Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale
About your data breach the other day, lads...
Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read.
London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard.
He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password.
"I was in utter disbelief," Fresta told El Reg, having just read about Oyster online accounts being breached by credential-stuffing crooks. "Having worked on a number of web apps, I know storing passwords in clear text is, for lack of a better word, a ginormous no-no."
[Image: the Arriva Rail London form handed to Fresta. ARL is the outsourced operator for TfL's London Overground services.]
To rule out a local misunderstanding by station staff, Fresta tried the same request at other stations – and was again asked to write down his password in plain text for staff to read.
TfL did not deny that this is its standard procedure for staff adding discounts to Oyster cards, but insisted in a statement to The Register that it doesn't store those passwords and lets customers take the completed form away afterwards.
A spokeswoman told us: "Customers can add discounts to their Oyster cards at all station ticket machines and our staff are on hand to support them with this process. If a customer prefers to do this via a ticket office rather than a machine, then a password is temporarily provided to the ticket office staff via a form.
"The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options."
Fresta was not impressed with TfL's customer service, telling us he wasn't given "any explanation as to how the information [would] be handled or why".
National Rail tickets are paper-based, with a magnetic stripe as local storage, whereas TfL's Oyster card is NFC-based with a proper database behind it. The two systems don't talk to each other, so humans have to manually enter things like discounts that can be used on both. Public transport users in the southeast of Britain will be aware that discounts like a Two Together Railcard can be applied to Oyster fares. If you know how to navigate the arcane National Rail ticket system and precisely what to ask ticket clerks to sell you, train journeys entering or leaving the capital's Oyster fare zones can be discounted quite significantly too, in some cases halving the price of an Anytime fare to some non-London destinations.
None of this, of course, helps one's security – particularly when TfL asks you to write down your password. As ever, the standard advice is never to reuse password credentials across different sites or providers. We might add to that: as soon as you've written it down for ticket office clerks to read, change your password. ®