Illegal ticket stores: More cases of fraud with Deutschlandtickets uncovered

Illegal Telegram stores offer fake Deutschlandtickets: An analysis of almost 1200 tickets from various transport associations points to "triangular fraud".


Numerous illegal ticket stores on Telegram offer Deutschlandtickets.

(Image: Firn/Shutterstock.com / Bearbeitung heise online)


The Rhein-Main-Verkehrsverbund (RMV) recently restricted payment methods due to increasing cases of fraud with the Deutschlandticket. In particular, direct debit and credit card were deactivated as payment options in the RMVgo app for new customers, as reported by the FAZ. RMV took these measures after noticing that there had been a “very high number of automated fraud attempts”. According to the FAZ, RMV had already incurred losses of around one million euros at the beginning of last year as a result of such fraud. Across all transport associations, the lost revenue is likely to be in the three-digit million range.

The scam, also known as “triangular fraud”, works as follows in the case of Deutschlandtickets: Fraudsters offer these tickets at low prices on dubious platforms. Prospective buyers submit their details, while the fraudsters use stolen third-party bank details to purchase genuine tickets from a transport association and pass them on to the buyers. If the legitimate account holders or cardholders notice the unauthorized debits and cancel the tickets, the tickets become invalid. This often happens so late that the buyers can travel undisturbed with the Deutschlandticket, which remains valid until then. Otherwise, they are suddenly left without a valid ticket.

During our research, we came across several illegal stores that offer Deutschlandtickets via Telegram (bots) for between 5 and 30 euros, typically in Russian. One operator of such a channel gives potential customers explicit tips: “For your safety and mine, always buy tickets with a small mistake in the name”. He also explains why only Deutschlandtickets and no ICE tickets are offered: the “current methods could cause damage to third parties. This could lead to legal consequences and I want to avoid inconveniencing anyone, including myself”. With explanations like this, it should be clear to buyers that these are illegal offers, quite apart from the fact that there are no official sales channels for Deutschlandtickets on Telegram under names such as “DB Ticket Store” or “D-Ticket Manager”.

While investigating such fraudulent ticket stores, Q Misell from the Max Planck Institute for Informatics and others also discovered the website dticket.online. This turned out to be one of the sources of payment data fraud at the expense of the Rhein-Main-Verkehrsverbund and other transport companies. Due to vulnerabilities in the system (such as the use of Django in debug mode in the production environment), the security experts were able to retrieve and analyze almost 1200 of the tickets stored in the “ticket portal” there. There was no active purchase function on dticket.online at the time of the research: the order button led back to the website. In an archived version of the website, however, there was a link to a Telegram channel.

The website dticket.online offers Deutschlandtickets, but you cannot currently buy them there. In an older version from December 31, 2024, the order button links to the Telegram channel @deutschland_ticket_flugtickets, accompanied by the following Russian text:
"Здравствуйте, выберите способ оплаты:
  • Украинская карта
  • Перевод по IBAN
  • PayPal
  • Криптовалюта"
(In English: "Hello, please choose a payment method: Ukrainian card, transfer by IBAN, PayPal, cryptocurrency".)

heise online examined the barcodes of some of these tickets as examples. The website Train Tickets to Wallet Passes by Q Misell and the Android app protraQ are suitable for this purpose.

It turned out that the tickets examined complied with the VDV-KA ticket standard (Verband Deutscher Verkehrsunternehmen – Kern-Applikation). To prevent fraud and counterfeiting, the security system of the transport companies in the VDV is based on three pillars: central key management by the VDV eTicket Service, special secure access modules for ticket signing and a central, tamper-proof recording of all tickets issued.

The illegal ticket store dticket.su, on the other hand, had issued Deutschlandtickets in accordance with the UIC standard (Union internationale des chemins de fer). With this procedure, each company registered with the German fare network is currently responsible for generating the key pairs for signing the tickets, as well as for reporting the Deutschlandtickets sold. Anyone who gains access to a valid private key can generate any number of Deutschlandtickets, unlike with VDV-KA.

However, even if VDV-KA offers a higher level of security than the Deutschlandtickets currently issued using UIC, it is no more immune to payment data fraud.

One of the tickets from the illegal ticket portal dticket.online. Striking: Here, too, there is Russian text: "Скачать билет можно только один раз" (in English: "The ticket can only be downloaded once").

A detailed analysis by Q Misell & Co. of almost 1,200 VDV tickets from the fraudulent portal dticket.online showed that a large number of different transport companies are victims of triangular fraud. These include Deutsche Bahn AG, Rhein-Main-Verkehrsverbund GmbH, WSW mobil GmbH and others. However, RMV was particularly frequently affected (797 out of 1184 tickets since August 2024), with an upward trend until January 2025.

According to Q Misell, it is particularly noticeable that the tickets issued by RMV all have a payment type code that indicates SEPA direct debit. This payment method makes it relatively easy to collect money from other people's accounts, as only the account details and the consent of the account holder (which fraudsters can simply click to confirm) are required. However, account holders can also easily reverse such direct debits if they notice them. This could explain RMV's decision to stop accepting new orders by SEPA direct debit. The decision to also disable credit card payments may have been taken as a precautionary measure, although credit card payments are validated in real time. RMV plans to re-enable the payment methods gradually depending on the level of fraud, writes the “Allgemeine Zeitung” from Mainz.

The real problem behind triangular fraud does not lie in the UIC or VDV-KA ticket standards themselves, but in the large number of individually designed ticket stores of the various transport companies. Each has its own approach to the technical implementation of the payment process, which increases the likelihood that fraudsters will come across stores that are negligent in validating payment information and are therefore suitable for fraud. The SEPA direct debit scheme in particular is difficult to secure, as there is no second factor of the kind known from credit cards in the form of “3D Secure”. There are basically two common options for direct debits. The first is a Schufa query that compares bank details and identity; however, this only works if the fraudsters have not also captured the address data. The second is a comparison directly in the bank account using an account information service (KID) approved by the Federal Financial Supervisory Authority (BaFin) such as Tink, as practiced by Deutsche Bahn. This involves logging into the bank account with your access data via the KID, which compares your name and IBAN, sends the merchant a yes or no and then deletes the data again.
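A merchant-side screen for new SEPA direct-debit orders along the lines described above, as an added example (not code from RMV, Deutsche Bahn or Tink). It checks the IBAN checksum, requires the yes/no result of the account check, and holds orders when one account pays for many different ticket holders; the order fields, the `account_check` flag and the threshold are assumptions, and the sample orders are constructed.

```python
import re
from collections import defaultdict

MAX_PASSENGERS_PER_IBAN = 3  # assumed threshold; tune against real household patterns

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. Catches typos and made-up numbers, not stolen IBANs."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                      # country code and check digits go last
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def norm(name: str) -> str:
    return " ".join(re.sub(r"[^\w ]", "", name.casefold()).split())

class MandateScreen:
    """Collects reasons to reject or hold a new SEPA direct-debit order."""
    def __init__(self):
        self.passengers = defaultdict(set)          # IBAN -> distinct ticket-holder names
    def review(self, order: dict) -> list:
        if not iban_checksum_ok(order["iban"]):
            return ["reject:iban_checksum"]
        iban = re.sub(r"\s+", "", order["iban"]).upper()
        reasons = []
        # Yes/no answer from the account information service (name and IBAN match).
        if not order.get("account_check", False):
            reasons.append("hold:account_not_verified")
        names = self.passengers[iban]
        names.add(norm(order["passenger"]))
        # One account paying for many unrelated ticket holders fits triangular fraud.
        if len(names) > MAX_PASSENGERS_PER_IBAN:
            reasons.append("hold:many_passengers_one_account")
        return reasons

# Constructed sample orders; the IBAN is the widely used documentation example.
IBAN = "DE89 3704 0044 0532 0130 00"
SAMPLE_ORDERS = [
    {"iban": IBAN, "passenger": "Erika Mustermann", "account_check": True},
    {"iban": IBAN, "passenger": "erika  mustermann", "account_check": True},
    {"iban": IBAN, "passenger": "Max Beispiel", "account_check": True},
    {"iban": IBAN, "passenger": "Anna Test", "account_check": True},
    {"iban": IBAN, "passenger": "Jon Probe", "account_check": False},
    {"iban": "DE89 3704 0044 0532 0130 01", "passenger": "Eva Muster", "account_check": True},
]

def demo() -> list:
    screen = MandateScreen()
    return [screen.review(o) for o in SAMPLE_ORDERS]
```

A hold is a reason for manual review rather than a verdict: households legitimately pay for several tickets from one account, which is why the threshold is a tunable assumption.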

According to the Allgemeine Zeitung, customers have had to verify their account details via Tink, the payment services platform provided by Visa, when setting up a new SEPA direct debit since last year, yet cases of fraud continue to occur. Deutsche Bahn had already required account confirmation for direct debit subscriptions via Tink or Verimi at the end of 2023.

If you want to buy a Deutschlandticket, you should stick to the official ticket stores (see tariff conditions of the Deutschlandtarif, p. 20) and buy from your local transport company or Deutsche Bahn. Otherwise, you run the risk of your ticket suddenly being blocked and of being taken out of circulation as a fare dodger, if you receive a ticket at all. If you entrust your account or credit card details to an illegal ticket store, you also run the risk of the data being misused or offered for sale on the darknet.

Anyone whose bank details have been misused for triangular fraud can usually get a refund via their bank. In the case of unauthorized direct debits without direct debit authorization, you can have a direct debit reversed for up to 13 months. However, you should always contact the transport company and report the incident to them. Otherwise, the companies will routinely initiate dunning proceedings and then debt collection. If you need to block online banking or credit cards, you can contact your bank via chat or telephone and, outside service hours, the nationwide 116 116 blocking hotline.

(vza)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.