Fare enough: A systems view of ticketing and fare evasion on Melbourne’s trams, from bell-punch to myki

By Russell Jones. First published 2012.

Key to the future

The Metcard contract was originally planned to end in March 2007. Despite the completion of the Metcard rollout in 2003, as noted in the previous section, fare evasion on Melbourne public transport continued to be a major problem.

The successful implementation of a number of stored value card systems by international public transport operators [9] showed the Victorian State Government what could be achieved. The Transport Ticketing Authority (TTA) was established in April 2003 with the objective of replacing the Metcard system with a smart card system. The original budget was $741.9 million, with the objective of replacing Metcard by the original end of contract in March 2007.

In July 2005 the successful tenderer Kamco began work on developing the myki system, with an adjusted budget of $999 million. However, like many complex IT projects, myki development ran over time and over budget, increasing to $1.35 billion in April 2008 and four years behind the original schedule. This has required the extension of the Metcard contract. The two systems were run in parallel on the train system since the end of 2009, with myki deployment on trams and buses commencing on 25 July 2010.

As originally conceived, myki was to be implemented with three types of smart cards:

• Registered cards, associated with an individual passenger. These cards are required for the use of any concessional fares, or where cards are topped up through use of the myki web site.
• Single use cards, available from myki outlets, and from a variety of vending machines including machines deployed on trams.
• Anonymous cards, which can only be topped up through a myki terminal, located at railways stations and other key locations. Myki terminals were originally also to be deployed on trams.

No personal details other than the card balance and details of the last ten trips were to be held on an anonymous card. Anonymous cards were not to be permitted with student or senior concessions. Use of anonymous cards in conjunction with the myki website was also excluded from the design.

Due to the project overrun and close association of the project with the previous Labor administration, the newly elected Baillieu State Government commenced a review of the myki project in December 2010. In June 2011, it decided to not to cancel the project, which is now planned to replace Metcard at the end of 2012.

The review has resulted in a reduction of scope, including the decision not to deploy myki ticketing vending machines on trams, and not implementing single use myki tickets. The withdrawal of Metcard will leave tram passengers unable to either purchase any form of ticket or ‘top up’ their smartcard on a Melbourne tram, nor will they be able to purchase or ‘top up’ myki cards at most tram stops.

In an effort to ameliorate adverse public reaction to this decision, as of 1 January 2012 the State Government reduced the cost of purchasing a myki multi-use smartcard from $10 down to $6. The life of a myki smartcard is expected to be four years. The replacement fee for a lost or stolen myki card was abolished as part of the same decision.

On its introduction on Melbourne trams, the key characteristic of the myki card was the requirement to ‘touch on’ when boarding, and ‘touch off’ on exit. This required a change in passenger behaviour, as Metcard passengers were only required to validate tickets on entry. This requirement was actively resented by myki users as it significantly slowed tram entry and exit, particularly on crowded trams.

The reason for this requirement was Melbourne’s multi-zone fare system, and the overlap of the tram network across Zones 1 and 2. Unlike the Hong Kong Octopus card where a flat fare is charged for tram journeys, requiring only a ‘touch on’ at vehicle entry, myki required the location of boarding and departing the vehicle to be recorded in order to calculate the correct fare.

Additionally, Hong Kong trams have separate entry and exits, making it simpler to police compliance with the requirement to ‘touch on’, whereas the Melbourne tram system allows entry by any door.

Myki validator on board Z3 class tram, September 2012.

Photograph courtesy Noelle Jones.

The original use of the higher Zone 1 and 2 default fare to penalise passengers who do not ‘touch off’ was hoped to force compliance with this required behavioural change. This is problematic, especially when there is an established culture of fare evasion on Melbourne’s trams, which is unlikely to encourage passengers to ‘touch on’ when boarding a tram, and the impossibility of ‘touching off’ on (for example) a crowded peak hour St Kilda Road tram. The design shortfall was addressed in 2012 to some extent by modifying the implementation for trams by assuming that the ‘touch off’ point is within Zone 1 if the passenger neglects to ‘touch off’. Therefore, tram passengers are not penalised by failing to ‘touch off’, unless their journey is entirely within Zone 2. It does expose the operator to some revenue loss on those few routes that span both zones.

A factor that will most likely increase the level of fare evasion was the decision to remove the ability to purchase or ‘top up’ myki cards on trams from the scope of myki. Many passengers will find the balance on their myki card is insufficient to travel legally. This is particularly a problem with impulse-driven use of public transport, in that the operator is making it difficult to purchase the right to use the service. Faced with this situation, many intending passengers will risk a fine and travel illegally.

Unfortunately the design of the myki business model as a stored value card does not contribute positively to this particular problem, particularly when considering the network-savvy younger generations. While the ability to ‘top up’ a myki card is available through an Internet-connected mobile phone, tablet or laptop, there is an advertised delay of at least one day before on-line payments are credited to the stored value myki card. This is clearly unacceptable for the impulse traveller.

Over time, the travelling public will increasingly demand this functionality, due to the lack of utility of the myki system deployed on Melbourne’s trams. Regrettably, the fundamental architecture of the myki system as deployed on trams will make this capability extremely difficult to implement.

