Chicago’s Ventra App – Good Security + Good UX

I just returned from traveling and wanted to highlight some good design I saw: the mobile ticket display for Chicago’s Metra (suburb commuter) trains.

What I Saw

I found this in the Ventra app that Chicago offers to users of its various public transit options. When you are on a train, you activate your ticket and then show the app to the conductor. There’s a QR code on the screen with (presumably–I haven’t decoded it) some information on the purchased ticket so that it can be validated (I’ve redacted the QR code in the screenshot).

Except, I noticed that the conductor wasn’t looking at the QR code. Instead, he just looked at the picture. (It looks more or less like this screenshot, though in the app there are some animations.)

After he saw it, he asked me to touch the screen. It then changed color to look like this:

What It Provides

It took me a little bit to figure out why this was valuable, but then I realized it was a simple attempt to make it harder to counterfeit tickets. Here are the security measures I see:

  • It has a QR code, so we are (presumably) still able to do a real final check.
  • The animations show that it isn’t just a screenshot, while the date and time show that it’s current.
  • The touch-activated color change shows that it’s more than just a recorded video.

The QR code is probably the only piece that provides real security (i.e. security that we can’t counter with mere effort). Everything else is just “keeping honest people honest.” But security isn’t just about having perfect locks. It’s about having perfect locks that people can use.

While the QR code can be checked with a wireless-connected scanner, that can be slow and expensive to do for every ticket. Instead, a nice animation gets us:

  • A higher level of effort required to counterfeit. For an average person, this effort probably isn’t worthwhile for a $6 train ticket.
  • Reduced training costs. It’s easy to explain to staff that “it’s fake if it doesn’t change colors when you touch it.”
  • Efficiency. Just viewing a screen is probably faster than forcing conductors to scan every single person’s ticket. Currently, many riders still use the old punch cards, so conductors are being slowed down by having to use multiple tools. If a new system placed a significant burden on top of that, it wouldn’t get used.
  • Reduced equipment costs. If every ticket needed scanning, they’d probably have to buy more scanners, plus spares. They’d need to be more concerned about battery life. The image makes that unnecessary, and it provides a simple alternative for times when the scanner isn’t available.
  • Reduced connectivity costs. Conductors need connectivity to a server so they can validate the results. Getting them a stable data connection over every mile of track is likely impossible. This solution gives them a fallback for when they’re in tunnels with no signal.

At the end of the day, it’s not a perfect solution. But adding it to their existing security measures is cheap to do, easy to roll out, and as described above, definitely improves many aspects.

Plus, there are ways to mitigate its weaknesses. They could perform a risk-limiting audit periodically to detect and discourage fakes. They could also rotate new animations in to make counterfeiting require an ongoing effort.

Security & Tradeoffs

Every time we try to prevent misuse or abuse, we make tradeoffs. Better security is almost always more expensive to build and deploy, and usually harder to use.

It’s often better to have a system that’s marginally less secure, if you get one that’s significantly easier to use. If you make it hard to use, your workers aren’t going to use it, and the most perfect security in the world will be for naught.