Digital Finds

joseph dot reeves at thehumanjourney dot net

Free bus travel, or "how not to deal with onsite mobile communications"

May 07, 2009 by Joseph Reeves

Note: As ever the contents of this blog reflect my own opinions, not those of my employer. In no way do I condone or promote any activity that may be even vaguely illegal.

The Oxford Bus Company's Airline service is a wonderful example of how not to deal with online transactions for two important reasons - it's bad for customers and presents an easily exploited security flaw that can result in free bus travel for anyone who wants it. At a wider level, the Oxford Bus Company demonstrates that a half-hearted approach to online commerce, and a failure to deal with modern mobile technology, can be much more detrimental to your business than simply not engaging with online commerce at all.

Discovering the flaw, or "how to upset paying customers"

I recently purchased a return bus ticket online to travel from Oxford to Heathrow and back. It cost me £25. The ticket arrives as an email, which you're asked to bring along with you when you board the bus. How you "bring the email" with you is open to debate; on the website you're told you need to print it, on the email itself you're told to simply "bring it with you". All my emails end up on my mobile phone, so I planned to bring the email with me by simply taking my phone. I also took my passport with me - I'd need it at Heathrow and was told that I would need to show photo ID to the bus driver. Boarding the bus I was told that I did not have enough to complete the journey - I had the email, in electronic form, and I had photo ID, but I needed to have a paper copy of the ticket, as such I would need to spend another £25 on a ticket from the bus driver.

I also had an electronic plane ticket that had been emailed to me and that I had also not printed. This was linked to my passport number, so all I needed to do was hand my passport in at the check-in desk at the airport and they could retrieve my details. Similarly, I have previously booked airport car parking online and have been sent a confirmation number that I have not printed, just remembered, and provided to staff at the car park to enable me to leave my car. Other companies, it seems, that allow you to pay for things online, don't need a printed email, or any email, to identify the buyer.

Other companies not only provide you with a reference number when you pay for something, but more importantly, they also provide their customer-facing staff with access to the data behind this reference number. The Oxford Bus Company does not do this; it only requires that you turn up with a printed email and photo ID. This is two-factor authentication - something I have and something I am - but it's very unfortunate that the something I have is produced by myself, rather than by the bus company; as such, a genuine-looking piece of paper can be used to exploit the system.

Exploiting the system, or "give the man what he wants"

Exploiting the hole in the Oxford Bus Company's awful system is easy; print a genuine looking email that contains the details of any bus journey you want to take. The bus driver only wants to see an email and your ID, they have no access to any passenger lists; should anyone with a passenger list board the bus (some kind of ticket inspector, I guess), you can remind them that the customer is always right; furthermore, act mortified at the fact that they blame a failing of the booking processing system to register your journey as some sort of criminal action on your behalf.

Fixing the system, or "use what you've already got"

Fixing this bus ticket problem would be very simple - the Oxford Bus Company just needs to generate a unique ID number that it includes in emails to customers and to provide drivers with access to a passenger database. Buses are already fitted with Internet connections to be used by passengers on the journey, so all that needs to be provided is a very simple device to the driver.

A passenger boards the bus, hands over their ID and says "my number is 546672", the driver taps this into the machine and replies "ah yes, hello Mr Reeves, I'll let you know when we're at Heathrow Central bus terminal".
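The fix described above, as an added example (not code from the original post or from the Oxford Bus Company): a reference number is stored server-side at purchase, and the driver's device looks it up instead of trusting paper. The schema, function names and sample values are assumptions, and each booking is treated as one leg of a journey.

```python
import secrets
import sqlite3

def open_db():
    # Stand-in for the company's passenger database (schema is an assumption).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE booking (
        ref TEXT PRIMARY KEY, name TEXT, route TEXT, travel_date TEXT,
        boarded INTEGER NOT NULL DEFAULT 0)""")
    return db

def issue_booking(db, name, route, travel_date):
    """At purchase: store the booking and return the number put in the email."""
    while True:
        ref = f"{secrets.randbelow(10**6):06d}"  # six digits, as in the post
        try:
            with db:
                db.execute("INSERT INTO booking (ref, name, route, travel_date)"
                           " VALUES (?, ?, ?, ?)", (ref, name, route, travel_date))
            return ref
        except sqlite3.IntegrityError:
            continue  # number already issued; draw another

def check_boarding(db, ref, route, travel_date):
    """On the driver's device: returns (ok, passenger name or reason)."""
    row = db.execute("SELECT name, route, travel_date FROM booking WHERE ref = ?",
                     (ref,)).fetchone()
    if row is None:
        return False, "no such booking"
    name, booked_route, booked_date = row
    if (booked_route, booked_date) != (route, travel_date):
        return False, "booking is for a different journey"
    with db:
        # Atomic claim: only one boarding per reference can succeed.
        cur = db.execute("UPDATE booking SET boarded = 1"
                         " WHERE ref = ? AND boarded = 0", (ref,))
    if cur.rowcount != 1:
        return False, "reference already used"
    return True, name  # driver compares this name with the photo ID

if __name__ == "__main__":
    db = open_db()
    ref = issue_booking(db, "Mr Reeves", "Oxford-Heathrow", "2009-06-01")  # constructed
    print(check_boarding(db, ref, "Oxford-Heathrow", "2009-06-01"))
    print(check_boarding(db, ref, "Oxford-Heathrow", "2009-06-01"))
```

A six-digit number is guessable on its own; the check holds because the record lives with the company, is tied to one journey, and returns a name the driver matches against the photo ID.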

At present, the Oxford Bus Company uses the Internet to take your money, but has taken no steps to use the technology to improve either the customer experience or its own SOP. This half-hearted approach only serves to annoy those customers who have had previous dealings with such systems and to introduce opportunities for abuse. The system demonstrates a lack of technical understanding within the Oxford Bus Company and reveals remarkably poor work by either the in-house IT technicians or contracted company employed to produce this service.

IT specialists are specialists, just like bus drivers

This all goes to show that if you're considering implementing IT within your company or organisation, you need to consult a competent IT specialist for the job. I wouldn't tell the bus driver how to drive to Heathrow, or how to park once we got there, but I'd like to think that anyone with even the slightest familiarity with mobile Internet applications could have helped with this one.


Surely you've already been onto the Oxford Bus Company to offer a solution based on the Freerunner?

Posted by Chris Puttick on May 09, 2009 at 06:54 PM BST #

Wow! 9 paragraphs dedicated to that bl**dy bus! It really burnt you, didn't it? :-P

Good to know that the Oxford-London connection is so convenient! Now, will you please forward that superb e-ticket (haha) to me?

Just kidding!
Juan Lucas

Posted by Juan Lucas Domínguez on May 10, 2009 at 12:00 AM BST #

[Trackback] Joseph Reeves has an interesting little story about how a badly designed e-commerce system results in both an obvious security flaw and a missed opportunity for better customer relations over in Oxford. This all started when the bus driver refused to a...

Posted by The Musings of Chris Samuel on May 10, 2009 at 07:24 AM BST #
