http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

--
Chris

Chris! wrote:
http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

--
Chris


TfL claims that they keep the data for a few months and then discard
it. There are some obvious reasons for this which actually protect
"customers", such as if there is a dispute or if the card is lost.

But the intentions of TfL, whether or not this article is true, are not
really relevant.

Given that the information necessarily is being stored, the policy
could change or someone else could get hold of it.

This was also true with paper season tickets but, like the plan for ID
cards, Oysters are being forced on a higher proportion of travellers by
making it difficult to travel without them (maybe NR is holding out in
the name of civil liberties?).

MIG wrote:

Chris! wrote:
http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

--
Chris


TfL claims that they keep the data for a few months and then discard
it. There are some obvious reasons for this which actually protect
"customers", such as if there is a dispute or if the card is lost.

But the intentions of TfL, whether or not this article is true, are not
really relevant.

Sorry, my fault for not explaining well in the original post. By
talking about accuracy I was refering to things such as the article
saying our journey history is available online... it isn't

In reply to news post, which Chris! wrote on
Mon, 20 Feb 2006 -
http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

The article indicates you can see where you have travelled with your
Oyster card via the web site. I have never found this feature, does it
exist?
--
Matthew P Jones - www.amersham.org.uk
My view of the Metropolitan Line www.metroland.org.uk - actually I like it
Don't reply to it will not be read
You can reply to knap AT Nildram dot co dot uk

http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

The article indicates you can see where you have travelled with your Oyster card via the web site.
I have never found this feature, does it exist?

No. You can request a statement via the email feature in "Ask Oyster".
You have to provide your Oyster Card number, security answer and
home address. They send you the statement in the post.

On 20 Feb 2006 15:54:54 -0800, "Chris!" wrote:

http://www.theregister.co.uk/2006/02...ecurity_flaws/

Based on what I have read in this group over the years this is not a
very accurate article.

Maybe Paul C would like to comment to them?

I've read the above and the linked IOS article. There are two statements
that I recognise as something that was specified when I was involved a
long time ago. One was the deliberate decision to split usage and card
holder details in the tracking system. The second is the ability to read
the last few journey details from the card at a ticket machine. I don't
see a problem with either feature.

A lot has happened since I was involved in terms of the Oyster website,
off system purchasing of cards / value / tickets etc. While I
understand the point that both articles are making I think this is a
classic case of making a mountain out a mole hill. I don't understand
what it is that TfL are supposed to do to seemingly stop people being
able to see what is on their cards or how their card has been used.
That feature is provided to allow users to see that the ticket and / or
pre-pay that they have purchased and used is being accounted for
correctly. In other words it is a way of providing reassurance - not
unlike being able to get a transaction slip or mini statement from a
cash machine.

The implication seems to be that access to card information has to be
much harder thus disadvantaging the average passenger and that somehow
TfL has to design systems to prevent people getting divorced or to
somehow foresee the current legislative position concerning terrorism. I
cannot recall us examining those risks in any detail at the time I was
on the team but whether they were subsequently I do not know.

Why is this something that TfL has to do with public funds when it is
the card holder that is the person who is most likely to reveal details
that would allow the standard security features to be compromised or
even basic information to be accessed by someone they know? I don't see
how this would be a good use of public funds. The articles seem to be
trying to stoke up "public fears" so that "something has to be done" - a
classic newspaper tactic so it can claim the credit for "doing something
for the public good" against an "unresponsive bureaucratic public sector
quango" or somesuch.

If Oyster becomes E Money then we are in an entirely different situation
and other legislation and controls come into play. I would agree that
security would need to be re-assessed as the desirability of the system
to criminals would increase hugely and thus the risk profile for
everyone involved with the system changes.
--
Paul C


Admits to working for London Underground!

In message .com, at
16:32:07 on Mon, 20 Feb 2006, Chris! remarked:
By talking about accuracy I was refering to things such as the article
saying our journey history is available online... it isn't

I think what they mean is that you can get the information by going
online (needing access to the person's email) and having the information
sent to you (if necessary by changing the registered address too):

"access to the individual's email account would probably be
enough for a snooper to change passwords and gain access to the
account itself."
--
Roland Perry