Schneier on Security
A blog covering security and security technology.
February 12, 2009
Cheating at Disneyworld
Interesting discussion of different ways to cheat and skip the lines at Disney theme parks. Most of the tricks involve their FastPass system for virtual queuing:
Moving toward the truly disingenuous, we've got the "FastPass Switcheroo." To do this, simply get your FastPass like normal for Splash Mountain. You notice that the return time is two hours away, in the afternoon. Wait two hours, then return here and get another set of FP tickets, this time for later in the evening. But at this moment, your first set of FP tickets are active. Use them to get by the FP guard at the front, but when prompted to turn in your tickets at the front of the FP line, hand over the ones for this evening instead. 99.9% of the time, they do not look at these tickets whatsoever in this point in the line; they just add them to the pile in their hand and impatiently gesture you forward. All the examining of the tickets takes place at the start of the line, not the end. Voila, you've cheated the system. After this ride, you can get off and immediately ride again, since you've held on to the afternoon FPs and can use them in the normal fashion now.
Posted on February 12, 2009 at 1:24 PM
• 45 Comments
Great site...if you want to be a criminal. Personally, I can understand that people want to save money and time, but these kinds of things don't just benefit the people that do it - it's at the expense of everyone there.
But, I mean, I'm not going to preach - more than I have to. If people feel this is okay, then that's not up to me to judge.
I quit going to Disneyland because of the fast pass.
Disneyland feels just like any other park now, long roped lines in silly places... only now you have the added insult of having long runs from where the ropes are to the ride.
When I was younger, the lines were as amazing as the rides. I used to marvel at the psychology they would play with me, making me think I'm "almost there" then giving me yet another queue room. To support fast-pass, they had to stop the slow-pass people so far behind that you end up just running through all the cool parts.
As a longtime Disneyland fan, I can verify their claim.
Honestly, though, skipping a line is a mild offense, and the above trick will keep you from getting another FastPass for any ride until the one taken from you would have expired. Well, it would, except that not all of the ride's FastPass machines even talk to each other. Disneyland regulars have figured out which rides are disconnected from the others and can be held at the same time.
FastPass itself is a failure. The idea was to get people shopping while they waited for the time to come up. The FP holder would be encouraged to go into a store rather than go on another ride, as getting in line somewhere else could risk you missing the hour-long window printed on the pass. But they stopped caring about the end time - I have never seen a FastPass refused on that basis, even when it was new - so people stopped fearing that and the whole "make money in stores to offset all this spending" side of it fell through.
They ask in the article whether the Guest Assistance Card is as easy to obtain as the horribly abused Special Assistance Pass, and the answer is no. For a GAC, you at least need to provide proof of earning handicapped parking privileges, and more often need a signed note on your doctor's letterhead. Not that this can't be forged, but it used to be granted upon simple request.
Sommerfeldt - going twice in a row on Splash Mountain in Disney theme parks makes you a *criminal*?
Please, let's stay realistic...
You could also wait by the FastPass kiosk until someone gets one, then beat them with a rubber hose until they give it to you. Voila, you have an extra FastPass.
The switcheroo is just another form of line jumping. Disney has to rely on a certain degree of civil behavior. A FastPass has no more financial value than a place in line. If most people aren't total jerks then the system works well enough, without the cost and friction of computerized enforcement.
I think you misunderstand the purpose of discussing this. It's not something that we're advocating. It's simply an interesting subversion of the system. It's not criminal, but it is wrong to do. It is NOT wrong to discuss, however. Only by watching how people subvert systems can we learn how to better secure them.
This is great if I want to ride the same ride twice in a row...
I don't know the laws in Florida or California, but in Ohio it IS a criminal offense to "line jump", and I would imagine that a court would find this to be line jumping.
So yes, depending on the jurisdiction, this is criminal. (Not that I agree with that.)
When I was at DisneyWorld in Florida three years ago, the system would print a ticket with a black background if your previous FP hadn't expired (even if it was a different ride).
Sadly, I saw a number of people get a "black" FP, then step in line. The park employee didn't even look at the ticket enough to notice the BOLD BLACK INVALID notice on the sticker!
It'd be kind of hard to prove this wasn't a mistake.
The fact is, most people are honest and it's just not worth it to catch the few cheaters. Line-jumping? Going around in a handicapped cart without needing it? A few people do it and the "cost" to the others is minimal.
If your goal is avoiding waits, there's a lot of ways to structure your trip--off-seasons, off-hours, just paying attention to crowds and attentions, that pay off much bigger than a fastpass cheat. Stay flexible, be aware of where the crowds are and why, use the fast pass legitimately and you'll never have to wait *that* long.
Honestly, I can't believe that there are really that many people that would *fake* being handicapped to avoid standing in a longer line!
