Add a discount using -your- password?
Sounds like maybe there's a backdoor for adding it yourself?
Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read. London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work …
I added a railcard to my non-registered oyster PAYG card (therefore no password) at a TfL ticket window (some still exist): they just needed the two cards.
I presume this is because the network rail staff don't have access to the Oyster systems so there is some workaround - it does sound like a backdoor may be possible...
It's probably some cack-handed way of trying to preventing scams, because TfL couldn't come up with another way of stopping staff applying discounts to whatever Oyster account they wanted.
Presumably installing a card reader at the ticket office window for the passenger to use would require money and there's not too much of that around lately. At least not in the right places.
This post has been deleted by its author
Someone posted a Twitter thread over the weekend showing that Virgin Media can send you a copy of your forgotten password on a letter in the post...When questioned how this was secure, that they store passwords in clear text, they stated that since it is a crime to open someone else's post this is secure.
--Exploding head emoji
Can we get the link to the actual thread, please?
Because, well, not to say I don't trust fully every and each comment on ElReg, but that's "somebody said something about someone", aka hearsay. Which is plenty on the web, and however satisfying to read, isn't evidence.
Poor, poor, poor, POOR.
The normal way is for staff to have special access to the database that the Oystercard data sits on (with specific "admin" logins) that let them add it to customer accounts, with every transaction logged against the staff account.
Of course, this sounds too much like work for the likes of TfL.
Smells like a management-mandated procedural fix to allow production deployment that became accepted practice.
Despite the issues being obvious (allows shoulder-surfing, discouraging password managers), unless they are challenged on this by someone with weight nothing will change.
I assume their admin interface and/or access control is broken and would cost Money to fix.
You also presume it exists.
Access control of a sort exists, as each user isn't seeing the other users' data.
Maybe there's only one type of admin access (or one admin account, as mentioned elsewhere), which they don't want to give to their subcontracted support staff.
A quick form sending a REST or batch load request is traditional for this sort of problem. Ho hum.
Uhoh. Let's home they don't read your suggestion. More likely than not they'll use a single admin account. But not to worry, they'll probably use l33t to make it secure.
admin
p@ssword123
In six months El Reg will have another article on TfL along those lines, I'm afraid.
With a reply from the company like, "You NEVER say anything good about us. We even followed the advice from one of your experts that we found below the article back in August, and you're STILL on our case!"
Obviously not a well thought out system!
The article mentions you can put a Two together discount on the Oyster card which intrigued me but checking their official site (twotogether-railcard.co.uk) it says you cannot use this discount for London Oyster fares in London, which I thought was the only place Oyster cards worked?
--------------
Your Two Together Railcard discount WON'T apply to:
Season tickets, including Travelcard Season tickets
Oyster pay as you go fares in London
Eurostar tickets
Tickets for special excursions or Charter trains and some coach/bus links, including Railair services
Rail/sea journeys to Calais, Ireland, Northern Ireland and the Isle of Man
Most London Underground and Docklands Light Railway ticket
Two Together is one of the few (the only??) railcards which can't be added to an Oyster to apply off-peak discounts to Oyster fares - logical when you think about it as there's no obvious way to check the conditions are met by two linked peple travelling at the same time .
Was a bit surprised by this story, as I've been getting TfL (LUL) staff to apply my annual Senior Railcard discount onto my (registered) Oyster for several years and never once been asked for a password or handed a form - they do it at any station Oyster Top-Up kiosk and it takes less than 30 seconds. Maybe the Overground / Arriva kiosks operate differently to the Underground ones, or maybe it's the (completely barmy..) process when trying to apply the discount to a new or unregistered Oyster card?
Adding National Railcard discounts to an Oyster is very badly publicised but absolutely worth doing - you get 1/3 off the off-peak PAYG rail (not bus) fares on all of the TfL / National Rail systems in the Oyster area AND 1/3 off the daily off-peak cap.
