OREANDA-NEWS. January 21, 2016. In furtherance to strengthen its PRS (Passenger Reservation System), Ministry of Railways has taken various measures on IRCTC website to control ticket booking using automated software. In this regard, a Combined Press Conference was held today i.e. 19.01.2016 by the Indian Railways. The Conference was attended by the apex officials namely CMD, IRCTC Shri Dr. A. K. Manocha, MD, CRIS Shri Sanjaya Das, Executive Director, C&IS Shri U. Hazarika Railway Board and other senior officials from Railway Board.  The various measures which IRCTC and CRIS now takes to control rail ticket booking by using automated software are as follows :

Internet Ticketing:

Internet ticketing on IRCTC website was started in year 2002 with 29 tickets on the first day. This has now increased to more than 13 lakh tickets booked in a single day (achieved on 01/04/2015).

Internet ticketing on IRCTC website has progressively increased over the years and its share in the total reserved tickets has also progressively increased.

Table-A : Year wise Internet tickets booked.

Year wise Tickets Booked(Internet)

Year

Tickets Booked

Ticket Fare (In Rs.)

2010-2011

96911148

80071642602

2011-2012

116177134

94984557141

2012-2013

140688214

124194653792

2013-2014

157981713

154101353840

2014-2015

183021842

205146330319

 

Table-B : Growth of Internet Ticketing over last five years.

 

Table-C:  Continuously increasing Share of Internet ticketing.

Year

% Internet Ticketing Passengers to Total Passengers Travelled

% PRS Passengers to Total Passengers Travelled

2011- 2012

38.54

61.46

2012- 2013

43.21

56.79

2013- 2014

48.73

51.27

2014- 2015

54.52

45.48

 

Next Generation e-Ticketing System (NGeT) :

Due to increased demand of e-ticketing and capacity constraint there were problems in ticket booking process and complaints of website slowness and non availability. The Next generation e-ticketing system(NGeT)  was  launched on 28/04/2014 to handle increased ticket booking. The capacity was increased from 2000 tickets in a minute to 7200 tickets in a minute . The capacity of NGeT was further increased to 15000 tickets in a minute in 2015 to book tickets fast and easily. The e-tickets may be booked easily and faster through website and the IRCTC website is able to handle 15000 tickets per minute at present. The concurrent user connections were increased from 40,000 to 1,20,000 in NGeT,  which has further been increased to 3,00,000 before Diwali rush. The enquiries in NGeT have also been increased from 1000 per second to 3000 per second. Capacity in NGeT was increased this year by doubling the servers in integration layer and adding storage space.

Scripting:

A scripting or script language is a programming language that supports scripts, programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. The scripting technology is also useful to automate the process of filling the data in   web pages at client end. The scripting is available in google chrome, Mozila and other browsers.

CAPTCHA:

CAPTCHA Tells Humans and Computers Apart Automatically. A CAPTCHA is a program that protects websites against attacks by generating multiple automatic requests using scripting technology or other computer program. In general, a CAPTCHA is used to prevent abuse by automated scripts.

Scripting on IRCTC website:

The demand of Tatkal and ARP (Advance Reservation Period) tickets is increasingday by day  hence use of Scripting technology is also increasing  on IRCTC website client end web pages for filling up the various forms used during ticket booking process for faster booking. This Scripting technology and tools are being used by programmers for developing software like Black TS etc for faster filling the forms used during ticket booking process. The parameters at client end can be easily seen by programmers of any website and may be used for scripting. The scripting tools, technology is available online and Google Chrome and Mozilla Browsers support the scripting. The scripting software for input at client end may be developed easily for any website.  Since the scripting at client end cannot be stopped, the impact of the use of scripting technology has been negated by the various checks in the form of Captcha ,  Time delay and  other server side checks. Banks have also implemented OTP in net banking to control the automated booking using scripting software/tools.

Checks Implemented on IRCTC website to stop misuse of Internet Ticket booking facility by the use of automated softwares:

Registration:

  1. CAPTCHA is implemented on IRCTC website at Registration page to stop automated registrations.
  2. Single email, single Registration is also implemented on website to stop multiple registrations on one Individual email-id. Verification link is sent to email-id for verification.
  3. Single Mobile, single Registration is also implemented on website to stop multiple registrations on one Individual Mobile. OTP (One time password) is sent to mobile to verify Mobile.

Booking:

(i)               Minimum form filling time check  implemented in passenger reservation form.

(ii)             Minimum payment time check implemented for payment process.

(iii)           Only two Tatkal tickets can be booked for single user ID in opening Tatkal Hrs.  i.e  10-12 hours .

(iv)           Maximum 10 tickets in a month can be booked on an user ID.

(v)             One user can do only one login at one point in a time.

(vi)           Only one Tatkal ticket in single session (except return journey).

(vii)         Only two opening Tatkal tickets per IP address.

(viii)       OTP (One time password) is implemented in net banking payment options.

(ix)           Captcha is implemented at login, Reservation Form page and Payment page.

