Sunday, 21 August 2011

Brief look at SMS tickets of "De Lijn"

De Lijn, a public transportation company in Belgium, allows you to pay for your journey with a mobile phone. This is done by sending a SMS containing the letters “DL” to the number 4884. You then receive a conformation SMS that is similar to the following: “10* Valid on all vehicles of De Lijn on 18/08/2011 until 08h58. Price: 1,30 EUR 0758T18bk311Z4u429918”.

The readable date, hour and price are clearly to inform the user about the ticket he/she purchased. The code at the end seems to be an authentication code that might be used to check if your ticket is legitimate and not a counterfeit. The first number/symbol in the SMS also appears to have a special purpose as it’s not immediately clear for what it stands. The question is now how secure this system is.

According to the information page knowing your mobile phone number is enough to verify if you actually bought a ticket. This is again confirmed in the FAQ section in the answer to “What if my mobile phone’s battery is flat”. Here they state that in such an event you must give your phone number. They also say that a forwarded SMS ticket can be recognized as invalid, which is reasonable considering the ticket is registered to the phone number that paid for the ticket. From this it’s clear that you cannot cheat the system by trying to construct a fake SMS ticket, they don’t even need to see the code in the SMS to verify you bought the ticket! It means they store every SMS ticket sold combined with the phone number of the customer.

Nevertheless, the codes and numbers contained in the SMS ticket are still interesting. Let’s first collect a list of valid tickets by using the system and write down the information in an organized list:

Sender            Nr    Date        Hour  Code

+32476136809      09*   19/08/2011  17:41 1641t19bk527Q6a444464
+32476136808      08-   19/08/2011  08:50 0750s19rm527Q6f438993
+32476136804      04+   18/08/2011  18:42 1742S18zk527Z4c436361
+32476136810      10*   18/08/2011  08:58 0758T18bk527Z4u429918
+32476136803      03*   18/08/2011  08:51 0751G18uz527Z4g429841
+32476136803      03+   18/08/2011  08:51 0751G18vz527Z4k429838
+32476136815      15*   28/07/2011  20:26 1926L28tw527J1a265124
+32476136813      13/   28/07/2011  13:44 1244I28us527J1n260332
+32476136816      16/   06/05/2011  19:39 1839E06em527S4g349355
+32476136805      05/   05/02/2011  16:44 1544f05vi527Z4m707955

From this we can derive several things. The first code 1641t19bk527Q6a444464 will be used to illustrate these observations:
  • Multiple phone numbers are used to send the ticket. The first two digits of the SMS ticket (see the column named "Nr") correspond to the last two digits of the phone number that send the ticket to the customer. For the first ticket in the list the first two digits are 09* and the sender was +32476136809.
  • The first four digits of the ticket code denote the time of when the SMS ticket was created/purchased. In the example code that time is 16:41.
  • The sixth and seventh digit stand for the day of the month the ticket was requested. In the example this is the 19th of the month.
  • The three digits in the middle of the code are the last three digits of the phone number that requested the SMS ticket. In the example the phone number of the customer is of the form 04xx/xxx527.
  • Although the meaning is still unknown, the following letter and number (in the example Q6) are correlated with the date the ticket was bought on. Notice that for tickets that are bought on the same day the number is always the same for every ticket.
  • The laster number is a counter that increases for every ticket created. In the example this number is 444464. This can be clearly seen from the two tickets bought on 18/08/2011 at 08:51. The first one has a number of 429838 and the second 429841. When this counter reaches 999999 it appears to be simply reset to zero.
  • It's unknown what the other letters/digits are for.
The reason some of this info is easy to reverse engineer is probably so the bus driver can do a basic check of the code himself. Using the first two digits he can check if the ticket has been received from the correct phone number and with the first four digits of the ticket code he can confirm how long the ticket is valid. Even though such checks don't guarantee security, it does increases the practical usability of the ticket code. But as already mentioned, you cannot cheat the system. Since they record every ticket sold an inspector will notice the counterfeit ticket is not in this list, and thus know you haven't paid anything.