This problem could have been avoided through use of a business model premised on payment in arrears rather than stored value cards. The implementation by CityLink – the Melbourne toll roads operator – of accounts that automatically deduct toll road usage on a monthly basis from a nominated credit card has avoided exactly this issue for road users.

This business model could have even been extended to reward frequent users, by automatically upgrading consistent daily use to a cheaper monthly tariff, thus encouraging passengers to ‘touch on’ and ‘touch off’. Sometimes the carrot can be more effective than the stick.

A golden opportunity to reduce impulse-driven fare evasion was lost by the TTA through failure to implement payment by arrears.

However, the myki website provides the capability to automatically ‘top up’ a registered myki card if the stored value falls below a specified level. This goes some way towards reversing the perceived loss of utility through not being able to buy a ticket on board a tram. Passengers selecting this method of paying for travel in theory never have to worry about the amount of money stored on their myki card. This means that as long as they ‘touch on’ and ‘touch off’, they are in no danger of travelling illegally, and have gained a great deal of convenience.

It will be interesting to see if this factor will be sufficient to reduce fare evasion to levels that were seen prior to the withdrawal of tram conductors.

Myki stored value card for adult (non-concession) traveller, October 2012.

Photograph courtesy Noelle Jones.

One characteristic of the introduction of the myki system that has resulted in a lack of public acceptance has been the unreliable and slow validation experienced by early adopters. Observation by other passengers of myki users attempting to ‘touch on’ or ‘touch off’ and blocking tram exits has resulted in slow takeup by many passengers, who clearly preferred the familiar Metcard despite the lower fares charged with myki. Unfavourable media reports regarding system problems have also reduced public acceptance of myki, reinforcing the natural resistance to change of the broader travelling public.

However, it is clear from examination of processes regarding administration of the myki system that considerations of customer service were of a secondary nature in the myki design. The stated ten-day turnaround for replacement of a faulty card is a disincentive for passengers to comply with the system, as well as the cumbersome requirement to return a ‘locked’ card. Locking will occur in the event that a credit card ‘top up’ is declined through insufficient credit balance, or expiry of a credit card during an automated ‘top up’ transaction, leaving the passenger without the ability to travel legally.

If a card is not used for three months, any credit card ‘top up’ will also be locked out, or more correctly suspended. This cannot be reversed through the myki website, requiring lengthy action through the call centre to remedy. This feature of myki has some unintended consequences. It essentially removes the ability of a customer to have a ‘stand-by’ card linked to the same account, particularly when considering that the myki website does not allow an account-holder to transfer value from one card to another. This is possible only through interaction with the myki call centre, which also attracts imposition of a standard service fee – which as of January 2012 was $9.80. The restriction of account-holders to have no more than eight cards applies additional limitations when managing an account for a larger family. This occurs in the case when children need to change from a standard child concession myki card to a student concession myki card. The suggested solution of having multiple accounts together with the inability to transfer balances without the imposition of a service fee significantly makes the service unworkable for larger families, while the inability to transfer balances without reference to the call centre and its service fees creates difficulties for any sized family attempting to manage an account with multiple cards – with or without children.

The TTA has also missed a marketing opportunity with the eight card limitation on a single account, as this is a significant impediment to businesses wishing to make myki cards available to their staff as a fringe benefit, encouraging them to use public transport rather than servicing novated leases of motor vehicles. Even the ability for companies to maintain accounts purely for work-related travel is constrained by this design feature. .

Further evidence of lack of attention to an effective customer service strategy is shown by the information displayed on-screen by the ‘touch-on’ readers when validating. The only information provided is the current card balance and the size of any deduction from stored value, rather than empowering the passenger by displaying the remaining time before ‘two-hour’ myki use escalates to a daily ticket. This lack effectively removes the ability for the pasenger to control his or her usage of myki, the result being a system that is not as useful as it could have been.

Further work also needs to be carried out with regard to the robustness of the back-end systems, as evidenced by the February 2012 system failure that resulted in the website account details not being updated for at least four days. Clearly, significant attention needs to be paid to improving the customer experience of myki before it becomes truly successful.

A media report in ZDNet on 4 May 2012 indicated that the TTA is not in a hurry to modify the back-end systems until at least the rollout of myki is complete. As at June 2012 no statement has been issued by the TTA or Public Transport Victoria in relation to projected changes to myki to improve the customer experience or functionality.

The introduction of smartcard technology raises a new challenge to the field of fare evasion – the prospect of the supporting IT systems or the cards themselves being hacked to defraud the underlying system. This is a common challenge to all IT systems used for e-Commerce, and will require ongoing investment in, and development of, the technology.

This risk was underlined by 2011 media reports in ZDNet and ITNews that the Triple DES encryption of the Mifare smartcard used by myki had successfully been hacked by German researchers. The manufacturer recommended that organisations using the technology should upgrade to the latest version of the card, the EV1 model, as has occurred with Transport for London’s Oyster card.

The TTA declined to stop issuing the existing myki card, intending to run down existing stocks before purchasing more secure technology. It stated that the only exposure to the exploit were the last ten transactions together with the current account balance. It added that the following additional measures inherent in the myki system provided sufficient security for this reported hack not to be a significant exposure.

