Booking Agent Bypassed IRCTC Security Using Software

Harin - Jun 26, 2019



The Railway Protection Force discovered that a Shahibaug-based travel firm had used software to bypass the security system of IRCTC to generate 68 e-tickets.

Questions have been raised about the security of the computer systems of the Indian Railway Catering and Tourism Corporation (IRCTC) following the recovery of 68 e-tickets worth Rs 1.43 lakh. On June 22, the Railway Protection Force discovered that a Shahibaug-based travel firm had used software to generate 68 e-tickets with personal IDs, not agent IDs.


The agents used the software to buy Tatkal tickets and sold them at a different price.

According to Gracious Fernandez, the agent used the software to enter the train details, the payment mode, and the passenger details before 10 am, which is when the IRCTC allows bookings. The booking would then happen automatically right at 10 am. The software even bypassed security features like “Captcha”, which is used to ensure that a human user is carrying out the booking.

This particular software comes with several advanced features, including proxy IP services, Captcha readers, a complicated chain of servers, and an OTP bypassing mechanism. With its upgraded version, a user can even buy up to 20 individual tickets with just one click.

It would normally take a regular user 30 minutes to book 20 tickets, and the booking system does not allow more than five transactions. In this case, however, the agent succeeded in booking 20 confirmed tickets in just 1 minute.

Fernandez said that his investigation found that the Shahibaug-based railway ticket agent had several IRCTC personal IDs and was using them to book Tatkal tickets. As an agent, he is allowed to book only with his agent ID. However, agent IDs have to wait 30 minutes after regular users before they can book tickets, and by then all the Tatkal tickets are sold out.
