Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale

Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read. London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work …

  1. RichardB

    Add a discount using -your- password?

    Sounds like maybe there's a backdoor for adding it yourself?

    1. Warm Braw Silver badge

      Re: Add a discount using -your- password?

      I added a railcard to my non-registered oyster PAYG card (therefore no password) at a TfL ticket window (some still exist): they just needed the two cards.

      I presume this is because the network rail staff don't have access to the Oyster systems so there is some workaround - it does sound like a backdoor may be possible...

  2. mscha

    Aside from the security issues, it is also quite a usability issue if you use a password manager and a generated password like $7iwz1bo9Rmw@6U7...

    1. wyatt

      Definitely! I don't know most of my passwords and certainly couldn't access them on demand like this. Plus you'd be wondering what sort of scam the TFL people were running to be asking for this info straight away...

      1. Dan 55 Silver badge

        It's probably some cack-handed way of trying to prevent scams, because TfL couldn't come up with another way of stopping staff applying discounts to whatever Oyster account they wanted.

        Presumably installing a card reader at the ticket office window for the passenger to use would require money and there's not too much of that around lately. At least not in the right places.

    2. big_D Silver badge

      It is a password field, just fill it in with asterisks.

    3. JohnFen Silver badge

      I use long, randomly generated passwords. If I had to do something like this (and it would have to be a great discount for me to even consider it!), I'd change the password prior to the transaction to something like "P@ssw0rd", do the transaction, then change it back afterwards.

  3. This post has been deleted by its author

  4. Blockchain commentard

    And to improve the customer service, please give your bank details and PIN.

    1. Kane Silver badge
      Trollface

      We'll also need those three little digits on the backs of all your cards.

      1. Tigra 07 Silver badge
        Trollface

        RE: Kane

        And your mother's maiden name...For marketing of course...

    2. Tigra 07 Silver badge
      Facepalm

      RE: Blockchain Commentard

      Someone posted a Twitter thread over the weekend showing that Virgin Media can send you a copy of your forgotten password on a letter in the post...When questioned how this was secure, that they store passwords in clear text, they stated that since it is a crime to open someone else's post this is secure.

      --Exploding head emoji

      1. 0laf Silver badge
        FAIL

        Re: RE: Blockchain Commentard

        Yes I've also read (here I think) that Virgin ask for full passwords when you request support

        1. krivine
          WTF?

          Re: RE: Blockchain Commentard

          I've left Virgin Media. While with them, my frequent complaint was that if they rang me, their second question was to ask me to prove who I was.

          1. Tigra 07 Silver badge
            Pint

            Re: RE: Blockchain Commentard

            Can't you just ask them to prove that you're not who you claim to be?

          2. TeeCee Gold badge
            Coat

            Re: RE: Blockchain Commentard

            Why? Who were you?

      2. Anonymous Coward

        Re: RE: Blockchain Commentard

        Can we get the link to the actual thread, please?

        Because, well, not to say I don't trust fully every and each comment on ElReg, but that's "somebody said something about someone", aka hearsay. Which is plenty on the web, and however satisfying to read, isn't evidence.

        1. IGotOut Silver badge

          Re: RE: Blockchain Commentard

          You're new here aren't you?

        2. MrKrotos

          Re: RE: Blockchain Commentard

          Sure, if you could just give me your password I would be happy to help :P

        3. Tigra 07 Silver badge
          Facepalm

          Re: RE: Blockchain Commentard

          It was actually easier to find than I expected.

          Here:

          https://twitter.com/virginmedia/status/1162756227132198914

  5. Gonzo wizard Bronze badge
    FAIL

    Not even new

    I remember when my oyster card broke being asked to supply my password, back in 2012. I was stunned then, I'm even more stunned now. Almost as stunned as when my domain reseller asked me to email in part of my password to 'prove who I am' last week...

  6. Test Man

    Poor, poor, poor, POOR.

    The normal way is for staff to have special access to the database that the Oystercard data sits on (with specific "admin" logins) that let them add it to customer accounts, with every transaction logged against the staff account.

    Of course, this sounds too much like work for the likes of TfL.

    1. Psmo Silver badge

      Smells like a work-around

      Smells like a management-mandated procedural fix to allow production deployment that became accepted practice.

      Despite the issues being obvious (allows shoulder-surfing, discouraging password managers), unless they are challenged on this by someone with weight nothing will change.

      I assume their admin interface and/or access control is broken and would cost Money to fix.

      1. Doctor Syntax Silver badge

        Re: Smells like a work-around

        "I assume their admin interface and/or access control is broken"

        You also presume it exists.

        1. Psmo Silver badge

          Re: Smells like a work-around

          You also presume it exists.

          Access control of a sort exists, as each user isn't seeing the other users' data.

          Maybe there's only one type of admin access (or one admin account, as mentioned elsewhere), which they don't want to give to their subcontracted support staff.

          A quick form sending a REST or batch load request is traditional for this sort of problem. Ho hum.

    2. Drew Scriver Silver badge

      Uh oh. Let's hope they don't read your suggestion. More likely than not they'll use a single admin account. But not to worry, they'll probably use l33t to make it secure.

      admin

      p@ssword123

      In six months El Reg will have another article on TfL along those lines, I'm afraid.

      With a reply from the company like, "You NEVER say anything good about us. We even followed the advice from one of your experts that we found below the article back in August, and you're STILL on our case!"

  7. NonSSL-Login

    Badly designed system

    Obviously not a well thought out system!

    The article mentions you can put a Two together discount on the Oyster card which intrigued me but checking their official site (twotogether-railcard.co.uk) it says you cannot use this discount for London Oyster fares in London, which I thought was the only place Oyster cards worked?

    --------------

    Your Two Together Railcard discount WON'T apply to:

    Season tickets, including Travelcard Season tickets

    Oyster pay as you go fares in London

    Eurostar tickets

    Tickets for special excursions or Charter trains and some coach/bus links, including Railair services

    Rail/sea journeys to Calais, Ireland, Northern Ireland and the Isle of Man

    Most London Underground and Docklands Light Railway tickets

    1. Flicker

      Re: Badly designed system

      Two Together is one of the few (the only??) railcards which can't be added to an Oyster to apply off-peak discounts to Oyster fares - logical when you think about it as there's no obvious way to check the conditions are met by two linked people travelling at the same time.

      Was a bit surprised by this story, as I've been getting TfL (LUL) staff to apply my annual Senior Railcard discount onto my (registered) Oyster for several years and never once been asked for a password or handed a form - they do it at any station Oyster Top-Up kiosk and it takes less than 30 seconds. Maybe the Overground / Arriva kiosks operate differently to the Underground ones, or maybe it's the (completely barmy..) process when trying to apply the discount to a new or unregistered Oyster card?

      Adding National Railcard discounts to an Oyster is very badly publicised but absolutely worth doing - you get 1/3 off the off-peak PAYG rail (not bus) fares on all of the TfL / National Rail systems in the Oyster area AND 1/3 off the daily off-peak cap.

      NB - not a London resident so can't get a Freedom Pass :-(

      </TfL Fares nerd mode>

      1. 2+2=5 Silver badge
        Pint

        Re: Badly designed system

        > </TfL Fares nerd mode>

        Everyone needs a hobby!

      2. Kientha

        Re: Badly designed system

        It's the process when you go to a ticket office rather than at an underground top up point. They don't have direct access to the Oyster system as it's managed by TfL so their work around requires a password because they need to log in to the TfL account or create a new TfL account as a part of the process. All the guidance on how to apply the discount to your Oyster says to go to a person at an underground station which doesn't require the password.

  8. big_D Silver badge
    Facepalm

    OmfG, how broken?

    Have TfL never heard of customer support / admin accounts?

    1. Yet Another Anonymous coward Silver badge

      Re: OmfG, how broken?

      So security would be improved by giving 10,000 ticket office staff admin access to everyone's card?

      Especially since the admin password would be written on a post-it note on the screen.

      This is almost a better solution

      1. big_D Silver badge

        Re: OmfG, how broken?

        Authorized users get access to perform certain admin tasks on accounts. That is the way it usually works.

        Certainly better than asking users for their passwords.

        1. Psmo Silver badge

          Re: OmfG, how broken?

          Or you provide card readers to the ticket desk.

          No card, no access to data or the modification interface for limiting fraud and unauthorised access.

    2. EnviableOne Silver badge

      Re: OmfG, how broken?

      ofc not, Crapita run their IT
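The delegated-admin model that Test Man describes in comment 6 and that big_D and Psmo argue for in comment 8 (named staff accounts, an action permitted only for the right role and only while the card is physically presented, every change logged against the staff member, and the customer's password never involved) can be sketched as follows. This is an added illustration, not TfL's code; the role names, exception types and audit record format are assumptions.

```python
"""Delegated discount application with per-staff audit (illustrative sketch)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role model: which operations each staff role may perform.
ROLE_PERMISSIONS = {
    "ticket_office": {"apply_discount"},
    "call_centre": set(),  # may look things up, may not modify
    "oyster_admin": {"apply_discount", "remove_discount"},
}


@dataclass
class StaffSession:
    """An authenticated member of staff; their own login, not the customer's."""
    staff_id: str
    role: str


@dataclass
class CardRecord:
    card_id: str
    discounts: set[str] = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    staff_id: str
    action: str
    card_id: str
    detail: str


class NotAuthorised(Exception):
    pass


class CardNotPresented(Exception):
    pass


class OysterBackOffice:
    """Toy back office: cards, a desk card reader, and an append-only audit log."""

    def __init__(self) -> None:
        self.cards: dict[str, CardRecord] = {}
        self.audit: list[AuditEvent] = []
        self.presented: set[str] = set()  # cards currently tapped on the desk reader

    def register_card(self, card_id: str) -> None:
        self.cards[card_id] = CardRecord(card_id)

    def card_tapped(self, card_id: str) -> None:
        self.presented.add(card_id)

    def card_removed(self, card_id: str) -> None:
        self.presented.discard(card_id)

    def _log(self, session: StaffSession, action: str, card_id: str, detail: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                     session.staff_id, action, card_id, detail))

    def apply_discount(self, session: StaffSession, card_id: str, railcard: str) -> CardRecord:
        # 1. Staff role must allow the operation; refusals are logged too.
        if "apply_discount" not in ROLE_PERMISSIONS.get(session.role, set()):
            self._log(session, "apply_discount.denied", card_id, railcard)
            raise NotAuthorised(f"{session.staff_id} ({session.role}) may not apply discounts")
        # 2. The card itself must be on the reader: no card, no modification.
        if card_id not in self.presented:
            self._log(session, "apply_discount.no_card", card_id, railcard)
            raise CardNotPresented(f"card {card_id} not presented at this desk")
        card = self.cards[card_id]
        card.discounts.add(railcard)
        # 3. The change is attributed to the staff account, never to a customer password.
        self._log(session, "apply_discount", card_id, railcard)
        return card
```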

  9. Korev Silver badge

    Phone-based tickets

    National Rail tickets are paper-based with a magnetic stripe as local storage

    You can finally buy tickets using apps (although not National Rail's).

    Infuriatingly Great Western's app makes you enter your credit card details in for each transaction; this is more secure than storing the details I guess, but having to get a card out in public as you enter all the digits again is just asking for someone to snatch the card and/or phone...

    1. Happy_Jack

      Re: Phone-based tickets

      Dashlane can enter your card details into most browsers and other apps for you, then you just need to enter your fingerprint. I don't know if other password managers can do the same? Obviously you need to trust your password manager app, but it's probably safer than waving your card round in public.

    2. batfink Silver badge

      Re: Phone-based tickets

      Er - memorise the thing so you don't have to wave your card around in public?

      I worked out some while ago that the first two quartets of my credit card numbers are always the same (or number+1) whenever the card is replaced. So, that means I only need to remember the second two quartets whenever I get a new card.

      Or maybe it's just the muscle memory from typing it into too many forms.

      1. Cederic Silver badge

        Re: Phone-based tickets

        Muscle memory does the trick for me.

        I have no idea what my debit card number is as I never enter that through a keyboard. Credit card number is hard to remember but easy to type without looking.

  10. Will Godfrey Silver badge
    FAIL

    I've got a little list

    (and they'll none of them be missed)

    I've long held the people behind TfL in utter contempt. I can't think of a single thing they've done that shows the remotest sign of intelligent planning.

    1. Flicker

      Re: I've got a little list

      "... I can't think of a single thing they've done that shows the remotest sign of intelligent planning..."

      Well you've obviously never lived in a major UK city outside London then. Compared to the near-total fustercluck of other urban transport provision, mainly instigated by Nick Ridley's disastrous policy of bus deregulation, transport planning and innovation in London is pretty much a model of how things ought to work. TfL's introduction of the whole zonal / smartcard consistent fares system (along with Hong Kong) is a structure now being copied across the world, their retention of control over the bus network (in the teeth of opposition from Ridley and the Treasury) saved the whole thing from certain meltdown and the creation of the Overground network from the ashes of some near-defunct suburban lines has transformed public transport in swathes of outer London.

      They're certainly not perfect - Crossrail overspend, recent bus network cutbacks come to mind - but many of the problems have come from ill-advised political interference and grandstanding (Boris Routemasters, crazy no-fares-increase promise from Khan at a time when the central Government subsidy was being withdrawn, deep-seated mutual hatred and rivalry between Khan and Failing Grayling).

      I'm seldom a fan of public bodies but TfL are, overall, one of the better ones and it seems highly likely that much of their thinking on contract structure and overall control of strategic planning will and should find its way into the Williams review of national rail provision.

      (disclaimer - I've never worked for TfL, just willing to recognise a rare example of an organisation which gets more right than wrong)

      1. Will Godfrey Silver badge

        Re: I've got a little list

        The others being even more crap doesn't make TfL look any better. Besides, I've not yet heard about any of them pulling a stunt like this.

      2. david 12

        Re: I've got a little list

        "TfL's introduction of the whole zonal / smartcard consistent fares system (along with Hong Kong) is a structure now being copied across the world"

        Including Melb.Aus, where it was used to protect the jobs of tram conductors and station staff, replacing a whole-of-city travelcard that threatened to, and was intended to, make them all redundant.

        The zonal fares system copied from London also shifted the power from the sub-urban private bus operators, who were collecting the cash for the whole-of-city fares, to the transport unions of the government-operated urban hub.

      3. Cederic Silver badge

        Re: I've got a little list

        Given the public spending on transport infrastructure in London - multiples per head of anywhere else - and the cost of travel within London despite that, and despite the economies of scale available to them, I think TfL are borderline criminally incompetent.

        Seldom seen so continuous and excessive a waste of money.

  11. Anonymous Coward

    I commute into London from outside the Oyster zone which is great as far as I'm concerned as I can still get good old-fashioned cardboard weekly season tickets. Wouldn't touch Oyster with a bargepole. Apart from all the security and privacy aspects I've heard too many horror stories of people getting billed huge amounts for a three hop tube trip because it didn't beep at them at the other end or somesuch, leaving the metaphorical meter running.

  12. Anonymous Coward

    Mad

    "The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options."

    What good does it do, "entered in the presence of the customer and the form is returned" ???? It's still compromised, which a password should never be.

    Process improved? Yes, morons, hand over the keyboard to the customer, like in every cash machine! They're really tools, those ones!

    1. Timo

      Re: Mad

      Does "disposed of securely" include dropping the paper into the bin next to the desk? If that is true there may be a goldmine of accounts right there.

    2. Doctor Syntax Silver badge

      Re: Mad

      "We recognise that where possible this process could be improved and work is under way to identify options."

      The proper way of doing things is to get all the technical underpinning in place before launching the service. Could marketing have been involved in this?

  13. Anonymous South African Coward Silver badge

    an oyster rich for the taking? (can't remember how that saying goes, I may have got it mixed up, oops) :)

    1. ArrZarr
      Coat

      The world is your mollusc, as they say.

  14. Muscleguy Silver badge

    Thank goodness I hardly ever go to London despite being in possession of an Oyster card. Do they expire after not being used for a couple of years?

    One of the advantages of living in Dundee is that London is not a common destination of choice. We do have flights from our little airport to London City Airport. But they are expensive and it's only a little turboprop job. Sure I can get on a train to London, though the train I got on to come back last time terminated in Edinburgh meaning I had to walk across the platform at Waverley and get on a local train for local people to Dundee.

    My old boss used to take the sleeper the night before for meetings in London, coming back the next night. Though there have been big problems with the new sleeper trains I understand. I would also still need a reason to go and the funds; long-distance train travel, even booked well in advance, is not cheap.

    1. Cederic Silver badge

      Mine is over a decade old and has worked successfully after a period of 5-6 years without use.

      It's also not attached to an account.

  15. Anonymous Coward

    TfL and WiFi

    https://tfl.gov.uk/corporate/privacy-and-cookies/wi-fi-data-collection

    "Wi-Fi connection data can provide us with a far better understanding of how customers move through stations. It is not used to identify specific individuals or monitor browsing activity. ... We are putting up signs at every station explaining the Wi-Fi data collection that is taking place and how to opt-out."

    "However, if you would like to opt-out, you can do this by turning off Wi-Fi on your device, turning your device off or putting your device into airplane mode while at our stations."

    1. whitepines Silver badge
      Big Brother

      Re: TfL and WiFi

      Glimpse of the future?

      "Windows 10 may collect your Personal Data for any reason at any time. If you would like to opt out, simply stop using Windows 10 and any applications that rely on it, turn off your computer, or put your computer into the nearest recycling station."

      With Windows S and especially that locked down ARM version of Windows, the first and last options were (are?) rather synonymous...

  16. DasWezel
    Facepalm

    Thanks, TfL

    All those hours put in to training users to use passwords that aren't totally shit, to not use [pet][1..10], to not write it down, to not give it to anyone, to definitely not give it to IT, and you just give them a gods damned form demanding it.

    Fuckin' thanks, you absolute shower of bastards.

  17. Anonymous Coward

    normal?

    Is this normal UK security?

  18. Anonymous Coward

    It's worse than that ;)

    I did a small contract for TFL a while back, can't say too much as that would give me away, but imagine my surprise while looking through their data to see people's full names, addresses, credit card numbers and 3-digit CVV codes stored in plain text for any operator to see, and let's not even get into the tracking info the Oyster card gives them and the fact they store it.

    1. John G Imrie

      Re: It's worse than that ;)

      I believe that storing the cvv code is against the credit/debit card operators terms and conditions and can lead to the revocation of the license to take card payments. You should report this.

  19. Jan 0 Silver badge

    Insecurity

    It's horribly insecure, but is this any worse than a card telephone transaction, where the underpaid sales person carefully makes a personal copy of your name, address, card number, expiry date and PIN to sell down the pub later?

  20. chas49

    Discounts outside Oyster zone?

    "If you know how to navigate the arcane National Rail ticket system and precisely what to ask ticket clerks to sell you, train journeys entering or leaving the capital's Oyster fare zones can be discounted quite significantly too; in some cases halving the price of an Anytime fare to some non-London destinations."

    So what is the secret please?

    1. This post has been deleted by its author

    2. This post has been deleted by its author

  21. Flicker

    The Secret Industry Code (cf. Flight of the Conchords) is a "Boundary Zone Fare" which can be used in conjunction with a Z1-6 Travelcard, Freedom Pass or (arguably...) PAYG cap between a station outside the Oyster Z6 area and anywhere within the area. They're not advertised or available online and can only be bought from NR Ticket Offices and certain, seemingly random Ticket Vending Machines. Sample discussion from a quick online search is here:

    https://www.railforums.co.uk/threads/boundary-zone-tickets.166875/

    They're a bit like Split Ticketing, with the important difference that the train does NOT need to stop at the station on the Z6 Boundary to be valid.

  22. Geoff Heaton
    FAIL

    How about ...

    The form is not fit for purpose.

    "Customers must complete all fields. Write in capitals in each box"

    So if I have lower case letters in my password, what do I do?

    1. Drew Scriver Silver badge

      Re: How about ...

      Oh man - I would give your post ten upvotes if I could!

      BTW, the form states at the bottom that you can create an Oyster account at tfl.gov.uk/oyster. However, that's just a blank page... Proper 200 OK (HTTPS), cached by CloudFlare. Content length of 20.

  23. Robert Carnegie Silver badge

    This may have been said

    My interpretation of the form is that if you haven't created a web access account at tfl.etc then you need to (1) create a password on this form and then (2) use that password to create your web account, or you won't be able to. In other words, this process and the web account process need to hash (let's hope) the same password. But still... it's not good.

    What you might do before submitting the form is change your actual password to "temporarily somer andom texts" (for example) and write that on the form, then change it back after the transaction. Or just "gosh this is stupid 34345687".

    In other news, office penetration testers got my password, but apparently mine is the only one got that wasn't on the lines of "letmein123". It was more like "Zvchwk43" with each letter or number random of its kind, but cased as shown. And not used elsewhere. So this now is notgo odeno ughok - but (3) not my actual new password and (4) number and/or case variation is still compulsory, and a pain in the typist - it turns out that I can remember nonsense words, up to a point, but not case at the same time. Well, then, my next compulsory password change will have an A or a 1 in it, probably, just to meet that requirement (as I was doing already). "A notgo odeno ughok" for instance. And so, probably, will all my others. Unless I don't have to.

  24. Topedge@hotmail.com

    My password is Ifu*kinghateTFL

    That's how they got Ian Watkins!

    and no I don't use the asterisk in the real password.

Biting the hand that feeds IT © 1998–2021