IRCTC to do a security audit of its ticketing system

Written By Binoo Nair | Updated: Jun 28, 2015, 07:55 AM IST

Lakhs of passengers who log on to the Indian Railway Catering and Tourism Corporation (IRCTC) website every day to reserve train tickets have something to cheer about.

The IRCTC has decided to ramp up its e-ticketing operations by hiring the services of Standardisation Testing and Quality Certification (STQC) for a security audit of its next generation e-ticketing system (NGET). The STQC is an entity attached to the Centre's department of electronics and information technology.

"A security audit will help IRCTC ensure that vulnerabilities, if any, in its e-ticketing system are detected and addressed and the web application and IT Infrastructure devices are free from any glitches," said Sandip Dutta, manager, public relations, IRCTC.

The NGET, officials claimed, is a revamped interface of the website with user-friendly features, such as fast login and a better ticket-booking environment.

The plan for a security audit, railway officials said, is the need of the hour. dna has run a series of articles on a touting racket — possibly the biggest in the country — where people used 'speed software' to corner tickets on the website. The scam, which came to light after several arrests last September, had shown the extent to which those arrested had been toying with the website. Railways retrieved 4,782 tickets worth over Rs2 crore as part of the scam.

Investigations by Central Railway's commercial department and the Railway Protection Force into the scam showed that touts were using the software to circumvent IRCTC's 'captcha' (acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart), a process used in computing to determine whether the user is human or not. They even knew the intervals after which the IRCTC system accepted a ticket request.

"This made the system strengthening immaterial for the touts, allowing them to theoretically fill in up to 128 tickets per minute from a single computer. Using a high-speed data connection and 10 computers, these touts built up a capacity of generating 10 times that number in a single minute. It is mind-boggling the way the system was being subverted," said a senior railway official.

IRCTC has around 3 crore registered users and the number is increasing by more than 15,000 new registrations a day.

Aadhaar on IRCTC soon?
In a press statement, IRCTC said it was planning to make Aadhaar card mandatory for its user registration process for e-ticketing. This will ensure that users registering on the website are properly identified through the Aadhaar card number verification, the statement said. Currently, the new user registration is done through verification of the customer's phone number and e-mail ID by sending the user an OTP (one-time password).

dna reports on the scam
October 6, 2014: Key IRCTC officer under scanner in ticket touting scam
October 9, 2014: Mirror websites of IRCTC help corner tickets
October 11, 2014: Touts knew ins and outs of IRCTC system
October 21, 2014: Country's largest touting scam loses pace