Beware of invalid Germany tickets: fare dodgers against their will
Under mysterious circumstances, an online store has sold tickets that are now invalid. Many travelers unknowingly travel without a valid ticket.
(Image: Firn/Shutterstock.com)
There are currently an increasing number of reports of rail passengers who are being removed as fare dodgers when their Deutschlandtickets are checked – even though they have paid for them. The reason is apparently a well-frequented ticket store (D-Ticket.su) that sold the tickets. These are signed with an initially valid crypto key, but this was revoked under mysterious circumstances at the end of January. The affected travelers are therefore unknowingly traveling without a valid ticket.
"At first I was very enthusiastic, no problem for several months. Pro-rata payment and great travel by train. Today the barcode could not be read. I was issued a fare supplement for €60": There are currently plenty of reviews of this kind on the Trustpilot page of the ticket store "D-Ticket". For several days now, ticket inspectors have been declaring the provider's tickets for Germany invalid, turning inexperienced rail passengers into fare dodgers who usually have to pay a fine.
Meanwhile, an alleged employee of the store, who uses the name Maximilian S. on Trustpilot, tries to appease frustrated customers and claims that it is a mistake. Customers should send an email to support to find a solution. However, it is unlikely that the support team will be able to help – because, as our research shows, D-Ticket is apparently a dubious provider that is not allowed to sell tickets at all.
Tickets at special conditions
D-Ticket was considered an insider tip in many places because the store makes an offer that should not even exist: Germany tickets for the current month can be purchased there at a reduced price, and the time that has already expired for the month is deducted proportionately. The ticket is actually only available as a subscription, for 58 euros per calendar month – regardless of how long the month has been running.
The store has been selling Germany tickets for a long time, which have passed the ticket inspection as valid. This is confirmed by numerous positive customer reviews. Anyone wishing to issue such tickets must be a licensed transport company or have a partnership with one. Both appear to be extremely unlikely in the case of D-Tickets.
Videos by heise
The store can be accessed under the top-level domain .su, among others. This is no cause for concern, explained D-Ticket on its Trustpilot page: "The .su extension is historical and was originally intended for the Soviet Union. Today it is used by companies and projects worldwide that are looking for a short, memorable domain. This has no effect on you as a user. Your use remains unchanged. You can continue to use our service as usual – without any restrictions or additional steps." d-ticket.com and de-ticket.com also lead to this store.
However, the legal notice also looks suspicious: the store is allegedly operated by a company called RouteVibe Limited, which was only registered at the end of 2024 and is based in a London backyard. At this address, a service provider offers a virtual office address behind which company owners can hide for the equivalent of 26 euros a year.
The company is registered to a person from Porto Sant'Elpidio in Italy, not far from the Adriatic coast. The run-down building, which is registered as a residential address, was foreclosed in mid-January for around 82,000 euros.
The rail company Metronom provides a further indication that there is something fishy about the store in a post about fake Germany tickets on its blog. D-Ticket.su is cited there as an example of fake stores.
Digital signature leads to Saxony-Anhalt
But how can such a dubious company offer valid Germany tickets? heise online has a ticket that was purchased from D-Ticket at the end of last week. We downloaded it from the store and examined it. Deutschlandtickets are digitally signed and can be easily analyzed using tools such as Train Tickets to Wallet Passes or the Android app protraQ.
Germany tickets are structured according to a specific pattern in which the data is encoded in an Aztec code. This is an optically readable 2D code that resembles a QR code. Among other things, the code contains the validity period, the owner's name and a ticket ID. There is also the RICS number (Railway Interchange Coding System), which stands for the issuer of the ticket.
The digital signature can also be used to trace who issued the ticket or whose private crypto key was used for it. The digital signature is proof of a ticket's validity and is checked by the ticket inspector's reader on the train. Only tickets that have been signed with one of the crypto keys of authorized transport companies are accepted as valid. If you are interested in the details, we recommend the talk What's inside my train ticket? from the 38th Chaos Communication Congress (38C3).
Ticket analysis
Analysis of the Germany ticket from D-Ticket shows that the signature was apparently created using a key from Vetter GmbH Omnibus- und Mietwagenbetrieb from Lutherstadt Wittenberg, a legitimate provider of Germany tickets. The RICS number 5211 stated in the ticket is also assigned to Vetter GmbH, as can be seen from a public list (PDF).
