All my Deutschlandtickets gone: Fraud at an industrial scale [video]
media.ccc.deGermany has missed the digitalisation train, but how long will it continue to miss it for?
At least, transparent issues like this one can only help.
The problem is the lack of centralization - there should obviously only be one issuer of this ticket and thus just only one website / app to keep bug free.
Lack of centralization is one part of it (see also: communal digital services), yes, but the complete lack of standards and guidelines is also a massive issue. I tried buying a Deutschlandticket from the DB Navigator app a while back, and immediately ran into some issues:
- they only take credit card, probably because of the massive SEPA fraud they've had happen
- they require id verification with a third party(!), which then only supports the e-perso(!!) or video ident(!!!), which they could've just used the actual PostIdent service for, which would've provided an alternative for non-smartphone-havers / people who'd rather not have their ID and face recorded by some Eastern European company until the end of time
- their entire authentication system was down when it came to actually purchasing
buying from my local Verkehrsverbund was a single tap in their app instead, with no id verification whatsoever. If DB's offering were the only option it would be an absolute travesty.
> they only take credit card, probably because of the massive SEPA fraud they've had happen
Does Germany not have a free state-run e-payment system such as Austria's EPS? If not, it wouldn't be too hard to implement if there is political will to stop this fraud.
Hetzner does this invasive ID flow for credit cards now. Fortunately they don't bother with PayPal.
Airbnb wanted access to my bank account transaction details (via Plaid) a while ago, "to verify my credit card". Hotels have never looked so appealing.
At some point booking.com decided it doesn't want to accept my money because I'm a fraud, apparently, so I use it to search and then book directly at the hotel, and booking.com doesn't get their commission.
Isn’t that one of the problems mentioned in the video? Being able to buy and get the ticket before the payment is fully validated?
(Or did your local Verkehrsverbund require you to use another payment for the initial purchase other than bank transfer?)
If purchasing via SEPA there's a wait period until the payment has cleared, if payment is done via credit card/[Apple|Google] Pay/PayPal fulfillment is instant.
Or foreigners that don't have German e-persos, because 99% of the time we don't need them.
If you've come to Germany as a foreigner recently you might have it automatically, newer ID cards have it activated
I lived here half on my life, and even though Portuguese ID cards are also electronic, they aren't accepted in such workflows.
I would need to pay 70 euros for one at a Burgerbûro just for that purpose.
The country that lived through pervasive mass state surveillance by secret police for 40 years is unsurprisingly quite cagey about digital centralization of records, even so many years later
Germany has a tendency to wish something into existence with a law, and stop there. No guidelines, no tools, no enforcement. Often not a thought about feasibility. Nothing past the press release.
Sometimes a law will be in effect for two or three years and virtually no one will even know about it. Recycling electronics in supermarkets? Nope. E-Rechnung mandated for all B2B invoices? In your dreams.
I work at the other end of the spectrum, reducing friction for new immigrants to Germany. I find it especially frustrating. I could explain how things should be, but it would be pointless when reality is far more disappointing.
> Germany has a tendency to wish something into existence with a law
After living here five years I've finally realized the same thing - Germany is the country of Rules, often well-intentioned, but no one actually follows them. It's especially damning when those rules actually are important and would protect regular people esp. around labor and housing, but oops zero meaningful enforcement. Wish we'd have 1/10th the rules but people had to actually follow them
As German speaking person, we can be glad it’s not a fax ticket.
Is there a similar ticket, flat for 50 Dollar per month, that takes you through the US? I wonder who pays for the real cost of the ticket, who cleans and repairs the trains, who invests in infrastructure and all that. I always wonder how the germans can pull this off for 50 Euro. Magic.
> I wonder who pays for the real cost of the ticket
Everybody already has local regional tickets anyway. And most people can't be in more then one place at the time anyway. And most people stay in the same region most of the time anyway.
So really you are not losing much compared to having separate local region tickets in a system where the long distance trains are separated.
> who cleans and repairs the trains
The already existing organizations that have run the trains for a long time.
> who invests in infrastructure and all that
The government ...