NB - not a London resident so can't get a Freedom Pass :-(
</TfL Fares nerd mode>
It's the process when you go to a ticket office rather than at an underground top up point. They don't have direct access to the Oyster system as it's managed by TfL so their work around requires a password because they need to log in to the TfL account or create a new TfL account as a part of the process. All the guidance on how to apply the discount to your Oyster says to go to a person at an underground station which doesn't require the password.
National Rail tickets are paper-based with a magnetic stripe as local storage
You can finally buy tickets using apps (although not National Rail's).
Infuriatingly Great Western's app makes you enter your credit card details in for each transaction; this is more secure than storing the details I guess, but having to get a card out in public as you enter all the digits again is just asking for someone to snatch the card and/or phone...
Dashlane can enter your card details into most browsers and other apps for you, then you just need to enter your fingerprint. I don't know if other password managers can do the same? Obviously you need to trust your password manager app, but it's probably safer than waving your card round in public.
Er - memorise the thing so you don't have to wave your card around in public?
I worked out some while ago that the first two quartets of my credit card numbers are always the same (or number+1) whenever the card is replaced. So, that means I only need to remember the second two quartets whenever I get a new card.
Or maybe it's just the muscle memory from typing it into too many forms.
"... I can't think of a single thing they've done that shows the remotest sign of intelligent planning..."
Well you've obviously never lived in a major UK city outside London then.. Compared to the near-total fustercluck of other urban transport provision, mainly instigated by Nick Ridley's disasterous policy of bus deregulation, transport planning and innovation in London is pretty much a model of how things ought to work. TfL's introduction of the whole zonal / smartcard consistent fares system (along with Hong Kong) is a structure now being copied across the world, their retention of control over the bus network (in the teeth of opposition from Ridley and the Treasury) saved the whole thing from certain meltdown and the creation of the Overground network from the ashes of some near-defunct suburban lines has transformed public transport in swathes of outer London.
They're certainly not perfect - Crossrail overspend, recent bus network cutbacks come to mind - but many of the problems have come from ill-advised political interference and grandstanding (Boris Routemasters, crazy no-fares-increase promise from Khan at a time when the central Government subsidy was being withdrawn, deep-seated mutual hatred and rivalry between Khan and Failing Grayling).
I'm seldom a fan of public bodies but TfL are, overall, one of the better ones and it seems highly likely that much of their thinking on contract structure and overall control of strategic planning will and should find its way into the Williams review of national rail provision.
(disclaimer - I've never worked for TfL, just willing to recognise a rare example of an organisation which gets more right than wrong)
"TfL's introduction of the whole zonal / smartcard consistent fares system (along with Hong Kong) is a structure now being copied across the world"
Including Melb.Aus, where it was used to protect the jobs of tram conductors and station staff, replacing a whole-of-city travelcard that threatened to, and was intended to, make them all redundant.
The zonal fares system copied from London also shifted the power from the sub-urban private bus operators, who were collecting the cash for the whole-of-city fares, to the transport unions of the government-operated urban hub.
Given the public spending on transport infrastructure in London - multiples per head of anywhere else - and the cost of travel within London despite that, and despite the economies of scale available to them, I think TfL are borderline criminally incompetent.
Seldom seen so continuous and excessive a waste of money.
I commute into London from outside the Oyster zone which is great as far as I'm concerned as I can still get good old-fashioned cardboard weekly season tickets. Wouldn't touch Oyster with a bargepole. Apart from all the security and privacy aspects I've heard too many horror stories of people getting billed huge amounts for a three hop tube trip because it didn't beep at them at the other end or somesuch, leaving the metaphorical meter running.
"The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options."
What good does it do, "entered in the presence of the customer and the form is returned" ???? It's still compromised, which a password should never be.
Process improved ? Yes, morons, hand over the keyboard to the customer, like in every cash machine ! They're really tools, those ones !