However, Vetter's website does not refer to D-Ticket as the distribution partner for the Deutschlandticket, but to the Munich-based company MoPla Solutions GmbH, which offers the tickets via its mo.pla app, among other things.
We came across a screenshot of the mo.pla app in the Play Store, which shows an example of the Aztec code of a Germany ticket. This appears to be a real ticket from the previous year, issued in the name of a company employee. It was signed with the same cryptographic key as the ticket from the online store in question, D-Ticket.
Vetter key declared invalid after misuse
The key pair used by D-Ticket bears the identifier 521100001.pem (RICS 5211, Key-ID 1) and was recently declared invalid because it was allegedly used to sign a large number of invalid tickets that were sold in fake stores, as information available to heise online shows. Since then, signed Germany tickets have been considered invalid and passengers traveling with them have been banned. It has been replaced by a new key pair called 521100002.pem (RICS 5211, Key-ID 2).
It is therefore suspected that one of the digital crypto keys used to sign Germany tickets was used without authorization or even fell into the hands of dubious ticket providers who used it to make a fortune. This went well for a while and even the customers were satisfied, as they were actually able to use their tickets – at a reduced price and without any obligation to subscribe.
60 euro fine despite ticket
Since the key was revoked, however, this has suddenly come to an end, which has caught many rail passengers off guard: As the Trustpilot reviews show, D-Ticket customers have been caught out as fare dodgers in rows for several days and have to pay a fine of 60 euros. In Germany, driving without a valid ticket can constitute a criminal offense under §265a StGB (fraudulent concealment of benefits) from the first offense.
heise online asked Vetter GmbH for a statement in advance, as there is every indication that D-Ticket sold tickets signed with a Vetter crypto key. Vetter confirmed that the key had been exchanged: "We have been implementing a new security concept since this year and regularly exchange the keys. As part of this, we have switched from 521100001.pem to 521100002.pem. If necessary, we will repeat this at shorter intervals."
Vetter denies this
However, the transport company does not want to have anything to do with the tickets from D-Ticket: "We regularly buy test tickets from various fake stores for verification purposes. We bought several tickets on the d-ticket.su website for testing purposes. These were all VDV tickets that have nothing to do with us." VDV stands for the Association of German Transport Companies.
The company does not say when Vetter carried out the test purchases. According to our observations, a Vetter key was used at D-Ticket at least at the end of last week, and the store may also have offered tickets with the digital signatures of other transport companies in advance. It remains unclear how D-Ticket was able to issue tickets in the names of its customers and provide them with a digital signature.
No ticket replenishment
Since the key became invalid, D-Ticket no longer seems to be able to sell Deutschlandtickets. Several purchase attempts by heise online failed with an error message, and other customers also report that it is no longer possible to purchase tickets from D-Ticket.
On Trustpilot, the provider is now asking its customers to check their payment details and contact support to resolve the problem. Our attempt to contact them by email only resulted in an automated reply in which D-Ticket asked us to describe the problem in more detail.
Many heise-investigativ investigations are only possible thanks to anonymous information from whistleblowers.
If you have knowledge of a grievance that the public should know about, you can send us information and material. Please use our anonymous and secure mailbox.
What to do now
There are many indications that D-Ticket is dealing with a fraudulent offer. Anyone who has purchased Deutschlandtickets in the store should try to get the money back via the payment service provider, the credit card company or the bank. If a credit card was used, it should be blocked to be on the safe side, as it cannot be ruled out that the website operators have stored the credit card details.
Those affected should also check account statements, credit card statements and so on carefully in future and react immediately in the event of unauthorized debits. Rapid assistance can be obtained, for example, by calling the 116 116 blocking emergency number. However, fare dodgers can only hope for goodwill from the transport companies
Anyone who has purchased a legitimate ticket from Vetter or mo.pla can continue to use it: "We have been signing tickets with the 521100002.pem key since January. Our customers therefore have no problems" and "There are currently no tickets issued by us with the old key 521100001.pem in circulation", Vetter explained to heise online.
If you need a new Deutschlandticket, you can purchase one from your local transport company, online providers such as mo.pla or Deutsche Bahn for 58 euros per subscription. ()
