Actions on Ticketing Issues raised by Citizens

Multiple submissions with issues and solutions have been received via the Make Railways Better circle on making the IRCTC site more robust and fixing gaps that are misused by agents/touts.

We are pleased to share that IRCTC has taken a slew of measures for booking tickets online through its website to facilitate hassle-free booking by genuine ticket seekers.

It is now not possible to book a ticket online before a mandatory 35-second wait, which has been introduced to prevent faster booking by unscrupulous elements using any other means. Although it takes a minimum of about 35 seconds to fill the form and complete the online bank transaction, there were cases of faster bookings by touts using certain automated software, thereby depriving genuine passengers.

Certain security measures have been taken to prevent manipulation of the ticketing site and at the same time the site has been upgraded with a substantial investment to enable the system to book 15,000 tickets per minute.

Below are additional details about the various measures implemented:

Next Generation e-Ticketing System (NGeT):

Due to increased demand for e-ticketing and capacity constraints, there were problems in the ticket booking process and complaints of website slowness and non-availability. The Next Generation e-Ticketing System (NGeT) was launched on 28/04/2014 to handle increased ticket booking. The capacity was increased from 2000 tickets in a minute to 7200 tickets in a minute. The capacity of NGeT was further increased to 15000 tickets in a minute in 2015 to book tickets fast and easily. E-tickets may be booked easily and faster through the website, and the IRCTC website is able to handle 15000 tickets per minute at present. The concurrent user connections were increased from 40,000 to 1,20,000 in NGeT, which has further been increased to 3,00,000 before the Diwali rush. The enquiries in NGeT have also been increased from 1000 per second to 3000 per second. Capacity in NGeT was increased this year by doubling the servers in the integration layer and adding storage space.

Scripting:

A scripting or script language is a programming language that supports scripts, programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. Scripting technology is also useful to automate the process of filling in data in web pages at the client end. Scripting is available in Google Chrome, Mozilla and other browsers.

CAPTCHA:

CAPTCHA Tells Humans and Computers Apart Automatically. A CAPTCHA is a program that protects websites against attacks that generate multiple automatic requests using scripting technology or other computer programs. In general, a CAPTCHA is used to prevent abuse by automated scripts.

Scripting on IRCTC website:

The demand for Tatkal and ARP (Advance Reservation Period) tickets is increasing day by day, hence the use of scripting technology is also increasing on the IRCTC website's client-end web pages for filling up the various forms used during the ticket booking process for faster booking. These scripting technologies and tools are being used by programmers to develop software like Black TS etc. for faster filling of the forms used during the ticket booking process. The parameters at the client end of any website can easily be seen by programmers and may be used for scripting. The scripting tools and technology are available online, and the Google Chrome and Mozilla browsers support scripting. Scripting software for input at the client end may be developed easily for any website. Since scripting at the client end cannot be stopped, the impact of the use of scripting technology has been negated by various checks in the form of Captcha, time delay and other server-side checks. Banks have also implemented OTP in net banking to control automated booking using scripting software/tools.

Checks implemented on the IRCTC website to stop misuse of the Internet ticket booking facility through the use of automated software:

Registration:

CAPTCHA is implemented on the IRCTC website at the Registration page to stop automated registrations.

Single email, single registration is also implemented on the website to stop multiple registrations on one individual email ID. A verification link is sent to the email ID for verification.

Single mobile, single registration is also implemented on the website to stop multiple registrations on one individual mobile. An OTP (one-time password) is sent to the mobile to verify it.

Booking:

(i) Minimum form filling time check implemented in passenger reservation form.

(ii) Minimum payment time check implemented for payment process.

(iii) Only two Tatkal tickets can be booked per user ID during the opening Tatkal hours, i.e. 10-12 hours.

(iv) A maximum of 10 tickets in a month can be booked on a user ID.

(v) One user can have only one login at any point in time.

(vi) Only one Tatkal ticket in single session (except return journey).

(vii) Only two opening Tatkal tickets per IP address.

(viii) OTP (One time password) is implemented in net banking payment options.

(ix) Captcha is implemented at login, Reservation Form page and Payment page.
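
How checks (i), (iii), (vi) and (vii) can be enforced on the server rather than in the browser, as an added illustration that is not IRCTC's code: the form-render time is HMAC-signed, so a script cannot backdate it, and each signed form is accepted once. The 20-second threshold, the key and all function and class names are assumptions; the two-ticket limits are the ones listed above.

```python
import hashlib
import hmac
import time
from collections import Counter

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client
MIN_FILL_SECONDS = 20             # assumption: the page gives no per-form threshold
MAX_TATKAL_PER_USER = 2           # from the page: two opening Tatkal tickets per user ID
MAX_TATKAL_PER_IP = 2             # from the page: two opening Tatkal tickets per IP address

def _mac(session_id, issued_at):
    msg = f"{session_id}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_form_token(session_id, now=None):
    """Called when the reservation form is rendered; binds render time to the session."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(session_id, issued_at)}"

class BookingGate:
    def __init__(self):
        self.by_user, self.by_ip, self.used = Counter(), Counter(), set()

    def check(self, user_id, ip, session_id, token, now=None):
        """Return (allowed, reason); state changes only when a booking is allowed."""
        now = int(time.time() if now is None else now)
        try:
            issued_str, mac = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False, "malformed token"
        expected = _mac(session_id, issued_at)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False, "bad token signature"   # timestamp or session was altered
        if token in self.used:
            return False, "token already used"    # one booking per rendered form
        if now - issued_at < MIN_FILL_SECONDS:
            return False, "form submitted too fast"
        if self.by_user[user_id] >= MAX_TATKAL_PER_USER:
            return False, "user limit reached"
        if self.by_ip[ip] >= MAX_TATKAL_PER_IP:
            return False, "ip limit reached"
        self.used.add(token)
        self.by_user[user_id] += 1
        self.by_ip[ip] += 1
        return True, "ok"
```
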

Time taken in Booking of ticket:

The Next Generation e-Ticketing System (NGeT) is able to handle a load of 15000 tickets in a minute. Hence 250 tickets can be booked concurrently in a second. At best, an individual user can book his ticket in 35 seconds. The time taken for ticket booking depends upon the speed of the internet at the client end, the form-filling speed of the individual and the bank response time. At reservation counters, a ticket can be booked in less than 35 seconds.

To stop misuse of the website, various time checks and Captcha have been implemented as discussed above. With these checks in place, it is not possible to book any opening Tatkal ticket earlier than 35 seconds using any software being sold in the market.

Security measures to control Hacking

Multilayered security with deep defense in the NGeT system:

1. State-of-the-art perimeter security in the data center, comprising front-end and back-end firewalls, a network intrusion prevention system, a Web application firewall, Security Information and Event Management (SIEM), a host intrusion prevention system (HIPS), OS hardening on all servers, Web/App server hardening, database server hardening, and the Spring Security framework in the application software.

2. All best practices for ensuring security in the application software have been followed. All 10 OWASP (Open Web Application Security Project) application software vulnerabilities have been addressed.

3. By dint of these security measures, no hacking attempt has been successful on the NGeT system. All intrusion or Distributed Denial of Service (DDoS) attempts have been thwarted.

Third party audit

Periodic external audits are being conducted. In a recent audit done by STQC (Standardization, Testing and Quality Certification), DeitY, Govt. of India, the auditing agency has certified that the web application is free from OWASP top 10 and any other known vulnerabilities, and is safe for hosting.

A pre-launch source code audit by CERT-In (Computer Emergency Response Team - India), DeitY, Govt. of India, was conducted.

Real-time feed of internet traffic to CERT-In for security alerts:

Packet headers of traffic traversing the internet gateway routers are forwarded in real time to CERT-In for analysis and reporting. In response, CERT-In sends real-time alerts (in case some malicious activity is detected) and weekly reports.

Comments (167):

There are so many preventive measures but they may be user tools of touts like captcha is one of the arm can delay after filling correctly filled also and taking time for filling total data or log-in details.

No doubt about many such good ideas introduced by our govt. But today what another individual conveyed while talking, made me confirm my own thought that the govt is forgetting the plight of masses in many places: Catching big sharks is a very welcome sign, but small fries getting fried more severely must be avoided by finding ways. Assuming what he stated prevails even today, I am submitting this suggestion, (though I always use online booking from time I remember). While the govt is promoting digital world within India, if one goes to the railway counter for ticket booking, only a few or very limited 'counter or counters' accept credit card payments while many counters accept only cash! Is it right? Then what is digital world? When there was a need for +30 tickets for a tour arranged by our company, the people who went to the counters had a lot of trouble as there was a limitation in number of bookings also acceptable per request form, besides needing cash, as credit card counters were limited! If we are capable of becoming digital, can we not find an answer to the question of allowing more tickets during such needs in a single form? I accept, this facility IS BEING MISUSED BY MANY TOUTS, but is that not happening with the full knowledge of some "inside collaborators"? The intentions are without any doubt very good. But if the normal people suffer more, it needs to be understood that they will be very easily brain washed in many ways, enabling the back door operators regain power easily. People even if they understand their mistake, will find it more difficult to change the top, because of various other techniques sure of getting engaged by those people with power in hand. Let the govt itself not dig its own grave in a totally unexpected way please. So let credit cards be accepted in all counters, besides increasing number of tickets per form in genuine cases, with required checks both during booking as well as during actual journey.

1. Use technology such as big data to track the patterns of the touts and check them. 2. Make heavy penalties, criminal cases on the touts can bring some fear. 3. TTC should be given additional tools and powers to check fake tickets and book cases.

Eye-opener incident. Better to provide more general coaches.

What action railway has taken to ensure senior citizen quota, as well preference? Nowadays it has been observed that lower aged persons allotted in lower berth while senior citizen in the same coupe has been allotted middle or upper berth. Railways must monitor this very closely.