Thank goodness I hardly ever go to London despite being in possession of an Oyster card. Do you they expire after not being used for a couple of years?
One of the advantages of living in Dundee is that London is not a common destination of choice. We do have flights from our little airport to London City Airport. But they are expensive and it's only a little turboprop job. Sure I can get on a train to London, though the train I got on to come back last time terminated in Edinburgh meaning I had to walk across the platform at Waverley and get on a local train for local people to Dundee.
My old boss used to take the sleeper the night before for meetings in London, coming back the next night. Though there have been big problems with the new sleeper trains I understand. I would also still need a reason to go and the funds, long distance train travel, even booked well in advance is not cheap.
https://tfl.gov.uk/corporate/privacy-and-cookies/wi-fi-data-collection
"Wi-Fi connection data can provide us with a far better understanding of how customers move through stations. It is not used to identify specific individuals or monitor browsing activity. ... We are putting up signs at every station explaining the Wi-Fi data collection that is taking place and how to opt-out."
"However, if you would like to opt-out, you can do this by turning off Wi-Fi on your device, turning your device off or putting your device into airplane mode while at our stations."
Glimpse of the future?
"Windows 10 may collect your Personal Data for any reason at any time. If you would like to opt out, simply stop using Windows 10 and any applications that rely on it, turn off your computer, or put your computer into the nearest recycling station."
With Windows S and especially that locked down ARM version of Windows, the first and last options were (are?) rather synonymous...
All those hours put in to training users to use passwords that aren't totally shit, to not use [pet][1..10], to not write it down, to not give it to anyone, to definitely not give it to IT, and you just give them a gods damned form demanding it.
Fuckin' thanks, you absolute shower of bastards.
I did a small contract for TFL a while back, can't say too much as that would give me away, but imagine my surprise while looking through their data to see peoples full names, addresses, credit card numbers and 3 digit cvv codes stored in plain text for any operator to see, and lets not even get into the tracking info the oyster card gives them and the fact they store it.
"If you know how to navigate the arcane National Rail ticket system and precisely what to ask ticket clerks to sell you, train journeys entering or leaving the capital's Oyster fare zones can be discounted quite significantly too; in some cases halving the price of an Anytime fare to some non-London destinations."
So what is the secret please?
This post has been deleted by its author
This post has been deleted by its author
The Secret Industry Code (cf. Flight of the Conchords) is a "Boundary Zone Fare" which can be used in conjunction with a Z1-6 Travelcard, Freedom Pass or (arguably...) PAYG cap between a station outside the Oyster Z6 area and anywhere within the area. They're not advertised or available online and can only be bought from NR Ticket Offices and certain, seemingly random Ticket Vending Machines. Sample discussion from a quick online search is here:
https://www.railforums.co.uk/threads/boundary-zone-tickets.166875/
They're a bit like Split Ticketing, with the important difference that the train does NOT need to stop at the station on the Z6 Boundary to be valid.
My interpretation of the form is that if you haven't created a web access account at tfl.etc then you need to (1) create a password on this form and then (2) use that password to create your web account, or you won't be able to. In other words, this process and the web account process need to hash (let's hope) the same password. But still... it's not good.
What you might do before submitting the form is change your actual password to "temporarily somer andom texts" (for example) and write that on the form, then change it back after the transaction. Or just "gosh this is stupid 34345687".
In other news, office penetration testers got my password, but apparently mine is the only one got that wasn't on the lines of "letmein123". It was more like "Zvchwk43" with each letter or number random of its kind, but cased as shown. And not used elsewhere. So this now is notgo odeno ughok - but (3) not my actual new password and (4) number and/or case variation is still compulsory, and a pain in the typist - it turns out that I can remember nonsense words, up to a point, but not case at the same time. Well, then, my next compulsory password change will have an A or a 1 in it, probably, just to meet that requirement (as I was doing already). "A notgo odeno ughok" for instance. And so, probably, will all my others. Unless I don't have to.