Free Rides in Denmark: Lessons from Improperly Generated Mobile Transport Tickets

Research output: Conference Article in Proceeding or Book/Report chapterArticle in proceedingsResearchpeer-review


The term security ceremony describes a technical system extended with its human users. In this paper, we examine the inspection ceremony for the mobile transport ticket in Denmark. We find several security weaknesses that are ascribable to both human and computer components of the ceremony. The main vulnerabilities are due to the design choices of how the visual inspection ceremony is organised and the lack of information that is stored into the 2D barcode. These vulnerabilities allow a ticket holder to travel up to 8 zones with a 2-zone subscription and enable several people to travel with the same subscription. The attack is significant as it can be automated, and rather modest skills are necessary to break the inspection ceremony. We state four principles that aim at strengthening the security of inspection ceremonies and propose an alternative ceremony whose design is driven by the stated principles.
Original languageEnglish
Title of host publication22nd Nordic Conference on Secure IT Systems (NordSec)
Publication date2017
ISBN (Electronic)978-3-319-70290-2
Publication statusPublished - 2017
SeriesLecture Notes in Computer Science


  • Security Ceremony
  • Mobile Transport Ticket
  • Inspection Ceremony
  • Security Vulnerabilities
  • 2D Barcode


Dive into the research topics of 'Free Rides in Denmark: Lessons from Improperly Generated Mobile Transport Tickets'. Together they form a unique fingerprint.

Cite this