> I always wonder how the germans can pull this off for 50 Euro. Magic.
Its not magic its just a transportation policy and taxes.
Not sure I understand your point about
Everybody already has local regional tickets anyway. And most people can't be in more then one place at the time anyway. And most people stay in the same region most of the time anyway.
I live in Rostock. So if I want to go to Berlin or Hamburg (you know, where stuff like actual airports are) I am crossing "regional borders" even if it is a 200-250 km trip to each city
Most people don't use regional services to travel long distances. And you pay for proper inter-city services.
The point is, if you are in Hamburg, you are no longer in Rostock. So you are only using regional services in exactly one place.
At least from Rostock to somewhat closer destinations you have both options. There's a bi-hourly IC to Hamburg or Berlin and another bi-hourly RE towards the same destinations. They're not terribly different in terms of travel time, but one is a regional train and one is an inter-city train.
Sure, long distances (I had to travel from Rostock to Tübingen last weekend) are typically not taken with regional trains (although you technically can; I did that as a poor student a few times, it just takes 16 hours instead of 10), but over medium distances (around 2–3 hours) you often have both options.
Continental USA: 8 million square kilometer.
Germany: 0.35 million square kilometer.
On the point of the upkeep, locals know German trains are now legendary for unpunctuality and cancellations, so maybe it's not working. But the answer is obviously (trigger warning for the libertarians...) taxes.
The ticket came about because energy prices went crazy after their energy dealer Putin went crazy and warry, I think it was an attempt to motivate people to take public transport rather than have them moan about fuel prices going way way up...
> Continental USA: 8 million square kilometer.
> Germany: 0.35 million square kilometer.
This does not matter much, since most people do not travel across states, countries, continents, etc on a daily basis. Most people probably travel within a 50 km (30 mile) radius (travelling to and from work, daycare, school, shopping, etc.).
iirc, the average is slightly higher in the US, but this is probably more due to how the US has approached urban planning over the last century or so than to the size of the country.
> But the answer is obviously (trigger warning for the libertarians...) taxes.
I think many people forget the huge societal cost of owning and running cars, including infrastructure maintenance, crash-related deaths and injuries, health conditions caused by crashes, air and noise pollution, climate change, resource extraction, and time lost in traffic. In other words, the savings from reducing these social, health, and environmental costs could easily finance the ticket. A study estimated that a modal shift of 10% to public transit could save Germany about 19 billion Euros a year (https://foes.de/publikationen/2024/2024-04_FOES_OEPNV.pdf).
fyi regional trains (which the deutschlandticket is valid for) are very punctual, it is the long distance/ICE trains that are always late/broken, and you cannot ride those with thw deutschlandticket anyways.
no they are not. source: i am german and i use regional trains occasionally
thats great, but they are on time 85% of the time vs long distance trains' 62%
https://www.deutschebahn.com/de/konzern/konzernprofil/zahlen...
see my other comment too
If you take a train to work five days a week and it's "on time" (not delayed by 6 minutes or more) 85% of the time, you'll be late on at least one day most weeks. Hardly very punctual.
Personally, I think they should just abandon timetables, run trains as fast as they can, and if you need to be somewhere by a certain time, you give the planner a target reliability and it uses a probabilistic model of the entire system to tell you when to leave so you can arrive on time (0 minutes delay, or earlier) with that given probability.
true, the actual word used is less important to me than the distinction between long distance trains and regional trains, since those get conflated quite a bit in this discussion.
Most local and S-Bahn trains in Germany are pretty decent, data is pretty clear on this. Its not Swiss level but still pretty good. Nothing compare to ICE.
not sure what you count RB/RE as, but they are absolutely broken as well in my experience.
The german trains, even at their worst, are so much better than anything in the US. Complaining can also be a sport in Germany. Take a ride on Njtransit or the NYC subway to appreciate the difference. Or try to get anywhere in New Jersey without a car. In many parts of Germany, you can get almost anywhere conveniently with only public transportation.