But, then I also say a little prayer to God when I walk past handicapped parking, thanking him that I am able to walk past them.
But that's just naive little me,
I understand that, but like someone else said up there, a minimum of civil behavior should not be too much to ask.
And no, going twice in a row on Splash Mountain does not make you a criminal, but that kind of behaviour is not really what civil and honest people would condone...
"I can't believe that there are really that many people that would *fake* being handicapped to avoid standing in a longer line!"
It depends on what you mean by "handicapped".
There have been times in my life when due to physical injury I've ended up on crutches. So I was "injured" not officially "handicapped".
Thankfully I have not had to "fake" anything, I've simply asked an appropriate person at places like airports what the arrangements are for a physical injury and I have been treated in the same way as though officially "handicapped" for which I have been extremely grateful.
However now I suffer from trapped nerves in the spine I'm still not officially "handicapped" but there are days when I wished I was as standing on trains and buses is a very very painful experience (sitting is almost as painful but then you are at less risk of further injury).
So yes I can understand why people with bad backs (approx. 25% of middle aged and above) would want to "fake" being officially "handicapped" when faced with standing for prolonged periods.
Then there are those who do it just to gain a queue advantage and for no other reason and to them I say "a pox on your house" 8)
It is not just DL that has these pass systems, most theme parks have a system of one sort or another.
In the UK there is a theme park that has a fast pass system based on a hardware token that you rent for the day. The system has time lock outs and "no multiple queuing" lockouts.
Due to the fact that you are only allowed to rent one token per entry ticket this would appear to stop abuse.
However it does not. As most of the rides are for families then you effectively have groups using each token...
Therefore the obvious dodge for a group is to rent as many tokens as there are members in the group.
However the rental and deposit on each token is quite high and you cannot get two or more tokens on one credit card or in the same transaction.
So it is not a painless dodge, you have to plan a little in advance how to "work the system" and be prepared to pay the price. Having done a mental calculation on cost / benefit and knowing how to plan ahead I don't personally think it's really worth it.
A simple plan which beats most dodges is get to the park early, then once in go to the popular rides that are furthest from the entrance they will have either short or no queues until later...
That being said there is always the "gone to get an ice cream" dodge.
You take along a spare adult who is not that interested in taking the rides. Most of the group go and stand in a short queue whilst the spare adult stands in a long queue. The group finishes the ride, goes and buys "ice cream" and then joins the adult in the long queue, who then goes off to get their "ice cream" but actually goes and joins another queue.
And of course there is the issue of what about large groups with one handicapped person. I have seen groups with obvious "friends" and "hangers on" being given the same benefit as the handicapped person and their carers. The ethics of this are open to debate but it is yet another dodge.
"You take along a spare adult who is not that interested in taking the rides. ... the spare adult stands in a long queue. The [rest of the] group finishes [their] ride, ...then joins the adult in the long queue, who then ... joins another queue."
Spending all weekend standing in lines for unwanted rides - away from family and friends - sounds fun... could I please be somebody's "spare adult?"
All I'm saying is, you're kind of in the wrong place for your complaint. Take it to the people advocating this rude behavior, not the people analyzing it with a mind to security.
Go to Orlando in mid-September to early October. The kids are back in school, it's miserably hot and humid, and it's the height of hurricane season. No lines, no fuss.
Sounds like Ol' Bruce decided to use his brain for creative problem solving while he was standing in line rather than stuffing fried food into his face.
So you can cry and boo the man all you like, or perhaps you could appreciate that he has even bothered to share his non-professional, idiosyncratic brain droppings with us.
Or you can just go sob quietly to yourself in the slow lines.
So me expressing the view here that this behavior isn't acceptable is in the wrong place?
When it comes to analyzing this with a mind to security, I have to say that sneaking past lines at amusement parks isn't really a security issue... In this particular case, I'd say it's a case of such childish behavior that the people responsible for checking the FP's and tickets either don't find it important enough to post more manpower at the lines or think that the added time it takes to check all the tickets thrice isn't adding up when it comes to just getting people in there so they can spend money.
After all, DL or any other amusement park doesn't make money off people while they're stuck in a line.
I would respectfully disagree that this is not really a security issue. The goal in this case (sneaking past the lines) is less important, however the vulnerability discussed is common across a number of different areas. One example that comes to mind is the boarding pass issue that has been highlighted numerous times on this blog.
I do however agree with your risk benefit analysis - fixing the loophole in this case is not worth the effort.
That reminds me to never go to Disneyland again. Spending a whole weekend waiting in lines for a 5-minute ride isn't as interesting as, say, riding some bicycles around.
This reminds me of one of my favourite security theatre hacks.
