Why Passenger Rail Needs to Adopt Decentralised Digital Identity Technology
There is no more need to wait in line behind a ticket machine; struggle with the machine’s bad user interface; rush because you worry about missing your train; or face the pain of losing a recently purchased ticket stub. With mobile train tickets, passengers just whip out their phones, and present the appropriate QR code.
By Thibault Serlet, Partner at Key State Capital
As anyone who has ridden a train in the past decade knows, mobile train tickets are the future.
What most passengers do not see is that these new ticketing technologies have created significant new burdens for the passenger rail industry. Mobile train tickets have enabled new scams which cost the industry billions; expose passenger data to breaches; and open up rail companies to significant legal liabilities.
Mobile train tickets are an intermediate step in the evolution of passenger ticketing, not the end point. The problems caused by mobile ticketing will be solved when the market fully adopts decentralised digital identity. Until then, those problems will keep escalating.
A New Age of Fraud
Mobile ticketing has enabled a wide variety of new schemes to defraud passenger rail companies. Most of the new schemes are mundane fare evasion tactics. Some are elaborate scams perpetrated by organised crime.
Due to mobile tickets, the scale of ticket fraud has reached unprecedented levels. In 2024, the German government estimated that it lost 1.4 billion EUR due to mobile ticket fraud.
The most common mobile ticket fare evasion schemes take one of two shapes. Either a passenger boards without a ticket and only buys one if they see a controller on the train, or a passenger buys a ticket and refunds it when no controller appears. A single UK fare evader who was caught had bought 4,000 GBP of tickets in the year from 2021 to 2022. He had managed to refund 3,246 GBP of the tickets he had purchased – roughly 80% of the money he had paid for tickets.
In the UK, mobile ticket-enabled fare evasion has become so common that one rail line has put together a full-time forensic team to identify fare evaders. In its first year of operation, that team pursued 53,000 fare evaders, recovering 2.9 million GBP. Alarmingly, the forensic team only recovered a very small part of the total amount of fares avoided.
In certain regions, train ticket scalping is a significant problem. Unlike fare evasion, ticket scalping is often run by sophisticated organised crime groups.
Train ticket scalping is most prevalent in populous countries in Asia, where popular train lines are often completely sold out. China has faced an uphill battle against train ticket scalpers for the past 20 years. Scalping is one of the main reasons why China has been a major early adopter of mobile ticketing systems and passenger digital ID. The problem is not confined to mainland China. Taiwan’s rail system has also struggled with ticket scalping for more than a decade. The problem is so pervasive across Asia that even train tickets in North Korea have been targeted by scalpers.
The online sale of train tickets has given scalpers a significant boost. A cybersecurity expert analysed ticket selling patterns for the train from Singapore to Johor Bahru in Malaysia. He found that tickets on the official website were almost always sold out, and that the only way to get one was to buy it through a shady WhatsApp account. The official ticketing app used a captcha intended to stop bots from buying tickets, but because the app did not use certificate pinning, the captcha could be bypassed. The result was that technologically sophisticated scalpers could easily use bots to buy out and resell tickets on popular routes.
The common response of passenger rail companies to challenges such as scalping is to go from a mobile ticketing system to a digital identity-based system.
Ticket scalping isn’t exclusively a problem in Asia. As a result of the war, many Ukrainian train lines started getting regularly sold out. Organised crime groups immediately seized upon this, and started scalping the tickets. The Ukrainian government responded by blocking all ticket sales except through the official Ukrainian Railways app. Users of the Ukrainian Railways app also need to install a second app – Diia, the Ukrainian government’s digital ID app – to verify their real identity. Now, tickets can only be bought through the app, and they can no longer be bought anonymously.
Data Breaches and Lawsuits
The knee-jerk reaction of passenger rail companies is to combat mobile ticket fraud by collecting and storing significant amounts of information about passengers. Although this may alleviate short-term problems like fare evasion and scalping, it often creates far more serious long-term problems.
Amtrak – the largest passenger rail operator in the United States – would learn this lesson the hard way.
Amtrak’s initial motivation to start collecting large amounts of passenger data had nothing to do with solving problems caused by mobile ticketing apps. Instead, Amtrak wanted to incentivise its passengers to take the train more often and drive less often. Amtrak’s solution was to create an extensive system of Guest Rewards accounts, which passengers could access online. Participating passengers would buy the tickets through the account. The more they rode the train, the more points they would collect. These points could then be used to buy more train tickets or claim other prizes. On paper, the programme seemed like a great idea.
On 16 April 2020, Amtrak announced that there had been unauthorised access to the servers that managed Amtrak’s Guest Rewards accounts. Amtrak assured the public that “no financial data, credit card information or Social Security numbers were compromised.” They offered affected customers 12 months of free credit monitoring and urged them to closely check all of their online accounts. Amtrak claimed that they had immediately revoked the access for attackers within hours, and that little damage had been done.
Then, in May 2024, Amtrak’s Guest Rewards accounts were breached again. This second attack was carried out using credential stuffing. The attackers purchased large numbers of email addresses and passwords on the darknet, leaked from another website which had been breached, and then tried each email and password combination against the Amtrak Guest Rewards login to see which ones worked. Thousands worked. For three days, from 15 May until 18 May 2024, the attackers had complete access to the Amtrak Guest Rewards accounts of thousands of passengers.
Significant amounts of data were stolen from Amtrak customers including names, addresses, travel history, and credit card information. However, the goal of the attackers was not to steal passenger data. An expert told the press that he believed that the goal had been to spend the Amtrak rewards points that passengers had accumulated to buy tickets. The tickets could then be refunded for cash or resold to scalpers.
Amtrak is now facing ongoing class action lawsuits from passengers who were damaged by the two data breaches. As of January 2025, the lawsuits have not yet been resolved.
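The credential stuffing pattern described above has a recognisable signature in login audit logs: one source trying many different accounts with a very high failure rate, and the occasional success marking an account whose reused password was in the leaked set. The following is an added example (not Amtrak’s code or logs, and not the article’s own) that runs a simple detector over a constructed audit log; the line format, the IP addresses and the account names are all made up for the illustration, and the thresholds are assumptions to be tuned per deployment.

```python
"""Credential-stuffing detection over a constructed login-audit log.

Added illustration; not code or logs from any rail operator. Constructed log
line format: "<ISO timestamp> <source-ip> <account> <LOGIN_OK|LOGIN_FAIL>".
"""
from collections import defaultdict

# Constructed sample: one source spraying ten accounts (one reused password
# works), one legitimate user who mistyped once, and one single-account
# brute-force attempt that should NOT trip the stuffing rule.
SAMPLE_LOG = """\
2024-05-15T02:10:01Z 203.0.113.7 user01 LOGIN_FAIL
2024-05-15T02:10:02Z 203.0.113.7 user02 LOGIN_FAIL
2024-05-15T02:10:02Z 203.0.113.7 user03 LOGIN_FAIL
2024-05-15T02:10:03Z 203.0.113.7 user04 LOGIN_FAIL
2024-05-15T02:10:03Z 203.0.113.7 alice LOGIN_OK
2024-05-15T02:10:04Z 203.0.113.7 user06 LOGIN_FAIL
2024-05-15T02:10:04Z 203.0.113.7 user07 LOGIN_FAIL
2024-05-15T02:10:05Z 203.0.113.7 user08 LOGIN_FAIL
2024-05-15T02:10:05Z 203.0.113.7 user09 LOGIN_FAIL
2024-05-15T02:10:06Z 203.0.113.7 user10 LOGIN_FAIL
2024-05-15T02:11:00Z 198.51.100.2 bob LOGIN_FAIL
2024-05-15T02:11:05Z 198.51.100.2 bob LOGIN_OK
2024-05-15T02:12:00Z 192.0.2.9 carol LOGIN_FAIL
2024-05-15T02:12:01Z 192.0.2.9 carol LOGIN_FAIL
2024-05-15T02:12:02Z 192.0.2.9 carol LOGIN_FAIL
2024-05-15T02:12:03Z 192.0.2.9 carol LOGIN_FAIL
2024-05-15T02:12:04Z 192.0.2.9 carol LOGIN_FAIL
2024-05-15T02:12:05Z 192.0.2.9 carol LOGIN_FAIL
"""


def parse_line(line: str):
    """Split one constructed audit line into (timestamp, ip, account, result)."""
    ts, ip, account, result = line.split()
    return ts, ip, account, result


def detect_stuffing(lines, min_accounts: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag source IPs that try many distinct accounts with a high failure rate.

    Returns {ip: {"accounts_tried", "fail_ratio", "compromised"}}. The
    'compromised' list holds accounts where a stuffed credential succeeded,
    which is the set that needs a forced password reset and session
    invalidation. A single-account brute force is left to a separate
    per-account lockout rule. Thresholds are assumptions for the example;
    a production rule would also window by time and exclude shared egress IPs.
    """
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                 "failures": 0, "ok": set()})
    for line in lines:
        if not line.strip():
            continue
        _, ip, account, result = parse_line(line)
        s = stats[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if result == "LOGIN_OK":
            s["ok"].add(account)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(s["accounts"]),
                "fail_ratio": ratio,
                "compromised": sorted(s["ok"]),
            }
    return flagged


def run_sample() -> dict:
    """Run the detector over the constructed log above."""
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(ip, info)
```

The rule keys on breadth (distinct accounts per source) rather than depth (attempts per account), which is what separates stuffing from ordinary brute force; the accounts in the `compromised` list are the ones whose holders reused a password that had already leaked elsewhere, and they are the first thing to reset after a detection.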
The scale of Amtrak’s data breaches pales in comparison to those faced by RailYatri.
RailYatri is India’s largest ticket booking website. In December 2022, an unprotected server allowed hackers to steal the personal data of roughly 30 million passengers. According to cybersecurity vendor Heimdal, “the most damaging aspect of the data breach was the partial credit and debit card payment logs, which included the name on the card, the first four digits of the card number, the card-issuing bank, as well as the expiration date of the card.” The Indian government responded by penalising RailYatri with a fine, although the details and amount paid have not been publicly disclosed.
The theft of passenger data is an alarmingly common problem.
In April 2023, the Dutch National Railway had data stolen for 780,000 customers. A similar attack affected Transport for London in September 2024, where significant amounts of passenger data – including bank details – were leaked.
This problem is not new. As soon as rail providers allow for online booking and provide mobile tickets, these breaches become an issue. Almost immediately after China began offering online ticket sales in 2013, its national ticketing system suffered from a data breach. When data is stored, it is stolen. Likewise, shortly after it upgraded its system to allow easier online booking, Rail Europe was breached in 2018. For three months, hackers had unfettered access to extremely sensitive passenger information.
Many more passenger ticketing systems have not yet been breached, but are sitting on ticking time bombs. Over the last three years, well-meaning researchers have found significant vulnerabilities in the online ticketing systems of France, Germany, and Switzerland. Luckily, these researchers were “white hat” hackers rather than criminals, and reported the vulnerabilities. It is likely that many more ticketing systems have undiscovered vulnerabilities.
Decentralised Identity
One solution that is increasingly being adopted by the industry is decentralised identity.
Key State Capital, a venture capital group which invests in digital identity, recently published a study which found that there are over 400 government-backed decentralised identity initiatives worldwide.
There are two core advantages of decentralised identity.
The first is that the data is stored either on a decentralised database such as a blockchain or is spread among many encrypted devices on the network. The lack of centralised storage means that there are fewer places for attackers to target.
More importantly, many decentralised identity projects use a technology called Zero Knowledge Proof. This technology can completely prevent rail companies from coming into contact with passenger data, eliminating the risk and liability altogether.
Using a Zero Knowledge Proof system, the official or software querying an ID learns only the bare minimum it needs to make its decision, and nothing else about the holder.
Imagine that someone is buying a ticket. There are discounts for students, youths, and people living in a given city. Without Zero Knowledge Proof, the passenger rail company would have the passenger enter all of the data into their computer system. This data would then be stored on their servers, becoming a lucrative target for attackers.
With Zero Knowledge Proof, the passenger could simply present their digital ID. Their digital ID contains information that is either stored locally or somewhere decentralised such as a blockchain. The software of the passenger rail company then asks “yes” and “no” questions about the passenger. Is the passenger a student? Is the passenger under 21? Does the passenger live in the right city? The passenger’s ID automatically answers the questions so the rail company can issue the appropriate ticket.
This system has a huge advantage: it means that rail companies can avoid coming into contact with passenger data. They still have the benefit of accessing the data to answer specific relevant questions, without the risk and cost of storing it. Storing less information means that there is less information to steal. This, in turn, reduces the legal liability incurred by passenger rail companies in the event of a breach.
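The exchange described above, as an added illustration that is not code from the article, from Key State Capital or from any real wallet: the issuer commits to each claim with a salted hash and signs only the hashes, the passenger’s wallet releases a disclosure only for the claims that make the rail company’s answer “yes”, and the rail company checks the signature and maps each question to True or False without ever seeing the name or the claims it did not ask about. The salted-hash disclosure pattern is the one used by SD-JWT; the HMAC standing in for the issuer’s signature, the pre-derived `age_under_21` flag (a real system would use a range proof or an expiring attestation) and all passenger values are assumptions made for the example.

```python
"""Selective disclosure: answering a verifier's yes/no eligibility questions.

Added illustration; not code from the article or from any real wallet.
An HMAC stands in for the issuer's signature, and age is a pre-derived flag
rather than a true zero-knowledge range proof, both assumptions for the demo.
"""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-demo-issuer-key"   # constructed; a real issuer signs with a private key


def _digest(salt: str, name: str, value) -> str:
    # Commitment to one claim. The random salt stops the verifier from
    # brute-forcing small value spaces (city names, booleans) from the digest.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(claims: dict):
    """Issuer (e.g. a government ID app): sign the digests, give the holder the (salt, value) pairs."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = (salt, value)
        digests.append(_digest(salt, name, value))
    payload = json.dumps({"iss": "demo-issuer", "sd": sorted(digests)})
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def answer_questions(disclosures: dict, questions: dict) -> dict:
    """Holder's wallet: release a disclosure only where it makes the answer 'yes'.

    Every claim the verifier did not ask about, and every claim whose value
    would make the answer 'no', stays hidden behind its salted hash.
    """
    released = {}
    for name, expected in questions.items():
        if name in disclosures and disclosures[name][1] == expected:
            released[name] = disclosures[name]
    return released


def verify_answers(credential: dict, released: dict, questions: dict) -> dict:
    """Rail company: check the issuer signature, then answer each question True/False."""
    expected_sig = hmac.new(ISSUER_KEY, credential["payload"].encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, credential["sig"]):
        raise ValueError("credential signature invalid")
    signed_digests = set(json.loads(credential["payload"])["sd"])
    answers = {}
    for name, expected in questions.items():
        disc = released.get(name)
        # Missing, mismatched or tampered disclosure simply means 'no':
        # no discount is granted, and no underlying value is ever stored.
        answers[name] = (
            disc is not None
            and disc[1] == expected
            and _digest(disc[0], name, disc[1]) in signed_digests
        )
    return answers


def demo() -> dict:
    """Constructed passenger: a student over 21 living in Birmingham."""
    claims = {
        "is_student": True,
        "age_under_21": False,
        "home_city": "Birmingham",
        "full_name": "A. Passenger",   # never asked for, so never disclosed
    }
    credential, disclosures = issue_credential(claims)
    questions = {"is_student": True, "age_under_21": True, "home_city": "Birmingham"}
    released = answer_questions(disclosures, questions)
    return verify_answers(credential, released, questions)


if __name__ == "__main__":
    print(demo())   # {'is_student': True, 'age_under_21': False, 'home_city': True}
```

The point to notice is what the rail company ends up holding after the exchange: three booleans and a signature over opaque hashes. There is no name, no date of birth and no address on its side to be breached, which is the liability reduction the paragraph above describes. A tampered disclosure (changing a value without the issuer’s salt-and-signature backing it) fails the digest check and is treated the same as no disclosure at all.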
Conclusion
Decentralised identity for train tickets is coming.
Researchers from the University of Birmingham are now urging British passenger rail providers to adopt a blockchain ticketing system:
“Ticket providers can sell and validate tokenised tickets on the blockchain, ensuring universal accessibility across all providers. The integration of ontology allows providers to capture and share contextual information about the transport network, enabling providers to offer comprehensive data about routes, schedules, and availability, thereby streamlining the ticketing process.”
In January 2025, Indian Railways began issuing tickets which used NFT technology to pilgrims. Digital ID giant Yoti has started similar trials in Northern Ireland. Russia and China are increasingly adopting biometric payments for their passenger rail.
Passenger rail faces a hard choice. Mobile ticketing has caused a lot of problems. The old solution of storing large amounts of customer data is no longer viable. In the long term, the market will likely gravitate towards decentralised ID. If it doesn’t, some other similar solution will come about. One thing is clear: the current state of affairs is untenable in the long run.