Many passengers are concerned about the data security and safety aspect of Transport for London's (TfL's) plans to introduce contactless ticketing, and the project may not deliver the financial savings expected, the London assembly's transport committee has concluded. In a report titled, The Future of Ticketing, the committee …
If it ain't broke ....
........ why try to fix it ?
There is zero need to do away with the Oyster card - its cheap, it works, its safe and all the system needs is a few tweaks. I can top up with cash and TFL have no bank details of mine to lose, be stolen or leak. There's no way anyone at TFL is getting me to use a contactless bank card on one of their machines - its difficult enough with banks protecting their ATM's from skimmers so somehow I doubt TFL are going to have the money, inclination or skill to protect their machines as well. Some rather clever Eastern European gang will soon have figured out a way to get money out of folks cards and as TFL cannot make large predictable boxes move on fixed tracks with any predictability, I somehow doubt they will have a snowballs chance in h*ll of protecting folks bank cards.
I'll be one of the 'disadvantaged' still using Oyster as longa s it continues to exist.
II'm one of the even more disadvantaged without an Oyster card cos I only travel in London rarely. Have you seen the undiscounted prices? Pity the poor tourists
I only go to london about once a year, but I picked up an oyster card just to save a bit of money. You can buy one with cash, and without ID if you like, and then mix it up using it with a (also cash bought) cheap day travel card, just to really make sure that the data is really messed up :)
I only go to London once or twice a year and I have an Oyster card. Get one. You'll not regret it.
It is a point that I have made before that public transport is only cheap if you fully commit to it.
The best deals are to be had from seasonal passes which ironically the low income bracket cannot afford. I can see the business case for offering discounts on bulk purchase but it does make public transport look very expensive for those just trying it out for the first time.
It's probably related to this..
Oyster brand bought for £1m by Transport for London
Monday, 12 April 2010
Transport for London (TfL) has bought the rights to the Oyster Card brand for £1m.
It means TfL can look at other uses of the Oyster electronic smartcard system, which is currently used as a pre-pay ticketing service.
It has said it had already undertaken a trial of Oyster on bank cards and mobile phones.
TfL has bought the rights from TranSys, whose contract to run the service expires this August.
See more here:
What about us season ticket holders?
We travel by national rail and underground, but have to keep a paper ticket flawless for a month or more!
Allow us to get season ticket contact less cards please! I dont care if its via an oyster/bank card or integrated into our photo card!
Pity the poor fules with an annual "Gold Card"
They bugger up every 6 weeks or so and it takes at least 10 minutes getting a replacement...
They are right. It's not safe..
At best it's pointless..
At the moment, with my Oyster, when I get to a ticket barrier, I have to get the little plastic wallet out and swipe it over the reader. Takes a couple of seconds. I have an annual travelcard, which takes around 30 seconds to renew (thanks to TFL's website), but I only need to do that once a year then swipe the card..
If I switch to a NFC bank card, I have to either get my wallet out (not a good idea in some of the areas I travel to, even though I am rather large), or remove the card from my wallet. Both of which take longer than a couple of seconds.
I also have the problem that someone could run a reader over my card, and transfer money from my bank account.
Yes, I know about the limits, but I also know that it may take several transactions to trigger the security. Even if it does, bank security isn't always that reliable. Last year, when I renewed my travel card, the sudden large debit on the account triggered Santander's security and the transaction was declined. I got a text from the security system advising me to call a certain number.
The computer on the other end of the line confirmed the amount and told me it would allow the transaction. So, I went to my local branch. Their advice? Wait 48 hours to see if the transaction went through, then try again.
Thankfully, it didn't, else I would (temporarily at least) have been £1000 down. Something which I cannot afford.
So, as I am sure you can understand, I am not entirely convinced by the claims by the various authorities that NFC equipped bank cards are safe.
But, my main concern is safety. People have to get their Oyster cards out to swipe in some very dodgy places. If I get attecked and they take my Oyster card, yes, it will be incoveniant, but all I will have lost is whatever pay as you go balance I had on it (usually around £10) and a travelcard (which TFL will transfer to the new card anyway). No biggie, apart from it not being very nice if you have something stolen.
If I am attacked while swiping my bank card, they've potentially got access to my bank account. Not good at all.
"...I also have the problem that someone could run a reader over my card, and transfer money from my bank account...."
How many more times: Where would the cash go? That's right - into a merchant account - that's the only place that it could go, to get a merchant account you need to be a bank registered merchant. They need to know all sorts of information about you, crucially including name and address. It's not going to happen.
As more and more bank cards issued are becoming contactless, how will I know which card will be charged when I pass my wallet over the reader as I currently do with my Oyster card? I know, I'll just stop at the gate whilst I rummage through my wallet to find the correct card I want to use, therefore creating an impatient queue behind me. Oyster sped things up (apart from the numpties that still stand at the gate whilst fishing an Oyster out of whatever it's being kept in). This will surely slow passage down. FAIL.
If you have two NFC cards, neither will work. You'll need to select the one that you want to use.
"fraudsters would not be able to extract confidential information" but TfL would.