At one time it was possible to bypass the lines for bag search at Animal Kingdom by passing through the gift shop.
@Muffin and others:
No, queue-jumping etc in Disney amusement parks does not make one a criminal (I assume there isn't a Disney park in Ohio yet).
It just reveals that the queue-jumper is an asshole.
Queue jumping is not just a security issue but a safety one as well due to the "mind set" it engenders in people.
If you see a door, gate or low fence with "staff only", "keep out" or "danger" on it and it looks like it can be used as a short cut to queue jump then some idiot is going to try it and see.
The mindset is only marginally more extreme than the same one people use when they cross roads and railway tracks where they know they shouldn't.
They may be safe they may not but it gets them into the mind set of taking unknown risks for marginal benefit.
And as we know from accident statistics sometimes the unknown risks are death.
But as a general note any system that has exceptions will end up being exploited by people with this mind set.
Likewise any system involving humans with varying degrees of knowledge of the system will be worked by those with knowledge (it's one way of defining a "market").
The difference is one of mentality and outlook on life, those who plan ahead do not need to exploit the system by "cheating" to gain advantage.
Those who do cheat get seen and unfortunately encourage other "me first" people to do likewise, although they would think otherwise they are usually neither smart nor clever.
The result is that when people break the rules new systems are introduced. Invariably these systems have costs which reflect back on entry costs etc...
Worse they get into a cheating mind set which they carry forward into the rest of their lives. Sometimes this less than ethical "me first" behaviour starts to become a "rules are for wimps" or "mine for the taking" attitude, which often gives rise to illegal activity albeit petty. But in some cases this develops into less petty criminal activity.
And as we have found out with the banks and the credit crunch the "me first" and "rules are for wimps" / "mine for the taking" attitude can have significant undesirable effects for the rest of society.
Oh and arguably for National Security as well...
@ Fifth Wheel,
"Spending all weekend standing in lines for unwanted rides - away from family and friends - sounds fun... could I please be somebody's "spare adult"?"
Something tells me you don't have children of a certain age (lucky you 8)
If you look around amusement parks most parents are not there for their own amusement and they are most certainly not having the sort of "fun" they would prefer.
Oh and parents can take turns at being the "spare adult" just to get the chance of being alone / less stressed for a short while ;)
I have this sneaky suspicion that "shopping" is a self defence exercise. Apparently it is hated by children and men but loved by women and is often used as a social activity when children are not there...
You get screwed twice. But some people still don't learn. That is why it's OK.
@ David M,
"Sounds like Ol' Bruce decided to use his brain for creative problem solving while he was standing in line rather than stuffing fried food into his face."
I suspect that "Ol' Bruce" spends very little of his limited spare time stuffing fried (fast) food into his face...
Now if it was calamari in a new and exciting eatery then you can be almost certain he is working on another column for a newspaper in his second job as a critic of fine eateries...
Speaking of which have you come across any eateries in London you'd care to eat in on a regular basis and take people to?
Irrelevant here, but it's also interesting to consider the economics of theme parks.
At a regular fair, you pay for every ride. Along comes a theme park with many exciting rides and the promise that you pay only once but can ride as often as you want to.
But then the theme parks can't afford to have you ride as often as you want to, so they limit their capacity and make you stand in line.
Still, most people think that they got a good deal, but at the end of the day, paying $10 for individual rides at the fair would have been cheaper.
You can talk about how this behavior isn't acceptable, but this fact is so completely obvious that your criticism comes across as being directed at *us*, as though we implicitly approve of it because we're discussing it. If that's not how it's meant to sound then I apologize for the misunderstanding. But we discuss a lot of bad stuff on here and nobody feels a need to come out and say how bad it is to blow people up or steal millions of dollars, because we all know already.
My experience with Disney World (specifically Epcot) was very different when I went in lines normally versus when I went on lines with someone in a wheelchair.
Look...I don't know why you think I'm speaking directly to you, and perhaps that's something we shouldn't delve into any more either...
But you have to stop talking like that. Who is *us*? I've been in security for 10 years, both as a supervisor and area manager, I've led seaport and airport security operations, been directly responsible for 1,400 guards and technicians, so I think I'm pretty qualified to be included in the discussion.
As it were, my meaning, since it apparently needs clarification, was that the type of behavior that we are discussing is unacceptable, and that people employing these "tricks" are displaying a lack of civility that I think we can agree is not very flattering.
Like I said earlier, the fact that people feel it's a worthwhile hobby to think up ways to sneak in lines at amusement parks isn't really a security issue as far as I can see. The time and effort it takes to thwart these schemes isn't worth it, and as far as victims go, the only ones are the fellow park visitors and common courtesy.
