Hacking UK train tickets for fun, but not for profit

Presented at May Contain Hackers (MCH2022), July 23, 2022, 6:40 p.m. (30 minutes).

We take a scenic tour through the origins of the UK train ticket, from the original BR specification in the 1970s through to modern replacements like mTickets, eTickets and ITSO.

This is just a detour though, and we'll focus on the 'orange ticket' (RSP 9399/9599) - which continues to be a stalwart of the UK rail network. Surely they can't be that secure? After all, anyone can encode a magstripe - right?

We'll take a look through the data encoded on these tickets, what interesting things you can do with them and maybe (assuming I've got it working by then) we'll be able to read and write our own!


Presenters:

  • Hugh Wells
    Site Reliability Engineer, payments nerd and hackathoner. Doing SRE at WORTH Internet Systems, previously public sector digital things at London Borough of Hackney and the JAC. Ex-Mastercard Dispute Resolution at Monzo and RHUL alum. Serial hackathon & event organiser (RoyalHackaway, HackTheMidlands, UKGovcamp), flies light aircraft and messes around with servers.
