posted by Fnord666 on Friday August 09 2019, @11:49AM
from the miscreants-at-work dept.

Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day.

The UK capital's transport authority has blamed the intrusions on passengers who have used email address and password combinations for their Oyster accounts that were also used for one or more hacked websites: criminals who have nicked login details from other sites can use that information to get into the Oyster accounts of people who reuse the same usernames and passwords everywhere. This technique is known as credential stuffing.

A TfL spokesperson told us: "We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites. No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place."
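
An added example, not part of The Register's report or of any TfL system: one way a site operator could spot the pattern described above in its own login logs. Credential stuffing tries each stolen pair once across many accounts, so a source shows many distinct accounts, about one attempt per account, and mostly failures. The log format, the thresholds and the find_stuffing name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not TfL data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-08-07T10:00:01 203.0.113.7 alice@example.com FAIL
2019-08-07T10:00:02 203.0.113.7 bob@example.com FAIL
2019-08-07T10:00:03 203.0.113.7 carol@example.com OK
2019-08-07T10:00:04 203.0.113.7 dave@example.com FAIL
2019-08-07T10:00:05 203.0.113.7 erin@example.com FAIL
2019-08-07T10:00:06 203.0.113.7 frank@example.com FAIL
2019-08-07T10:01:10 198.51.100.20 grace@example.com FAIL
2019-08-07T10:01:20 198.51.100.20 grace@example.com FAIL
2019-08-07T10:01:30 198.51.100.20 grace@example.com FAIL
2019-08-07T10:01:40 198.51.100.20 grace@example.com OK
2019-08-07T10:02:00 192.0.2.50 heidi@example.com OK
2019-08-07T10:02:30 192.0.2.50 ivan@example.com OK
2019-08-07T10:03:00 192.0.2.50 judy@example.com FAIL
2019-08-07T10:03:05 192.0.2.50 judy@example.com OK
2019-08-07T10:04:00 192.0.2.50 mallory@example.com OK
2019-08-07T10:05:00 192.0.2.50 niaj@example.com OK
"""

def find_stuffing(log_text, window_min=10, min_accounts=5,
                  max_tries=1.5, min_fail_ratio=0.5):
    """Return {(ip, window_start): stats} for sources that look like stuffing."""
    buckets = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                   "fails": 0, "ok": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        ts, ip, account, result = parts
        t = datetime.fromisoformat(ts)
        start = t.replace(minute=t.minute - t.minute % window_min, second=0)
        b = buckets[(ip, start)]
        b["accounts"].add(account.lower())
        b["attempts"] += 1
        if result == "OK":
            b["ok"].add(account.lower())
        else:
            b["fails"] += 1
    flagged = {}
    for key, b in buckets.items():
        n, ratio = len(b["accounts"]), b["fails"] / b["attempts"]
        # Many accounts, about one try each, mostly failing.
        if n >= min_accounts and b["attempts"] / n <= max_tries and ratio >= min_fail_ratio:
            flagged[key] = {"accounts": n, "fail_ratio": round(ratio, 2),
                            "reset": sorted(b["ok"])}
    return flagged

print(find_stuffing(SAMPLE_LOG))
```

A shared office address (192.0.2.50 in the sample) also touches many accounts but mostly succeeds, so the failure ratio keeps it out. Accounts listed under "reset" logged in from a flagged source and are candidates for a forced password reset.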


  • (Score: 2) by The Mighty Buzzard on Friday August 09 2019, @02:30PM (9 children)

    Makes me want to go out right now and sign up for lots of things on the Internet with a debit card tied to my bank account!

    Seriously though, when will people learn not to trust random sites to store sensitive financial data? I've coded billing systems since the late 90s (without a single financial mishap) and there's no way in hell I'd ever use anything but a prepaid debit card even on extremely trustworthy sites. Even if everything I write is mathematical proof perfect, that doesn't mean any libraries I use, the database they're stored in, the webserver I'm connecting to, or my browser are. That's without even considering Spectre, IME, and the like on the hardware end of my box and their servers.

    --
    My rights don't end where your fear begins.
  • (Score: 1, Insightful) by Anonymous Coward on Friday August 09 2019, @02:49PM (1 child)

    I don't duplicate credentials, but I would not use anything but a credit card. It won't be my money at risk.

    • (Score: 2) by The Mighty Buzzard on Friday August 09 2019, @03:53PM

      Prepaid debit doesn't even have that much worry. Fill it with exactly what you plan on spending, use it, throw it away, and get your hakuna matata on. Hell, there are even banks that offer one-time numbers with a fixed amount chargeable for exactly that purpose if you don't want to have to hit WalMart.

      --
      My rights don't end where your fear begins.
  • (Score: 2) by All Your Lawn Are Belong To Us on Friday August 09 2019, @07:00PM (3 children)

    When other methods become as easy? If one is using the Oyster system one might not be broke, public transit being what it is in England as opposed to America. But I'm sure there are plenty of low-paid high-hours people who must use public transit and probably find it the most convenient way to deal with the need to have one for transit. Buses don't accept cash. And there may be lots of other ways to purchase credit for an Oyster card, but again one might be dealing with a significant subset of people for whom the other accesses don't work for a variety of reasons.

    Why trust the card reader at the gas pump? It may have a skimmer on it.

    And assuming it is caught quickly and as someone else noted, what is the customer out besides time? It's not like they'll be held liable for the vendor's screwup. Saved a few dozen hours on the front end, what's ten on the back end dealing with the fall-out?

    --
    This sig for rent.
  • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @10:02AM (2 children)

    Many places won't accept pre-paid cards.
    Some demand home address and date of birth. For a credit card transaction.

    • (Score: 2) by The Mighty Buzzard on Saturday August 10 2019, @10:49AM (1 child)

      Most prepaid cards I've used will return anything the processors query as address/dob/etc as valid.

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Saturday August 10 2019, @01:13PM

        Yep. Fundamentally these cards are all the same as debit cards issued by a bank. The bank that issues them is just some subsidiary in the middle of nowhere charging $5 for the card (and $3-5 every time you refill) and scraping up the leftover few cents when you stop using it.