In December 2017, the CBI arrested 14 people including one CBI employee for misusing the Tatkal booking through an illicit software. Responding to a question in the Lok Sabha, the government listed down the additional checks put in place to prevent such misuse.

The Central Bureau of Investigation (CBI) registered a case on 25th December 2017, against one Mr. Ajay Garg and 14 others for misusing the Tatkal booking system. Mr. Garg was working as an Assistant Programmer in CBI. Now, the government in its response to a question in the Lok Sabha has acknowledged that many websites were providing illegal software for Tatkal booking and that a request was sent to Ministry of Electronics and Information Technology (MEITY) to block such websites. The government also listed the various additional checks put in place to prevent misuse of the Tatkal booking.

The CBI case

The CBI in its FIR mentioned that Mr. Garg worked with IRCTC earlier and had gained inside knowledge of the technical platform, its functioning and vulnerabilities. It goes onto state that he had developed an illicit software to dupe the Tatkal booking system and had distributed the software to various people across the country.

The software developed by Mr. Garg reduces the time taken to book a ticket by saving all the required details like IRCTC IDs, passenger names, payment methods, class of travel etc. These details are auto filled on the IRCTC portal as soon as the Tatkal booking starts. The software also provided for proxy IP addresses, bypassing CAPTCHA and bank OTP among other things. The CBI FIR also mentions that one Mr. Anil Gupta who distributes the software on behalf of Mr. Garg transfers money to Mr. Garg through bitcoins, hawala etc.

IRCTC introduces further checks to prevent quick data entry

After this incident came to light, IRCTC had introduced the following additional checks to negate quick data entry, as per the response to a question in the Lok Sabha .

• Form-filling Time Check:These checks are to ensure that the time taken in online filling of reservation form by a software is comparable to that of an individual filling the form manually.
  • Standard Form Filling time of passenger details in Passenger Detail Form is set at 25 seconds irrespective of number of passengers
  • Minimum time check of 10 seconds for users to carry out payments
• Restriction on Number of Tickets:There are restrictions on number of tickets that can be booked during Tatkal from a single userid, IP address etc.
  • Only 2 Tatkal tickets can be booked for single user ID from 10am to 12pm
  • Maximum 6 tickets in a month can be booked by a user from one user ID and 12 tickets can be booked by a user in a month if Aadhaar is verified and one of the passengers is Aadhaar verified
  • Only 1 Tatkal ticket in single session is allowed (except for return journey)
  • Only 2 Tatkal tickets per IP address is allowed between 10am and 12pm
  • One user can have only one login session active at one point of time
  • Quick book functionality (single page for booking tickets) is not allowed between 8am and 12pm
  • Only 2 tickets of Opening Advance Reservation Period can be booked by a user between 8am and 10am
  • One user can do only one login at one point of time either from multiple windows of same browser or different browsers
  • Agents are not allowed to book tickets between 8am to 8.30am, 10am to 10.30am and 11am to 11.30am
  • Aadhaar Card is mandatory for Agents registration
• Technical checks to prevent automation softwares have also been implemented as per information provided by the government. These include the following.
  • Minimum input time for CAPTCHA on Passenger Details Page and Payment Page is set to 5 seconds
  • CAPTCHA is provided at Login page, Passenger detail page and Payment page
  • Implementation of Dynamic Field name on Passenger page
  • One Time Password is mandatory for all Banks for Net Banking
  • QR Barcodes are being printed on Electronic Reservation Slip
  • Additional security question related to user personal information like user name, email, mobile number, check box etc. is asked randomly after passenger input page
• Regular security audit by Standardization, Testing and Quality Certification (STQC) of MEITY.

As per the information shared by the government, exception reports are being generated for suspicious IDs, time check violation attempts and for bookings done in first second of opening of Tatkal booking period. The government also mentioned that such user IDs are deactivated manually after analysis.