Of improving the system for users to ensure that EVERY reading tells you your balance so you know when you have or haven't touched in or out and also how about immediate refunds when you are mis-charged.
In fact there seems to be no part of this new plan that even mentions that there may be improvements for users in a system upgraded... improvements that would cut down the excessive over charging situations oyster users face every day.
Two things that astonish me about Oyster:
how rarely it goes wrong
how readily LT staff sort problems
For no particular reason, I have an unregistered PAYG - it failed. I took it to the ticket office merely expecting to avoid paying a deposit for a new one. They told me I still had £11 on it.
Walked on and off a main line station - that used to cost the minimum fare, a hit I was prepared to take. It's now £4.40, LT refunded that too
Not that I don't have a list of things that annoy me about LT but Oyster isn't one of them. And no I won't be using NFC on my bank card any decade soon for theme and variations on reasons stated above.
I am looking forward to being able to cut down on the amount of cards I carry.
It makes sense...
... to not have stacks of different cards all requiring you to keep some balance or credit or whatever on it topped up. Of course, it also enables better tracking of you by various middlemen processor companies. Which is probably why all those companies are so desperate to keep on pushing technology nobody wants.
And honestly, don't worry about privacy. Where it comes to electronic monies, you have none, and you won't get any back neither. Even asking for it would instantly label you a terrorist. So the companies don't complain about the requirements, they can sell that data they're gathering for a nice profit.
Me, I think I'd prefer cash even with the extra risk of getting extraordinarily rendered that comes with it these days, and if it must be electronicalised, then make sure your "solution" mimicks cash in anonymity as well as all the other ways nfc/pay-by-wave/oyster/whatever-du-jour try to mimick it. Provably so, yes, thanks. If that's too much effort for the companies pushing this, then it's too much effort for me to use their "innovations".
Ain't such a thing I'm afraid. If they said the "benefits outweigh the risks", then that's okay e.g. in terms of improving egress, shortening journey times, decongesting the entrances to subways, freeing up space to rent to concessions, reducing the amount of coins and money handled and gathering metrics to assist in optimizing service.
But not 100% safe.
The most obvious risk is thieves and pickpockets will mill around the barriers waiting to rob people. But also the nuisance of a system which requires somone pull out their phone / wallet multiple times for entry / exit & inspection, or which could whack them for charges if they forget to wave out properly, or prevents them waving out because their phone battery died. And of course if there is a large disconnect between the price of a journey and the journey it is an excuse for TfL to jack the prices up, or replace travel cards with more expensive per journey charges. And there are probably lots of points of failure where bogus cards, or replay attacks can get someone free travel.
So maybe it's worth it all told but it won't be 100% safe.
This is the point...
"...Will Judge, head of future ticketing at TfL, had told the committee in an evidence session in September that the contactless cards would be "100% safe"...
at which I stopped listening to what he said, and junked all his words, because they were written by a marketing droid.
The minute someone lies to me that what they're offering is "100% safe", I walk out of the room..
I would like some form of hardware disable for the 'wave pay' technology that seems to be in all the new cards I'm getting. A pull tab that exposes the chip to UV and wipes it maybe. Because I don't want to be waiting in the queue at Tesco or at a ticket barrier, with some guy reading my card and wirelessly transmitting it to his mate who's buying a half-bottle of Scotch with my dosh, or topping up his Oyster card with £15.
I've cut a 0.5mm slot about 2 mm above the Chip, as viewed when holding the card to read the numbers, to sever the RFID induction loop/ariel running the lenght of the chip.
I know the chip and pin still works but haven't yet had a chance to test whether the PayWave functionality has been completely disabled although I've definately severed copper wires so I can't see how it could unless there 2 seperate coils entering the chip in different places.
My biggest concern about this 'mod' is that I've structurally weakened the card, although Chip and Pin still works sometimes (1% of attempts) I have to reinsert the card to get the machine to communicate with the chip properly. I think this is caused because the chip can now bend slightly out of place because some of the plastic surrounding it is missing. I never had this problems before modding the card.
Apart from that it's all good.
OK. I used a torch and a magnifying glass to locate the antenna wires and removed their connection to the chip with a spot face cutter.
I don't know if it works or not, but I feel much better for having done it.
You could try home trapaning, it gets the government out of your head. No more need to worry about remembering your foil hat.
Oh, I don't mind the government being in my head, at least I can keep an eye on them there.
I'm not worried about being tracked or anything, it's just that:
(1) I don't want someone with a RFID relay picking my pocket
(2) It interferes with my travelcard (as does the Hertz Connect card I have, but there's a valid reason for having RFID in that as it needs to work through a van windscreen!)
(3) I didn't ask for it, and when I phoned up to ask if I could have one without it, they said NO.
(4) I'm not planning on using it, and if I do want to use it, I can always ask for it.
The fact that you keep saying RFID suggests that you don't know enough about the subject to actually have any opinions about it. The trouble is that you'll think that you know enough, probably more than most, because you are incapable of recognising that this is the case.
1) Your pocket can't be picked, except by someone with active merchant equipment linked to a bank.