• key diversification
• card blocking
• fraud detection
• card information binding.

Additionally, it was reported that the hack required over $3000 of specialised equipment and significant technical expertise in cryptography, and a year of effort from the researchers. This potential breach was judged not to be a major concern.

Essentially, large scale defrauding of the myki system would require one or more of the following approaches.

• theft of legitimate stored value cards with positive balances
• identity theft
• cloning of legitimate cards
• external hacking of TTA systems to modify account balances or create fraudulent accounts and issue bogus cards
• TTA staff or contractors defrauding the TTA.

Most of the above approaches can be protected against – or at least minimising potential losses – through use of fraud detection systems as an inherent component of the myki implementation. This type of approach has been successfully implemented by Australia’s major banks, and presumably has been implemented as part of the myki solution, although there have been no public announcements regarding this issue.

It should be noted that the cloning of cards does present a problem for myki on trams, due to the lack of ‘real time’ updates from the myki equipment on each vehicle. Instead, transactions are downloaded on a daily basis via WiFi networks at tram depots. Therefore, theoretically there is a window of up to twenty-four hours where cloned tickets could be used without detection by the on-board validators, or by central fraud detection systems. Rail-based myki validators, though still not real-time, have a much higher update frequency than has been implemented on trams. This issue is therefore not as important for rail as for the tram-based system.

While the Melbourne tram operator Yarra Trams monitors its vehicles through a real-time wireless network [10], it does not share the network with the ticketing operator. An opportunity was missed to provide more frequent downloads of myki usage from trams, although it may have complicated both the technical solution and operational procedures, as well as introducing bandwidth capacity issues for the wireless network. The problem of infrequent usage updates also applies to buses due to use of the ‘depot concentrator’ model for myki data transfer, but the large number of bus operators across both metropolitan Melbourne and regional Victoria makes a simple yet more frequent solution both difficult and expensive to implement. Therefore, rather than developing a capability for more frequent download of myki usage data just for Melbourne’s tram system using Yarra Trams’ real time network, the decision was made to minimise cost by implementing the same solution for both trams and buses.

The exposure created by the ‘depot concentrator’ model of updating card usage in the central database does not create a major problem, for the following reasons:

• The limited time window for fraudulent use of cloned cards on trams would dissuade mass attempts, due to the cost of reproduction versus the likely return, unless the cloner is selling cloned myki smartcards with notional high value periodical tickets. In this case the key objective of the seller is likely to be defrauding the customer purchasing the smartcard, rather than defrauding the TTA. This scenario is likely to generate bad public relations, as defrauded customers will seek someone to blame for their misfortune, and the public will expect that the ticketing solution will be proof against such hacks.
• Hand-held ticket validators used by Revenue Protection Officers (RPOs) with virtual private network access via wireless technology (presumably 3G/4G wireless broadband) to the central myki database would permit rapid detection of cloned myki smartcards.

The use of a hand held validator by an RPO also permits access to the last ten transactions, as well as the concession status and unique card identifier. However, the TTA Privacy Policy states that personal details are not immediately available to the RPO, who may only access these details through systems available at the tram depot, and only if the subject card is a registered myki card rather than an anonymous card.

This does raise the interesting issue of compliance with the Privacy Act, where an RPO may abuse his or her authority to acquire the personal details of passengers. While there have been no identified cases where this has been the case with myki, in 2011 NowPublic reported an incident where an RPO harassed a female passenger fined for fare evasion. In this instance the RPO was reported to have been reprimanded and demoted.

Clearly, the adoption of myki has introduced a risk with regard to the protection of the privacy of passengers.

A related exposure does exist – identity theft of passengers’ personal details such as credit card information from TTA systems. This potential requires the TTA to secure these details in accordance with existing legislation, as failure to do so will open the TTA to prosecution and lawsuits on behalf of adversely affected individuals. However, the TTA has made no public statement with regard to compliance with the PCI security standards [11] for securing credit card and payment-related data. This is of some concern, given that these standards are accepted by the financial industry as providing a minimum level of protection for their customers.

The issue of passenger privacy protection and identity theft is a challenge that the directors of the Melbourne Tramway & Omnibus Company could never have predicted back in 1885 when they set out to implement a secure and strong system to prevent fare evasion.

However, since 1989 all three attempts to introduce a comprehensive new ticketing system have been significantly flawed, with none realising their dual aims of minimising fare evasion while being accepted by the vast majority of the travelling public. Only time will tell if the myki system can or will be modified to address its shortcomings and achieve this objective. It is a given that it will never enjoy the longevity and success of the flimsy ticket system.

Footnotes

[9] Examples of stored value cards are the Oyster Card introduced by London Transport in 2003, and the Octopus Card from Hong Kong’s MTR Corporation, which was introduced in 1997.

[10] Yarra Trams provides a public downloadable application called tramTRACKER® from its website for customer information on current service status. The application interfaces directly with Yarra Trams’ real time fleet control network.

[11] The PCI security standards are a series of financial data security standards set by a global open forum, the Payment Card Industry Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.