— by Lin McNulty —
Does this solve part of the mystery? Perhaps. At least it puts to rest the chatter in my head about how this theft of valid ticket numbers could have happened. I was seeing an “inside job” by someone at the Anacortes landing, or a hack of the Ferry’s computer system. Nothing else made sense to me.
Never would I have guessed how easy it might have been. So stop looking for a computer genius who pulled off this caper.
Armed with two valid WAVE2GO ticket numbers, I was able to go online to the WSF website and, within minutes, find five additional valid ticket numbers.
The ticket numbers are 18 digits long, making it seemingly implausible to guess a valid number. However, the first 12 numbers seem to be constant, with only the last six as variables. The last two numbers of the known ticket number I checked were “22.” I was then able to find valid numbers at 24, 33, 38, 42 and 44.
I consider this a true DUH! moment for Washington State Ferries. Perhaps for a few dollars more, they could have acquired a random number generator for ticket numbers.
Fortunately, WSF has since changed their policy of accepting handwritten ticket numbers for passage on all routes, even though it appears that this fraudulent use only occurred for Anacortes to Orcas rides (with possibly one unconfirmed ride to Lopez). They now require the ticket, or a photocopy thereof, to be in the possession of the ferry passenger when checking in at all ferry terminals.
Looking back on this system, however, it would not have been difficult for any of us to go to the WSF website and find a valid number in minutes. Good thing most of us are honest. And to reiterate…this will no longer work for getting you a free ride.
Security through obscurity is not much security at all. This was the obvious hack 5 minutes after the story broke.
I notice they still accept photocopies. Hope they decide to randomize the ticket numbers a bit more and put some sort of hard checksum in the barcode, which at the moment simply appears to contain the ticket number. A few moments with Photoshop and a printer and you could still produce valid ticket “photocopies”.
Thank you Lin for your great investigative reporting. Brian, I like your solution but considering that this is the WSF system after all – I think that their vendor’s eyes are getting crossed by now trying to figure what a checksum is. An easy solution could perhaps be that when the ticket is purchased either online or from the agent, the customer could be asked to input a 3 or 4 digit PIN to be associated with the ticket’s barcode/number, then that PIN is entered by the customer at the ticket booth next time they use it.
I’d hate to lose the flexibility of sharing my card with my family because the current digits are easily hackable.
Tony – if their vendor can’t have a prototype up in an afternoon of a system that makes it “hard” for end-users to make up fake ticket images, they need a new vendor :-)
The necessary software libraries are open-source, and not rocket science.
It might take weeks-to-months to roll out the patches to the sales terminals and readers, but still – they’d have to do that anyways to implement a PIN system. And I always forget my PINs :-)
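A sketch of the barcode checksum suggested in the comments above, added here as an example; it is not code from WSF, its vendor, or any commenter. It assumes a hypothetical payload layout (an 8-byte random ticket ID followed by a truncated HMAC-SHA256 tag) and a secret key held only by the sales terminals and readers.

```python
import hashlib
import hmac
import secrets

ID_LEN = 8    # bytes of random ticket ID (assumed layout, not WSF's format)
TAG_LEN = 10  # bytes of HMAC-SHA256 kept in the barcode (80 bits)


def issue_ticket(key: bytes) -> str:
    """Return a hex barcode payload: unpredictable ticket ID plus keyed tag."""
    ticket_id = secrets.token_bytes(ID_LEN)  # random, so nothing to count up from
    tag = hmac.new(key, ticket_id, hashlib.sha256).digest()[:TAG_LEN]
    return (ticket_id + tag).hex()


def verify_ticket(key: bytes, payload: str) -> bool:
    """Reader-side check: accept only payloads whose tag matches the ID."""
    try:
        raw = bytes.fromhex(payload)
    except ValueError:
        return False
    if len(raw) != ID_LEN + TAG_LEN:
        return False
    ticket_id, tag = raw[:ID_LEN], raw[ID_LEN:]
    expected = hmac.new(key, ticket_id, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def neighbours_accepted(key: bytes, payload: str, span: int = 50) -> int:
    """Regression check for the flaw in the article: count how many payloads
    built from the next `span` ticket IDs (reusing the known tag) verify."""
    raw = bytes.fromhex(payload)
    base = int.from_bytes(raw[:ID_LEN], "big")
    tag = raw[ID_LEN:]
    hits = 0
    for delta in range(1, span + 1):
        candidate_id = ((base + delta) % 2 ** (8 * ID_LEN)).to_bytes(ID_LEN, "big")
        hits += verify_ticket(key, (candidate_id + tag).hex())
    return hits


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed key for the demo only
    ticket = issue_ticket(demo_key)
    print("payload:", ticket)
    print("valid:", verify_ticket(demo_key, ticket))
    print("nearby IDs accepted:", neighbours_accepted(demo_key, ticket))
```

The tag stops made-up numbers from verifying, but a copy of a genuine barcode still verifies, so the reader must keep checking the ticket's remaining rides against the back end.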
Told ya so…..it did not take a rocket scientist–just a crook to actually follow through on the easy loophole. Ruins it for the rest of us who on occasion would like to continue to use numbers to get our loved ones home.
Just wait to see the reservation system if you think the Wave2Go was a problem.
Most often, the reason ferries are late or cancelled lately is because they don’t have enough qualified crew to make it happen. Sounds like having qualified employees isn’t a problem just with the boat crews. It’s a known fact that if your computer consultant is over 16 years old, you probably aren’t going to get a fix that will last past Halloween. Wonder if WSF knows that?
Bravo Lin McNulty…
Thank you Lin and Orcas Issues for your investigative reporting – for taking the time for this, which it doesn’t seem either WSF or the cops were willing to do. Bravo for true “community journalism”.
And I agree whole-heartedly with John Polleti’s comment above.
Thank you Lin for this good work!