Time taken in Booking of ticket:

The Next Generation e-Ticketing System (NGeT) is able to handle load of 15000 tickets in a minute. Hence 250 tickets can be booked concurrently in a second. At best, an individual user can book his ticket in 35 seconds.. The time taken for ticket booking depends upon the speed of internet at client end, form filling speed of individual and bank response time. At reservation counters, a ticket can be booked in less than 35 seconds.

To stop the misuse of website various time checks and Captcha have been implemented as discussed above. With these checks in place, it is not possible to book any Opening Tatkal ticket by any software being sold in the market earlier than 35 seconds. Tables shown below which indicate first 35 seconds bookings and   36th   second to 60th second booking separately at 10:00 AM and 11:00 AM for Opening Tatkal at PRS counters vis a vis IRCTC website.

Table-D: First Minute Tatkal ticket booking in AC Classes at 10:00 AM.

First Minute Tatkal Ticket Booking (AC Classes)

Transaction Time

 10:00:00 to 10:00:35

 10:00:36 to 10:01:00

Transaction Date

 No. of tickets booked (Tatkal)

 No. of tickets booked (Tatkal)

 PRS Counter

IRCTC

 PRS Counter

 IRCTC

25-Dec-15

2,312

0

868

3,095

26-Dec-15

2,481

0

1,069

3,345

27-Dec-15

1,909

0

781

3,576

28-Dec-15

2,089

0

877

2,891

29-Dec-15

2,054

0

795

3,102

30-Dec-15

1,647

0

655

2,484

31-Dec-15

2,012

0

871

2,680

01-Jan-16

2,380

0

1,024

3,195

02-Jan-16

2,446

0

1,027

2,843

03-Jan-16

1,721

0

722

3,381

04-Jan-16

1,804

0

728

2,673

05-Jan-16

1,644

0

619

2,379

06-Jan-16

1,600

0

653

2,047

07-Jan-16

1,835

0

763

1,856

08-Jan-16

2,013

0

817

2,424

09-Jan-16

1,991

0

918

2,231

10-Jan-16

1,404

0

586

2,459

 

Table-E: First Minute Tatkal ticket booking in Non AC Classes at 11:00 AM.

First Minute Tatkal Ticket Booking (Non-AC Classes)

Transaction Time

 11:00:00 to 11:00:35

 11:00:36 to 11:01:00

Transaction Date

 No. of tickets booked (Tatkal)

 No. of tickets booked (Tatkal)

 PRS Counter

IRCTC

 PRS Counter

 IRCTC

25-Dec-15

2,258

0

1,537

1,956

26-Dec-15

2,392

0

1,539

1,768

27-Dec-15

1,887

0

1,221

2,429

28-Dec-15

2,244

0

1,578

2,094

29-Dec-15

2,290

0

1,526

33

30-Dec-15

2,162

0

1,404

1,787

31-Dec-15

2,374

0

1,460

1,478

01-Jan-16

2,463

0

1,587

1,639

02-Jan-16

2,454

0

1,598

1,775

03-Jan-16

1,904

0

1,198

1,628

04-Jan-16

2,245

0

1,456

1,625

05-Jan-16

2,221

0

1,469

1,770

06-Jan-16

2,149

0

1,465

1,202

07-Jan-16

2,267

0

1,486

1,798

08-Jan-16

2,354

0

1,583

1,753

09-Jan-16

2,249

0

1,522

1,496

10-Jan-16

1,761

0

1,154

1,650

 

From the above tables, it is clearly evident that while it is possible to book tickets through human process at PRS counters within first 35 seconds, it is not possible to book any Tatkal ticket in first 35 seconds on IRCTC website even by using scripting software. The claim made by various software sellers in the market that their software can book Tatkal in 10 to 20 seconds is not factually correct. Further, only 5 to 6 Thousand tatkal tickets are booked in the first minute both at PRS counters and IRCTC website put together out of the total 1.5 lakhs Tatkal tickets available on PRS. This again is contrary to the claim made by the media that entire Tatkal tickets are booked within first 30 seconds by using automated software.

Security measures to control Hacking

Multilayered security with deep defense in the NGeT system:

1.      State of the art perimeter security in the data center comprising of front-end & backend firewall, network intrusion prevention system, Web application firewall, Security information event management(SIEM) , host intrusion prevention system (HIPS), OS hardening on all servers , Web/App server hardening, database server hardening, Spring security framework in the application software.

2.      All best practices for ensuring security in the application software have been followed. All 10 OWASP (Open Web Application Security Project) application software vulnerabilities have been addressed..

3.      By dint of these security measures, no hacking attempt has been successful on the NGeT system. All intrusion or Distributed Denial of Service  (DDoS) attempts have been thwarted.

Third party audit

  1. Periodic external audits are being conducted. In a recent audit done by STQC (Standardization, Testing and Quality Certification) ,DeitY, Govt. of India, the auditing agency has certified that the web application is free from OWASP top 10  and any other known vulnerabilities; and is safe for hosting.
  2. Pre-launch Source code audit by Cert-In (Computer Emergency Response Team - India), DeITY Govt. of India, was conducted.

Real -time feed of internet traffic to Cert-IN for security alerts:

Packet headers of traffic traversing through internet gateway routers are forwarded in real-time to CERT-In for their analysis & reporting. In response, CERT-In sends real time alerts (in case some malicious activity is detected) and weekly reports.