Post related to my last question about Deutschland-Job-Ticket and avoiding Google, a company the transportation authority seems to have a deal with.
Some of you have suggested I download a pkpass file. Great! Let me download something so I can save it to my phone!
Nope, the Google icon I pasted in my first post (see here as well) simply redirects me to a Google service to CREATE A F&#(#&% ACCOUNT WITH THEM!!
motherf*$)#(#…
I just learned what a pkpass file is because some of you seem to know this technology, but ain’t it an Apple technology?
Second question is, how widespread is the use of pkpass in Germany for travel documents and for Android devices? I don’t know if most of the people answering this question are people not residing in Germany.
And yet another question, if I send an email asking the transportation authority what kind of technology they use for travel documents, if they provide any alternative to Google or any way to download the ticket in either pkpass format or any other format that doesn’t require me to give my personal data to a data grabber, if they provide plastic travel cards to people that won’t allow their data to be used by Google, what are the chances they won’t ignore me or outright laugh at me?
When I cross the Atlantic I pdf or screenshot the plane ticket. Never had a problem. Why can’t this be like that?
I had this discussion with someone checking my ticket once. The argument being that you could share the screenshot with multiple people.
The TL;DR is that this is not true and comes from a lack of digital understanding.
For the long explanation: copying the ticket with a screenshot does provide a smaller hurdle for “copying” tickets, but the alternative is downloading the ticket on a second phone, which is no hurdle at all. Even if it were restricted to one phone, I could back up my apps and restore the backup on a different phone. For every 10 ft wall there will be a 12 ft ladder, because: you can’t trust the user’s phone. They have full control of it.
Which is why the tickets have a UIC918.3 Aztec Code on them (what people call QRCode), which has a digital signature. Basically there are pairs of public and private keys (one per issuer of tickets), and the list of public keys is on the device checking your ticket. Without the knowledge of a private key, signing a ticket is statistically impossible (else there would be a lot of bigger problems worldwide).
That is why every control should check your ID regardless. Because the barcode does not identify you! Their assumption that a valid ticket means you are the owner is not reasonable! And yet they do.
In another comment a user claimed that changing the name on the ticket would be thinkable; it is not. What has happened in the past with issuers of “fake” tickets is that someone got access to the private key of a local train company and was able to sign tickets in their name. (Don’t confuse “normal” signatures with digital ones: this is not like forging a signature on a cheque, but more like finding a chequebook full of presigned cheques.)
After this discussion, I made a test. I saved the online (HTML) version of the ticket, changed the text around it to say I was the owner of the rail network (instead of the owner of the ticket) and changed my birthday to 69.69.420. The barcode I would download once a month, and replace it in the ticket (because again, that is the only unfakable part and in case someone would scan it I would like for it to be valid)… And never had issues with it again.
So basically I made an obviously fake but elaborate screenshot, and because something moves on it I never had issues with it. Which sucks, because in the end, it is the illusion of security that is the biggest danger to actual security.
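The signature check described in the comment above, as an added example that is not part of the original thread: the inspector's device holds only issuer public keys, so a byte-for-byte copy of a ticket verifies just like the original, while an edited name or an unlisted issuer does not. Ed25519 from Go's standard library stands in here for whatever signature algorithm the real barcode uses, and the `Ticket` struct, issuer names and payload strings are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Ticket is a constructed stand-in for the barcode content, not the UIC 918.3 layout.
type Ticket struct {
	Issuer  string // tells the inspector's device which public key to use
	Payload []byte // holder name, validity and so on
	Sig     []byte // issuer's signature over Payload
}

// issue is the ticket shop side: it needs the issuer's private key.
func issue(issuer string, priv ed25519.PrivateKey, payload string) Ticket {
	return Ticket{issuer, []byte(payload), ed25519.Sign(priv, []byte(payload))}
}

// check is the inspector side: it only holds the list of issuer public keys.
func check(keys map[string]ed25519.PublicKey, t Ticket) bool {
	pub, known := keys[t.Issuer]
	return known && ed25519.Verify(pub, t.Payload, t.Sig)
}

// demo returns verdicts for: original, byte-for-byte copy, edited name, unlisted issuer.
func demo() [4]bool {
	pubA, privA, errA := ed25519.GenerateKey(rand.Reader)
	_, privX, errX := ed25519.GenerateKey(rand.Reader) // key the inspector does not list
	if errA != nil || errX != nil {
		panic("key generation failed")
	}
	keys := map[string]ed25519.PublicKey{"issuer-A": pubA} // constructed issuer name

	orig := issue("issuer-A", privA, "name=Erika Mustermann;valid=2024-05") // constructed data
	shot := Ticket{orig.Issuer, append([]byte(nil), orig.Payload...), append([]byte(nil), orig.Sig...)}
	edited := orig
	edited.Payload = bytes.Replace(orig.Payload, []byte("Erika"), []byte("Max"), 1)
	rogue := issue("issuer-X", privX, "name=Max Mustermann;valid=2024-05")

	return [4]bool{check(keys, orig), check(keys, shot), check(keys, edited), check(keys, rogue)}
}

func main() {
	fmt.Println(demo()) // the copy verifies, so only an ID check ties a ticket to a person
}
```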
Your airplane ticket or your public transport / d-bahn ticket?