Ministry of Railways takes Measures on IRCTC website to control ticket booking using automated software
To strengthen its PRS (Passenger Reservation System), the Ministry of Railways has taken various measures on the IRCTC website to control ticket booking using automated software. In this regard, a combined press conference was held today, i.e. 19.01.2016, by Indian Railways. The conference was attended by the apex officials, namely CMD, IRCTC Shri Dr. A. K. Manocha; MD, CRIS Shri Sanjaya Das; Executive Director, C&IS, Railway Board Shri U. Hazarika; and other senior officials from the Railway Board. The various measures which IRCTC and CRIS now take to control rail ticket booking using automated software are as follows:
Internet Ticketing:
Internet ticketing on the IRCTC website was started in the year 2002 with 29 tickets on the first day. This has now increased to more than 13 lakh tickets booked in a single day (achieved on 01/04/2015).
Internet ticketing on the IRCTC website has progressively increased over the years, and its share in the total reserved tickets has also progressively increased.
Table-A: Year wise Internet tickets booked.

| Year | Tickets Booked | Ticket Fare (in Rs.) |
|---|---|---|
| 2010-2011 | 96911148 | 80071642602 |
| 2011-2012 | 116177134 | 94984557141 |
| 2012-2013 | 140688214 | 124194653792 |
| 2013-2014 | 157981713 | 154101353840 |
| 2014-2015 | 183021842 | 205146330319 |

Table-B: Growth of Internet Ticketing over last five years.
Table-C: Continuously increasing share of Internet ticketing.

| Year | % Internet Ticketing Passengers to Total Passengers Travelled | % PRS Passengers to Total Passengers Travelled |
|---|---|---|
| 2011-2012 | 38.54 | 61.46 |
| 2012-2013 | 43.21 | 56.79 |
| 2013-2014 | 48.73 | 51.27 |
| 2014-2015 | 54.52 | 45.48 |

Next Generation e-Ticketing System (NGeT):
Due to increased demand for e-ticketing and capacity constraints, there were problems in the ticket booking process and complaints of website slowness and non-availability. The Next Generation e-Ticketing System (NGeT) was launched on 28/04/2014 to handle increased ticket booking. The capacity was increased from 2000 tickets in a minute to 7200 tickets in a minute. The capacity of NGeT was further increased to 15000 tickets in a minute in 2015 to book tickets fast and easily. E-tickets can be booked easily and faster through the website, and the IRCTC website is able to handle 15000 tickets per minute at present. The concurrent user connections were increased from 40,000 to 1,20,000 in NGeT, and have further been increased to 3,00,000 before the Diwali rush. The enquiries in NGeT have also been increased from 1000 per second to 3000 per second. Capacity in NGeT was increased this year by doubling the servers in the integration layer and adding storage space.
Scripting:
A scripting or script language is a programming language that supports scripts: programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. Scripting technology is also useful for automating the process of filling in data in web pages at the client end. Scripting is available in Google Chrome, Mozilla and other browsers.
CAPTCHA:
CAPTCHA Tells Humans and Computers Apart Automatically. A CAPTCHA is a program that protects websites against attacks that generate multiple automatic requests using scripting technology or other computer programs. In general, a CAPTCHA is used to prevent abuse by automated scripts.
Scripting on IRCTC website:
The demand for Tatkal and ARP (Advance Reservation Period) tickets is increasing day by day; hence the use of scripting technology is also increasing on the client-end web pages of the IRCTC website, to fill in the various forms used during the ticket booking process for faster booking. This scripting technology and these tools are being used by programmers to develop software like Black TS etc. for faster filling of the forms used during the ticket booking process. The parameters at the client end of any website can be easily seen by programmers and may be used for scripting. The scripting tools and technology are available online, and the Google Chrome and Mozilla browsers support scripting. Scripting software for input at the client end may be developed easily for any website. Since scripting at the client end cannot be stopped, the impact of the use of scripting technology has been negated by various checks in the form of Captcha, time delay and other server-side checks. Banks have also implemented OTP in net banking to control automated booking using scripting software/tools.
Checks implemented on IRCTC website to stop misuse of the Internet ticket booking facility by the use of automated software:
Registration:
- CAPTCHA is implemented on IRCTC website at Registration page to stop automated registrations.
- Single email, single Registration is also implemented on website to stop multiple registrations on one Individual email-id. Verification link is sent to email-id for verification.
- Single Mobile, single Registration is also implemented on website to stop multiple registrations on one Individual Mobile. OTP (One time password) is sent to mobile to verify Mobile.
Booking:
(i) Minimum form filling time check implemented in the passenger reservation form.
(ii) Minimum payment time check implemented for the payment process.
(iii) Only two Tatkal tickets can be booked for a single user ID in opening Tatkal hours, i.e. 10-12 hours.
(iv) Maximum 10 tickets in a month can be booked on a user ID.
(v) One user can do only one login at one point in time.
(vi) Only one Tatkal ticket in a single session (except return journey).
(vii) Only two opening Tatkal tickets per IP address.
(viii) OTP (One time password) is implemented in net banking payment options.
(ix) Captcha is implemented at the login, Reservation Form and Payment pages.
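The minimum form-filling time check and the two-per-user-ID and two-per-IP opening Tatkal limits from the list above, enforced on the server, as an added example that is not IRCTC's or CRIS's code. The HMAC-signed render timestamp, the 20-second threshold, the secret and every name are assumptions, and the counters are assumed to cover a single opening Tatkal window.

```python
import hashlib
import hmac
from collections import Counter

SECRET = b"constructed-demo-key"   # assumption: secret held only by the server
MIN_FILL_SECONDS = 20              # assumption: the page gives no threshold
MAX_OPENING_TATKAL = 2             # from the page: two per user ID, two per IP


def _mac(session_id: str, issued: str) -> str:
    msg = f"{session_id}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(session_id: str, now: float) -> str:
    """Sign the form-render time so the client cannot backdate it."""
    issued = str(int(now))
    return f"{issued}.{_mac(session_id, issued)}"


class BookingGate:
    """Server-side checks applied when a reservation form is submitted."""

    def __init__(self) -> None:
        self.by_user = Counter()
        self.by_ip = Counter()
        self.used_tokens = set()

    def check(self, session_id, user_id, ip, token, now) -> str:
        """Return 'ok' or the name of the check that rejected the request."""
        issued, _, mac = token.partition(".")
        expected = _mac(session_id, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "bad_token"          # forged, altered, or other session
        if token in self.used_tokens:
            return "replayed_token"     # one booking per rendered form
        if now - int(issued) < MIN_FILL_SECONDS:
            return "too_fast"           # submitted before the minimum time
        if self.by_user[user_id] >= MAX_OPENING_TATKAL:
            return "user_quota"
        if self.by_ip[ip] >= MAX_OPENING_TATKAL:
            return "ip_quota"
        self.used_tokens.add(token)
        self.by_user[user_id] += 1
        self.by_ip[ip] += 1
        return "ok"
```

Because the render time is signed by the server and bound to the session, a client-side script can fill the form instantly but still has to wait out the minimum interval before the submission is accepted.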
Time taken in booking of ticket:
The Next Generation e-Ticketing System (NGeT) is able to handle a load of 15000 tickets in a minute. Hence 250 tickets can be booked concurrently in a second. At best, an individual user can book his ticket in 35 seconds. The time taken for ticket booking depends upon the speed of the internet at the client end, the form filling speed of the individual and the bank response time. At reservation counters, a ticket can be booked in less than 35 seconds.
To stop the misuse of the website, various time checks and Captcha have been implemented as discussed above. With these checks in place, it is not possible to book any Opening Tatkal ticket earlier than 35 seconds by any software being sold in the market. The tables below show bookings in the first 35 seconds and from the 36th to the 60th second separately, at 10:00 AM and 11:00 AM for Opening Tatkal, at PRS counters vis-a-vis the IRCTC website.
Table-D: First Minute Tatkal ticket booking in AC Classes at 10:00 AM.

First Minute Tatkal Ticket Booking (AC Classes): No. of tickets booked (Tatkal), by transaction time

| Transaction Date | PRS Counter (10:00:00 to 10:00:35) | IRCTC (10:00:00 to 10:00:35) | PRS Counter (10:00:36 to 10:01:00) | IRCTC (10:00:36 to 10:01:00) |
|---|---|---|---|---|
| 25-Dec-15 | 2,312 | 0 | 868 | 3,095 |
| 26-Dec-15 | 2,481 | 0 | 1,069 | 3,345 |
| 27-Dec-15 | 1,909 | 0 | 781 | 3,576 |
| 28-Dec-15 | 2,089 | 0 | 877 | 2,891 |
| 29-Dec-15 | 2,054 | 0 | 795 | 3,102 |
| 30-Dec-15 | 1,647 | 0 | 655 | 2,484 |
| 31-Dec-15 | 2,012 | 0 | 871 | 2,680 |
| 01-Jan-16 | 2,380 | 0 | 1,024 | 3,195 |
| 02-Jan-16 | 2,446 | 0 | 1,027 | 2,843 |
| 03-Jan-16 | 1,721 | 0 | 722 | 3,381 |
| 04-Jan-16 | 1,804 | 0 | 728 | 2,673 |
| 05-Jan-16 | 1,644 | 0 | 619 | 2,379 |
| 06-Jan-16 | 1,600 | 0 | 653 | 2,047 |
| 07-Jan-16 | 1,835 | 0 | 763 | 1,856 |
| 08-Jan-16 | 2,013 | 0 | 817 | 2,424 |
| 09-Jan-16 | 1,991 | 0 | 918 | 2,231 |
| 10-Jan-16 | 1,404 | 0 | 586 | 2,459 |

Table-E: First Minute Tatkal ticket booking in Non AC Classes at 11:00 AM.

First Minute Tatkal Ticket Booking (Non-AC Classes): No. of tickets booked (Tatkal), by transaction time

| Transaction Date | PRS Counter (11:00:00 to 11:00:35) | IRCTC (11:00:00 to 11:00:35) | PRS Counter (11:00:36 to 11:01:00) | IRCTC (11:00:36 to 11:01:00) |
|---|---|---|---|---|
| 25-Dec-15 | 2,258 | 0 | 1,537 | 1,956 |
| 26-Dec-15 | 2,392 | 0 | 1,539 | 1,768 |
| 27-Dec-15 | 1,887 | 0 | 1,221 | 2,429 |
| 28-Dec-15 | 2,244 | 0 | 1,578 | 2,094 |
| 29-Dec-15 | 2,290 | 0 | 1,526 | 33 |
| 30-Dec-15 | 2,162 | 0 | 1,404 | 1,787 |
| 31-Dec-15 | 2,374 | 0 | 1,460 | 1,478 |
| 01-Jan-16 | 2,463 | 0 | 1,587 | 1,639 |
| 02-Jan-16 | 2,454 | 0 | 1,598 | 1,775 |
| 03-Jan-16 | 1,904 | 0 | 1,198 | 1,628 |
| 04-Jan-16 | 2,245 | 0 | 1,456 | 1,625 |
| 05-Jan-16 | 2,221 | 0 | 1,469 | 1,770 |
| 06-Jan-16 | 2,149 | 0 | 1,465 | 1,202 |
| 07-Jan-16 | 2,267 | 0 | 1,486 | 1,798 |
| 08-Jan-16 | 2,354 | 0 | 1,583 | 1,753 |
| 09-Jan-16 | 2,249 | 0 | 1,522 | 1,496 |
| 10-Jan-16 | 1,761 | 0 | 1,154 | 1,650 |

From the above tables, it is clearly evident that while it is possible to book tickets through the human process at PRS counters within the first 35 seconds, it is not possible to book any Tatkal ticket in the first 35 seconds on the IRCTC website, even by using scripting software. The claim made by various software sellers in the market that their software can book Tatkal in 10 to 20 seconds is not factually correct. Further, only 5 to 6 thousand Tatkal tickets are booked in the first minute at PRS counters and the IRCTC website put together, out of the total 1.5 lakh Tatkal tickets available on PRS. This again is contrary to the claim made by the media that all Tatkal tickets are booked within the first 30 seconds by using automated software.
Security measures to control Hacking
Multilayered security with deep defense in the NGeT system:
1. State of the art perimeter security in the data center comprising front-end & backend firewall, network intrusion prevention system, Web application firewall, Security information event management (SIEM), host intrusion prevention system (HIPS), OS hardening on all servers, Web/App server hardening, database server hardening, and Spring security framework in the application software.
2. All best practices for ensuring security in the application software have been followed. All 10 OWASP (Open Web Application Security Project) application software vulnerabilities have been addressed.
3. By dint of these security measures, no hacking attempt has been successful on the NGeT system. All intrusion or Distributed Denial of Service (DDoS) attempts have been thwarted.
Third party audit
- Periodic external audits are being conducted. In a recent audit done by STQC (Standardization, Testing and Quality Certification), DeitY, Govt. of India, the auditing agency has certified that the web application is free from OWASP top 10 and any other known vulnerabilities, and is safe for hosting.
- Pre-launch source code audit by CERT-In (Computer Emergency Response Team - India), DeitY, Govt. of India, was conducted.
Real-time feed of internet traffic to CERT-In for security alerts:
Packet headers of traffic traversing through internet gateway routers are forwarded in real-time to CERT-In for their analysis & reporting. In response, CERT-In sends real time alerts (in case some malicious activity is detected) and weekly reports.