The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Barcoding Tickets

I developed a Ticketing Software for a department using VB.NET 2003 and MS Access. I want to keep track of genuine tickets so that no fake tickets get entry. For this barcoding is the solution, and I talked to a local barcode service provider about it. They suggested one of their software packages that can be integrated with VB.NET and can produce a barcode of any text passed into it. For this I want to know what unique text to pass that can be later identified as a genuine ticket.

Alternatively, suggest any other way to do this.
K
Saturday, December 23, 2006
 
 
I would use some sort of encrypted identifier, maybe an encrypted serial number. When your software decodes that information, it can tell genuine tickets from faked ones as only genuine tickets give the mentioned identifier/serial number.
JK
Saturday, December 23, 2006
 
 
Encryption doesn't help here, a copy of the barcode is still indistinguishable from the original.  The best you can do is check against a database to prevent the same serial number from being used more than once, and rely on other techniques to distinguish a genuine ticket from a copy.
Joe
Saturday, December 23, 2006
 
 
+1 Joe.

Anything that can be copied perfectly won't help you to distinguish the genuine copy, and that includes barcodes.

You need something like COA (certificate of authenticity) to help with this issue.  This might have to do with how they print the actual physical material... no idea the details.
Yin-So Chen
Sunday, December 24, 2006
 
 
K,

As others have noted your problem isn't as simple as you might think.

Bar coding is not "the" solution - as in "the correct solution."  It is a technology that allows faster and more accurate reading of data.  Nothing more, and nothing less. It won't make it impossible to forge tickets.

Some questions:

- Where are the tickets printed?  On your printers, or can the purchaser print them out on their own home printer?

If you are printing them, you could incorporate design elements into the paper on which the tickets are printed that will be difficult to duplicate.  This is similar to what is done when money and checks are printed by the manufacturers: something difficult or impossible to reproduce by copying is incorporated into the original print so it's easy to spot a forgery.

- What will be the circumstances when the tickets are presented?  Will the ticket-takers be able to ask for ID to prove the person on the ticket is who s/he says s/he is, or will there be the opportunity to ask for the answer to a question asked when the ticket was purchased?

This will give the ticket-taker the opportunity to cross-check the ticket handed to them against something that only an original purchaser would have known, so you require proof from the purchaser that they indeed purchased the ticket and it was not a copy.

I can print an airline boarding pass or theater ticket at home because I will have to present identification when I "redeem" it.  It is the cross-check of an element not present on the printed ticket that makes the method secure and relatively forgery-proof.
Karl Perry
Sunday, December 24, 2006
 
 
Will the following solution work:

(1) When the ticket is issued, the name of the tourist, date/time stamp of issue and the date of visit gets encrypted and converted to a Radix4 format. This string also gets printed somewhere on the ticket.

(2) Even if someone copies the string on his ticket or a fake ticket, this string when decrypted will reveal the date/time issue and date of visit on the computer that is used to verify the tickets.
K
Monday, December 25, 2006
 
 
"Will the following solution work:"

...

And then what?

Will you only allow the first ticket with a matching issue date/time and visit date?  What happens if the first matching ticket presented happens to be a forgery, and subsequently the genuine ticket holder appears?  You've already let in the forger.

You need a means of positively identifying the ticket holder as the legitimate purchaser of the ticket he or she is holding.  To do this I think you will need something external to the information printed on the ticket - a drivers license, typing in the purchaser's last name on a kiosk keyboard at redemption, etc. - that can identify the information on the ticket with the purchaser.

At the moment I can't think of anything you could encode or encrypt into a single piece of paper that can't be faked.
Karl Perry
Monday, December 25, 2006
 
 
You can get ticket stock with magnetic strips underneath. Just encode some verification on that... it's unlikely a ticket forger would have a ticket printer for the same kind of stock, AND a magnetic reader.
John
Monday, December 25, 2006
 
 
I'd take some time to read these 2 books:
http://www.schneier.com/book-sandl.html 
http://www.schneier.com/book-beyondfear.html 

Then, I'd sit down and try to figure out who my "opponents" and "enemies" are, the ones who will try to defeat the ticket system. If you let people print them at home, then you've got to worry about people figuring out your scheme and printing up new ones. If you mail them to people, you'll get to worry about anti-counterfeiting measures, like checks and currency.

Many concerts use the "first valid copy gets in" approach, so a counterfeit that gets in first beats out a "real" ticket (for various values of real). Those are like self-cancelling, single use passwords - use them once and they are no longer valid. What do they do when multiple people present identical tickets? Why not ask a few for suggestions on how to make it harder.

The trouble with the antisecurity misfeature on airline tickets is that there was? is? no crosscheck at the security screening, so someone who printed out a ticket at home with the dreaded SSSS (this means you get to spend a couple extra hours while insecurity stooges strip search you physically and mentally) could print out a spare without the SSSS, use the spare to get past security screening, then use the "real" ticket at the boarding gate.
Peter
Tuesday, December 26, 2006
 
 
Of course you need to think about how much security you need -- risk-vs-cost analysis type stuff.

What comes to mind though (drawing on other posts) is to print a bar code that contains some unique identifier (e.g. row and seat number) and a cryptographic hash of it.  When the bar code is scanned the software displays the unique identifier (verified by the hash) for the ticket-taker to compare against what's printed in plaintext on the ticket.  The software would also mark that the ticket has been used in a database so if someone comes along with a second, identical ticket it will get flagged as counterfeit.

Why the cryptographic hash?  This is to try to make sure that the only way to make a counterfeit copy of the ticket is to get your hands on the original.  Thus you can feel justified in letting in the first copy which may be, in actuality, the counterfeit one since the holder of the original must have been in collusion.  (Though a guy could still make 20 copies and sell them on the street corner to hapless chumps who don't realize they're counterfeits.)

(This isn't the most cryptographically secure scheme considering the text being hashed is probably quite short and available in plaintext, but it's probably good enough, especially if you change the key to the hashing algorithm for every event.)

Tuesday, December 26, 2006
 
 
"What comes to mind though (drawing on other posts) is to print a bar code that contains some unique identifier (e.g. row and seat number) and a cryptographic hash of it.  When the bar code is scanned the software displays the unique identifier (verified by the hash) for the ticket-taker to compare against what's printed in plaintext on the ticket.  The software would also mark that the ticket has been used in a database so if someone comes along with a second, identical ticket it will get flagged as counterfeit."

What will get flagged as counterfeit?  If the two tickets are identical, there is no distinguishing the two.  The first ticket might be the counterfeit, the second might be, both might be, or neither.  That last case happens when you scan the valid ticket twice.  This could happen if the first scan apparently does not work.

Sincerely,

Gene Wirchenko
Gene Wirchenko
Wednesday, December 27, 2006
 
 
"What will get flagged as counterfeit?"
The second one.  The concept is that you bought one ticket, you get to use one ticket--whether it's the original or the copy.  As I said, if you buy tickets from a scalper who's made lots of copies you lose out, but that's kind of unavoidable.  (The only precaution here is to include hard-to-reproduce features AND make sure everyone knows about them--they're not there so you can spot them, they're for the buyer to spot.)

There is a small possibility of legitimately scanning a ticket twice--this can be reduced with good audio and visual feedback that a ticket has been scanned.  You can also allow the ticket-takers a degree of free will.  "I know I just scanned it twice, so you can go in."

The other problem is re-entry.  You could set up a scheme where the ticket is scanned when someone leaves, marking it as unused again, or you could just ban re-entry.  (But beware: this last option isn't very popular with smokers at non-smoking venues.)

Thursday, December 28, 2006
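
The scheme from the two posts above (identifier plus keyed hash in the barcode, a used-ticket record, and scan-out for re-entry), as an added example that is not code from the thread. It assumes HMAC-SHA256 as the keyed hash and an in-memory set in place of the database; `EventGate` and its method names are hypothetical, and it is written in Python rather than the VB.NET of the original question.

```python
import base64
import hashlib
import hmac
import secrets


class EventGate:
    """Issues and checks tickets for one event (hypothetical helper)."""

    def __init__(self, event_key=None):
        # A fresh secret per event; it stays on the issuing/verifying machines.
        self.key = event_key or secrets.token_bytes(32)
        self.used = set()  # stands in for the "ticket used" database table

    def _tag(self, ticket_id):
        mac = hmac.new(self.key, ticket_id.encode(), hashlib.sha256).digest()
        return base64.b32encode(mac[:10]).decode()  # 80 bits -> 16 characters

    def issue(self, ticket_id):
        """Return the text to pass to the barcode generator."""
        if not ticket_id or "|" in ticket_id:
            raise ValueError("ticket id must be non-empty and contain no '|'")
        return f"{ticket_id}|{self._tag(ticket_id)}"

    def _verified_id(self, barcode_text):
        """Return the ticket id if the tag matches, otherwise None."""
        ticket_id, sep, tag = barcode_text.rpartition("|")
        if not sep or not hmac.compare_digest(tag.encode(), self._tag(ticket_id).encode()):
            return None
        return ticket_id

    def scan_in(self, barcode_text):
        """Return (status, ticket_id) for the ticket-taker's screen."""
        ticket_id = self._verified_id(barcode_text)
        if ticket_id is None:
            return ("INVALID", None)            # never issued, or altered
        if ticket_id in self.used:
            return ("ALREADY_USED", ticket_id)  # a copy, or a double scan
        self.used.add(ticket_id)
        return ("OK", ticket_id)  # compare the id with the seat printed on the ticket

    def scan_out(self, barcode_text):
        """Re-entry: mark a valid ticket unused again when its holder leaves."""
        ticket_id = self._verified_id(barcode_text)
        if ticket_id is None:
            return False
        self.used.discard(ticket_id)
        return True
```

`ALREADY_USED` only says the identifier was seen before; as the thread notes, it cannot say which of two identical tickets is the copy.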
 
 
I would suggest throwing in parameters that include the person's date of birth, sex, first name and last names, place of birth and then encrypting it. (Add more personal detail parameters as desired).
Ezani
Tuesday, January 16, 2007
 
 

This topic is archived. No further replies will be accepted.