Yes, "we" discuss a lot of "bad stuff" on here - believe it or not, I've followed both this blog and Schneier's site for quite a long time - and even though no one feels the need to come out and say how bad it is to blow people up or steal millions of dollars, I don't think people *usually* make websites about that either that get links from security blogs.
So maybe there *is* a need to come out and say that maybe that kind of behavior isn't all that acceptable.
When I visited Disneyworld in October 01, the FastPass machines had a small button in the back of them that would allow multiple passes to come out. You could print 5 or 6, wait the hour and then ride the ride multiple times in a row. Less than half of the FastPass machines allowed for this, and no one seemed to be suspicious of a few teenagers going on the rides so frequently one after another.
Sommerfeldt: Sorry, but all your experience apparently did not prevent you from failing to understand the true meaning of "security". The issues discussed here are security issues, and the security here is that of the underlying system. Not more but not less. Discussing how people cheat a system is always interesting because often such knowledge can be applied/transfered to other systems (also ones you would acknowledge as being security relevant).
"Sorry", but I think you're confusing "security" and "integrity". We can discuss the integrity of the FP system and similar ticketing systems, and I can whine about how I think it's unacceptable that people think up ways to compromise that system, resulting in me spending much more time in line.
Or we can discuss security. Like I said, I can't really see what the security issue is, unless you count nuisance...and I don't.
A ticketing system, as this is, is designed to ensure that the provider of a service has been paid. It doesn't matter to an amusement park or whatever other venue that you sneak past their queue plan - what matters is getting you in, so you can either;
- spend more money
- be done and get out so someone else can spend their money to get in.
This most certainly is a security issue of the Disney Fast-Pass system. The post is about a method to subvert the intended use of the system.
...and for the record, the Fast-Pass system isn't really a "ticketing" system in the sense of ensuring riders have paid. There is no payment for the ride, or the fast-pass... The only payment is the entrance fee to the entire park.
I think Security is very necessary in Disney Theme park. I am very glad for your article.
I went to Disneyworld in Florida when I was 4 back in '89. One day they were out of strollers so they gave us a wheelchair for myself. Everyone just assumed I was handicapped and let my whole family bypass all the lines... In hindsight my parents' behavior was pretty embarrassing but hey it was pretty nice to not have to wait in line.
My son is type 1 diabetic and qualifies for the GAC. The GAC doesn't give you the right to cut the line. It is there to help. For example children with diabetes require snacks, drinks, constant glucose monitoring especially in a heat so the pass helps them to get in and out of line without losing their spot. We did wait less than we would in a regular line-up, but that is up to the discretion of the attendants. Some were nicer than others. Also if we didn't have the GAC we would never be able to see and do everything our son wanted because it is very time consuming to take care of D-child and all the necessities that come with it (or any other disabled child for that matter).
I did see a family that had a father in a wheelchair (he didn't go on any rides just stayed at the restaurant) and gave his GAC to his 4 preteen boys who totally abused it. The rules state that the person and up to 4 or 5 members in his party are allowed to use the special entrance as long as the handicapped person is on the ride as well.
I work at DL and I must say while you may be correct about the fastpass system having some loopholes, the disabled pass is an official document that is only handed to those who can show documented proof of a physical disability. As of March 20, 2009, new rules have been established at all Disney parks. You must bring a physician's note not less than 10 days old in order to be issued a pass. Anyone who is "obviously disabled" is not granted a pass. DL has employed 4 registered nurses who make the final determination and they are instructed to err on the side of NOT granting the pass to someone who is not "Obviously Disabled" due to several complaints from disabled advocate groups that the disabled access points were being crowded with people who didn't belong there.
Sorry...I meant to say Anyone who is NOT "Obviously Disabled" is not granted a pass.
so, for someone like me that has a 'non-obvious' ailment that causes my heart to stop and fainting in extended periods of hot/sunny weather [severe dehydration] [from standing in long line outside or in non-shaded areas in this case] causing possible fainting spells that is documented by my electrophysiologist is not considered as an ailment?
I have just one question. Regardless whether or not Disney set up fast pass, it is butting in line. Were you taught or do you teach your children butting in line is acceptable? I believe the theme parks are sending the wrong message to our children. And it's too bad, these are great places in general.
As a late follow up to JOJO...'s post. It is against the ADA laws to ask or require proof of one's disability. So apple you do NOT have to have a doctor's note or any "proof" of disability. We get a GAC every time we go (twice since March of 2009) and never have we had to provide proof. Our son is not "obviously disabled" and would not be able to enjoy the parks if not for his GAC. I also contacted a CM that has worked with Disney for 15 years (supervisor position in guest relations inside of the parks) and he said he has never heard any new rules.
I love finding ways to cheat the system. If you aren't cheating then you're not trying, screw these other wimps!! LOLOL
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.