
Touts knew the ins and outs of IRCTC system


Investigations into the multi-crore railway ticket speed software scam, possibly the biggest in the railways, have now revealed the extent to which the online booking system of the IRCTC was compromised.
Investigators have found out that the arrested touts, who were using automation software to speed up bookings on the site, even knew minor details of the timings of the IRCTC software and also methods of bypassing some important processes.

What is captcha?
According to sources, one of the big security features that the IRCTC introduced in its system was that of 'captcha', a computer program or system intended to distinguish human from machine input, typically as a way of thwarting spam and automated extraction of data from websites.

How was it captured?
Investigators believe a bug was left when the captcha process was introduced in the IRCTC system. This allowed these touts to use software to circumvent it and fill up the captcha with a delay of less than 10 seconds.
"This made the IRCTC's system strengthening immaterial for these touts. It allowed the touts to theoretically fill in up to 128 tickets per minute from a single computer. Using a high-speed data connection and 10 computers, these touts built up a capacity of generating ten times that number in a single minute. It is mind-boggling how the system was subverted," said a senior railway official.

How did the touts get it right?
Those who developed the software to subvert the online booking system also knew the minute time intervals after which a second request can be sent from a computer. "These are details known only to those very closely linked with making the IRCTC software. The fact that these touts knew these minute time gaps is very disturbing," the official said.

How did it all unravel?
Almost two months ago, the CR's commercial and vigilance department got information that such software was being used. Having bought it by using a decoy, the officials realised the damage it could do to bona fide passengers trying to book a ticket on the IRCTC portal. The software allowed the touts to generate email ids and accounts for the IRCTC website.
This software, however, died out after the IRCTC upgraded its system and introduced the captcha process, among others. However, as these officials realised, the new software found with the arrested touts had the wherewithal to disable IRCTC's captcha process.

What is the extent of the damage?
The railways has so far retrieved 4,782 tickets worth over Rs 2 crore as part of the touting scam. The only silver lining was that the IRCTC system has not been hacked into. Though the IRCTC system was not breached, a discrepancy in it does allow logging in over multiple links originating from one computer but masked by fictitious IP addresses. "This was an automation procedure rather than hacking," said the official.

What is the story so far?
On September 24, CR's commercial department managed to arrest father-son duo Rajendra and Mahesh Bafna from Govandi. Their interrogation revealed the names of Virar-based Kalpesh Shah and Guru Patel from Dharavi. They allegedly spilled the beans on software developer Kulbir Singh from Ahmedabad. The arrest of Singh from Dahanu on September 28 brought the RPF to the business end of the scam. At least 12 people have been arrested so far. A high-ranking IRCTC official too is under the scanner.
