours. This can be achieved by limiting the validity of the issuer signature rather than the ticket's own validity. It also allows the mobile device to be disconnected for some time and still obtain the updated ticket information before the previous one expires. In this way, the risk that ticket information of more significant value is copied between devices can be mitigated. In some systems, it may also be possible to issue the ticket just before the trip starts, and to make it apply only to that particular trip, further limiting the validity of the ticket information.

2.4.2 Device Signature protection

In addition to restricting the MTB lifetime, this specification allows for an extra level of protection using the Device Signature as previously described. Even though the device's keys can be hidden in the device itself using obfuscation techniques, it must be recognized that some of these keys can, and probably will, be compromised. A good practice to mitigate this risk is to generate new device keys with some frequency.

...

If there are signs that a ticket may have been copied, this can trigger the ticket to be put on a blacklist, which is promptly distributed to all validation devices on which the ticket would otherwise be valid. Such a function can suppress systematic fraud attempts where reliable synchronous online validation may not be possible.

2.4.4 Fraud detection and suppression

Even when using limited MTB lifetimes and dynamic Device Signatures, the risk of duplication of MTBs cannot be completely eliminated. There is a balance between practicality and how short the lifetimes of an MTB and of the Device Signatures can be made. Inevitably, there will be a time window in which it is possible to (re)distribute an MTB for use by more than one traveller.
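The measures described in 2.1 through 2.4.4 (a short issuer-signature validity window, a time-varying Device Signature from a registered and rotatable device key, punching against the back end, and blacklisting on signs of copying) fit together in one validation flow. The Go program below is an added example written for this page; it is not MTS1 code and does not use the specification's wire format. The ticket layout, the "|"-separated canonical strings, the device-key registry, the one-minute clock-skew tolerance and the ten-minute "two validators too close in time" heuristic are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Ticket is a hypothetical MTB payload (assumed for this example, not the MTS1 wire format).
// The issuer signature binds it to one device and to a short validity window, e.g. 48 h.
type Ticket struct {
	ID, DeviceID        string
	NotBefore, NotAfter time.Time
	IssuerSig           []byte
}

// ticketBytes is the canonical byte string covered by the issuer signature.
func ticketBytes(t Ticket) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%d", t.ID, t.DeviceID, t.NotBefore.Unix(), t.NotAfter.Unix()))
}

func Issue(issuer ed25519.PrivateKey, id, device string, from time.Time, validity time.Duration) Ticket {
	t := Ticket{ID: id, DeviceID: device, NotBefore: from, NotAfter: from.Add(validity)}
	t.IssuerSig = ed25519.Sign(issuer, ticketBytes(t))
	return t
}

// Presentation is what the app shows: the ticket plus a Device Signature over it and the current time.
type Presentation struct {
	Ticket    Ticket
	Timestamp time.Time
	DeviceSig []byte
}

func presentationBytes(p Presentation) []byte {
	return []byte(fmt.Sprintf("%s|%x|%d", ticketBytes(p.Ticket), p.Ticket.IssuerSig, p.Timestamp.Unix()))
}

func Present(t Ticket, devKey ed25519.PrivateKey, now time.Time) Presentation {
	p := Presentation{Ticket: t, Timestamp: now}
	p.DeviceSig = ed25519.Sign(devKey, presentationBytes(p))
	return p
}

type DeviceKey struct{ Pub ed25519.PublicKey; Expires time.Time } // registered device key and its retirement time

type punch struct{ validator string; at time.Time } // where and when a ticket was last punched

// Backend models the ticketing back end that validators punch tickets against.
type Backend struct {
	IssuerPub       ed25519.PublicKey
	Devices         map[string]DeviceKey
	Blacklist       map[string]bool // promptly distributed to every validator
	lastPunch       map[string]punch
	MaxSkew, MinHop time.Duration // clock-skew tolerance; assumed minimum travel time between two validators
}

func NewBackend(issuerPub ed25519.PublicKey) *Backend {
	return &Backend{IssuerPub: issuerPub, Devices: map[string]DeviceKey{}, Blacklist: map[string]bool{},
		lastPunch: map[string]punch{}, MaxSkew: time.Minute, MinHop: 10 * time.Minute}
}

// Validate runs the checks a validator performs and then punches the ticket.
func (b *Backend) Validate(validator string, p Presentation, now time.Time) error {
	t := p.Ticket
	switch dk, ok := b.Devices[t.DeviceID]; {
	case b.Blacklist[t.ID]:
		return errors.New("ticket is blacklisted")
	case !ed25519.Verify(b.IssuerPub, ticketBytes(t), t.IssuerSig):
		return errors.New("bad issuer signature")
	case now.Before(t.NotBefore) || now.After(t.NotAfter):
		return errors.New("issuer signature outside its validity window")
	case !ok || now.After(dk.Expires):
		return errors.New("unknown or retired device key")
	case !ed25519.Verify(dk.Pub, presentationBytes(p), p.DeviceSig):
		return errors.New("bad device signature")
	case now.Sub(p.Timestamp) > b.MaxSkew || p.Timestamp.Sub(now) > b.MaxSkew:
		return errors.New("device signature timestamp is stale")
	}
	// Punch. A sign of copying (e.g. a compromised device key) is the same ticket punched at two validators too close in time.
	if q, seen := b.lastPunch[t.ID]; seen && q.validator != validator && now.Sub(q.at) < b.MinHop {
		b.Blacklist[t.ID] = true
		return fmt.Errorf("ticket %s punched at %s and %s within %s: copied", t.ID, q.validator, validator, b.MinHop)
	}
	b.lastPunch[t.ID] = punch{validator, now}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	be, now := NewBackend(issuerPub), time.Now()
	be.Devices["phone-A"] = DeviceKey{devPub, now.Add(30 * 24 * time.Hour)}
	tk := Issue(issuerPriv, "T-001", "phone-A", now, 48*time.Hour)
	fmt.Println("validation:", be.Validate("bus-12", Present(tk, devPriv, now), now))
}
```

The checks are ordered so that the distributed blacklist is consulted before any signature is verified, and the Device Signature is accepted only from the key registered to the device the issuer bound the ticket to, so a ticket copied to another device fails before the back end is consulted at all. A copy made together with the device key passes those checks, which is the time window 2.4.4 describes; the punch log is what closes it, by blacklisting the ticket for every validator when it turns up at two validators within the assumed travel time. Rotating a device key is simply registering a new DeviceKey with a later expiry.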

...

When developing a ticketing system with electronic tickets, an implementor must take into account the requirements to protect travelers' privacy. Large-scale collection of personally identifiable information (PII) in the central system may not lead to the ability to map an individual's private life. Public transport authorities are prohibited from making significant intrusions into individuals' personal privacy if this is done without consent and involves monitoring or mapping of the individual's personal life. This is regulated in the Swedish constitution (2 kap. 6 § regeringsformen). All transport companies, whether public or private, are required by law to minimize the amount of personal data processed, and thus must not collect more personal information than is necessary for the purposes of the processing. This follows from the Swedish Personal Data Act, Personuppgiftslagen 9 § f (SFS 1998:204), and the upcoming Data Protection Regulation (General Data Protection Regulation (EU) 2016/679), Article 23.1. It should in this context be noted that the processing of data relating to legal offenses is specifically regulated by 21 § of the Swedish Personal Data Act (SFS 1998:204).

...

The security of the machine-readable travel documents relies heavily on strong cryptographic mechanisms to secure data integrity and data origin authentication. Maintaining the confidentiality of the private keys is therefore of utmost importance. The confidentiality of cryptographic keys can be compromised in a number of different ways, for instance:

  • The key generation process may be flawed, resulting in weak keys.

  • The keys may be exposed by human error.

  • The keys may be stolen by external or internal perpetrators.

  • The keys may be calculated using cryptanalysis.

The least probable of these risks can be assumed to be that the keys are compromised through cryptanalysis. To mitigate this risk, the MTS1 specification includes a fallback signature algorithm based on a different mathematical problem than the primary one.
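As an added example of such a fallback (not MTS1 code; the page does not name the algorithms, so the concrete pairing is an assumption made for the example): the issuer signs every ticket with both ECDSA over P-256 and RSA-PSS, two schemes resting on different mathematical problems, and validators verify with whichever scheme their policy currently trusts. The `Validate` call on the generated RSA key is a basic sanity check of the key material, not a complete defence against flawed key generation.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Algorithm names one of two signature schemes. The pairing is an assumption for this
// example: the primary rests on the elliptic-curve discrete logarithm problem and the
// fallback on integer factoring, so a single mathematical break does not defeat both.
type Algorithm int

const (
	Primary  Algorithm = iota // ECDSA over P-256
	Fallback                  // RSA-PSS with a 2048-bit modulus
)

// Issuer holds both private keys and signs every ticket with both of them.
type Issuer struct {
	ec     *ecdsa.PrivateKey
	rsaKey *rsa.PrivateKey
}

func NewIssuer() (*Issuer, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	r, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// Basic sanity check of the generated key material (catches some flawed generation).
	if err := r.Validate(); err != nil {
		return nil, err
	}
	return &Issuer{ec: ec, rsaKey: r}, nil
}

// Signed carries the ticket bytes and one signature per algorithm, so validators can
// switch algorithms without tickets having to be re-issued.
type Signed struct {
	Payload []byte
	Sig     map[Algorithm][]byte
}

func (i *Issuer) Sign(payload []byte) (Signed, error) {
	digest := sha256.Sum256(payload)
	ecSig, err := ecdsa.SignASN1(rand.Reader, i.ec, digest[:])
	if err != nil {
		return Signed{}, err
	}
	rsaSig, err := rsa.SignPSS(rand.Reader, i.rsaKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: map[Algorithm][]byte{Primary: ecSig, Fallback: rsaSig}}, nil
}

// Validator verifies with whichever algorithm its policy currently trusts; the other
// signature is ignored, which is what makes a switch meaningful once the primary is presumed broken.
type Validator struct {
	ecPub   *ecdsa.PublicKey
	rsaPub  *rsa.PublicKey
	Trusted Algorithm
}

func NewValidator(i *Issuer) *Validator {
	return &Validator{ecPub: &i.ec.PublicKey, rsaPub: &i.rsaKey.PublicKey, Trusted: Primary}
}

func (v *Validator) Verify(s Signed) error {
	digest := sha256.Sum256(s.Payload)
	sig, ok := s.Sig[v.Trusted]
	if !ok {
		return errors.New("ticket carries no signature for the trusted algorithm")
	}
	if v.Trusted == Primary && ecdsa.VerifyASN1(v.ecPub, digest[:], sig) {
		return nil
	}
	if v.Trusted == Fallback && rsa.VerifyPSS(v.rsaPub, crypto.SHA256, digest[:], sig, nil) == nil {
		return nil
	}
	return errors.New("bad signature for the trusted algorithm")
}

func main() {
	iss, _ := NewIssuer()
	s, _ := iss.Sign([]byte("constructed ticket payload"))
	v := NewValidator(iss)
	v.Trusted = Fallback // primary presumed compromised: fail over to the other problem
	fmt.Println("verified with fallback:", v.Verify(s))
}
```

Because both signatures travel with the ticket from the start, switching the validator fleet from Primary to Fallback is a configuration change rather than a re-issuance; the cost is a larger ticket. A validator in fallback mode ignores the primary signature entirely, which is the point: a signature from a scheme presumed broken must add no trust.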

...