February 22nd 06, 05:02 PM posted to uk.transport.london
Paul Corfield
Oystercard article

On 20 Feb 2006 15:54:54 -0800, "Chris!" wrote:

http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?


I've read the above and the linked IOS article. There are two statements
that I recognise as something that was specified when I was involved a
long time ago. One was the deliberate decision to split usage and card
holder details in the tracking system. The second is the ability to read
the last few journey details from the card at a ticket machine. I don't
see a problem with either feature.

A lot has happened since I was involved in terms of the Oyster website,
off system purchasing of cards / value / tickets etc. While I
understand the point that both articles are making I think this is a
classic case of making a mountain out of a molehill. I don't understand
what it is that TfL are supposed to do to seemingly stop people being
able to see what is on their cards or how their card has been used.
That feature is provided to allow users to see that the ticket and / or
pre-pay that they have purchased and used is being accounted for
correctly. In other words it is a way of providing reassurance - not
unlike being able to get a transaction slip or mini statement from a
cash machine.

The implication seems to be that access to card information has to be
much harder thus disadvantaging the average passenger and that somehow
TfL has to design systems to prevent people getting divorced or to
somehow foresee the current legislative position concerning terrorism. I
cannot recall us examining those risks in any detail at the time I was
on the team but whether they were subsequently I do not know.

Why is this something that TfL has to do with public funds when it is
the card holder that is the person who is most likely to reveal details
that would allow the standard security features to be compromised or
even basic information to be accessed by someone they know? I don't see
how this would be a good use of public funds. The articles seem to be
trying to stoke up "public fears" so that "something has to be done" - a
classic newspaper tactic so it can claim the credit for "doing something
for the public good" against an "unresponsive bureaucratic public sector
quango" or some such.

If Oyster becomes E Money then we are in an entirely different situation
and other legislation and controls come into play. I would agree that
security would need to be re-assessed as the desirability of the system
to criminals would increase hugely and thus the risk profile for
everyone involved with the system changes.
--
Paul C


Admits to working for London Underground!