It's probably worse if it was once reliable and now not, compared to if it's never reliable: if it's never reliable, you've been trained to have a huge safety margin and backup plans, if it's reliable and suddenly it messes up, you're thrown in a new situation and have to think "Shit, what do I do now?". Probably very stressful, and it leads people to avoid the service altogether.
Although apparently NYC subways used to be better too.
what’s going on in New York is irrelevant. The trains in Germany are largely bad. Bad enough that I don’t use them unless I have to. Once they’re at that stage it doesn’t matter how much worse they get for me, I still won’t use them.
I can't say what your experience is and what 'absolutely broken' means. There is data on these things. I can only tell you what the data says. Could be you are in region that is worse then others. Or your definition of 'absolutely broken' is different then most peoples.
Are you crazy? I use local trains daily and they are everything, but punctual. Also, S-Bahn? Worst service ever.
idk what to tell you except that your personal experience does not generalize, see https://www.deutschebahn.com/de/konzern/konzernprofil/zahlen...
the regional trains run by regional orgs rather than db get similar results, e.g. bwegt in baden württemberg or beg in bavaria
https://beg.bahnland-bayern.de/de/aufgaben/kontrollieren/pue...
https://vm.baden-wuerttemberg.de/de/mobilitaet-verkehr/bahn-...
It looks like another system made by politicians to check a box on a list. "Digitalize" is not a purpose, it's a solution to a problem, but for many politicians it's a checkbox on the list of political promises and empty words they sell.
Also in Europe excellence is not rewarded. Nobody become a millionaire by designing and building great IT systems, there is no SV salary to attract and motivate talents, so we are drowning in mediocrity and when the governments are making systems, barely delivering something is the norm. The quality of requirements is very low (who will do better?), the deliverables are either from the lowest bidder or from the party in power friends, depending on the country and project.
Uh, I received a call from my credit card company saying that train tickets were bought using my card in Germany. I told them I haven't been in Germany for the last decade, and was issued a new card.
So at least your credit card issuer (presumably) actually has a working fraud department.
In the private sector, fraud detection is often heuristic based. So this was probably flagged because you didn't buy German railway tickets in the recent past and maybe even you didn't buy anything else in or near Germany.
I remember years ago getting a decline on a credit card transaction to pay for one of my ISPs, and then hours later a phone call. My bank apparently didn't understand (yet, this is years ago) that ISPs are like, not necessarily physically nearby and so since the ISP is on another continent and I had no other nearby transactions it was flagged as likely fraud.
tl;dw please?
There's a summary directly below the video (though its not a very good summary). Basically, it's easily to generate valid tickets with fake bank credentials, which then get canceled later (but after already being resold).
Transit companies are pretty bad at PKI infrastructure and internet security combined with the inefficiencies inherent in German bureaucracy / anti-centralization as well as the inherent insecurity of the SEPA model sometimes make crime possible
"Transcript" it's called :)
That's... a totally different thing. There is actually a summary though below the video.
ChatGPT managed the following given the submitted source URL and the prompt "summarize the key technical facts into two sentences suitable for a hacker news comment".
Deutschlandticket fraud stemmed from decentralization and weak controls: tickets were issued instantly on unverified SEPA debits, and a leaked or mismanaged signing key let attackers mint valid tickets at scale. Poor revocation and fragmented verification meant many fraudulent tickets still scanned as valid, enabling mass resale and huge losses.
This is a good concise summary, regardless of provenance.
Instead of making a fuss, have you considered taking another look at the video page? It includes a summary that helps show why those technical facts are actually relevant in the context of German society, and hints at how those things came to happen. I would normally not bother with a comment, but this time I'm genuinely curious as to how someone might have missed scrolling down to see the summary.
(edit: the fussy bit, where the poster complains about downvotes, has been edited out. I'm leaving my comment the way it is.)
> I'm genuinely curious as to how someone might have missed scrolling down to see the summary.
Pretty simple. On my laptop the video fits 100% in the browser tab and there is no indication that there is more content under it. There is no text except the video title in the portion that I see when the page loads. And the link is marked [video] on HN.
So I simply closed it.
That's fair, appreciate it. I guess some folks were just unlucky.