2) It doesn't interfere with RFID, that must be something else
3) do you think that banks should produce special hardware for each customer? Are you seriously willing to pay for that, because I'm not and I would object to having to do so.
4) Do you always break things that you don't plan on using?
As a PS - The card is not your property, it belongs to the bank, they would be well within their rights to stop issuing cards to you if they find out that you intentionally break them.
"the potential lost revenue for the 4,000 small retailers that sell Oyster top-ups"
This is probably where most of the "savings" will comes from. No doubt the banks will decide to only charge Tfl half what the local shops do (for now).
Question: who would you rather make that small profit? The local shop that you sometimes also need to buy a bottle of water from, or the well loved, honest banks?
Then what happens when the banks say that they have to raise the fees for contactless charging (like they have done with everything else)? Oyster will be dead; the small shops selling top-ups and bottle of water will be closed, burnt out crack dens.
Oh yes, this is an excellent scheme. (Sorry if I missed out the bit where the bloke behind you also empties your bankaccount by remote control)
No thanks Boris
Since any supposed savings (yeah sure) form Waft 'n' Cough won't come back to passengers in the form of lower ticket prices, I struggle to see the point other than the acquisition of yet more data to be sold on without our consent.
Using a bank card also compromises physical security. I certainly wouldn't normally wave my credit card around in my scumbag infested corner of East London at midnight, and would resent being forced to do so. My wife recently lost her oyster with annual season (dropped on the bus), but it was quick and painless to get it replaced. That was all she dropped as she's smart enough not to keep it with her credit cards. If travel pass and credit card had been the same thing, it would have been a much greater - and almost certainly more expensive - pain in the rectum.
Multiplying the theft opportunity for crooks and data pimps sounds like serious FAIL to me.
If they are convinced that the system is "100% safe" then they must obviously have had an external security audit done, or it would be ludicrous to make such a comment.
Could they please provide a pointer to the report they commissioned from Ross Anderson, confirming that his students have not yet been able to stroll through the security system like a hot knife through butter?
His students may be able to stoll through security systems, but only in a lab, never in the real world.
I'm really surprised that he doesn't get more stick here- somewhere that people should understand IT/Security - many senior academics do - but I guess he spends most of his time saying that MS are teh evils and banks are all incompetent. If he just presented his work for what it is, rather than hyping it up, he would be far more credible. Lots of it is important work, but that it is hyped up does him a disservice.
"Any new ticketing system must provide the highest possible security for passengers' personal information."
Any new ticketing system must provide absolute security for passengers' personal information.
There, fixed it for them.
Not too fast Boris!
Why do we need the fancy, dancy digital swipe card system when a bare minority of users even use this technology yet? No wonder why people don't have any confidence in it because they don't understand it.
What I don't understand is why can they not put in the tech (new ticket barriers) that will accept or can be upgraded to use the contactless tech and continue to use the oyster system? Get rid of the crappy paper based cards us communters have to guard with our lives and deploy the oyster system across the whole rail network? It's proven to work, it doesn't confuse people, it's quick and an online based purchasing system could mean we get a better deal closer to our travel day not having to pay overheads for our tickets to arrive. That means we can shove the awful national rail ticket machines into the dump as they are ridiculously poor and don't give you an efficient way of purchasing tickets quickly.
Common sense is over looked 99% of the time in these upgrade to digital plans.
There will always be some form of RFID on LU...
because that's what the staff are issued with to operate the barriers when the punters get it wrong. Not sure where they hide the buggers... I hear that they fitted some inside company issued wrist watches.
And before anyone says anything about staffless ticket halls, if there's a barrier there it needs a fleshy thing to look after it - the number of times I've seen some moron get a wheely bag caught in the barrier is untrue, the barrier won't reopen for normal cards/tickets more than once in every five minutes and I've even seen one idiot wrench the barrier (before a staffer got to it) so hard, that it broke the machine!
I have a couple of contactless cards already.
If I continue to swipe my wallet at the reader, it might randomly take £2.50 off Card A (PAYG) instead of using the season ticket on Card B.
Will we all have to start having lead-lined wallets to shield Card A from the Oyster reader?
I'm not having a second wallet or faffing about waving my credit card to everyone in the ticket hall/ bus stop! Perhaps I should shout out my PIN Number as I pass down the bus as well, just in case someone's got their eyes on a PS3 or iPad!
I found it a lot quicker to get through before they installed al those barriers. Ah the good old days when I was trusted not considered a possible thief, and the chap at the gate merely had to see the ticket in your hand..
The Japanese solved this aeons ago...
...by making their equivalent of Oyster (Suica and Pasmo) usable in vending machines and newsagents and convenience stores. Admittedly, debit/credit card usage is still quite rare in Japan, but people trust using their transit card for payments for up to about £20. Oh, and the two schemes (one from the rail operator and one the Tokyo subway) are compatible so you need only hold one.
And doesn't VISA have cards with contactless VISA and a separate Oyster chip? If TfL just stick to Oyster, then such single cards (which will cost banks a little more to make, natch) will use Oyster for transit, and VISA Wave (or the new HFC rivals) for micropayments elsewhere. Simple.
Why the bloomin hell did TfL sign the huge Oyster outsource deal, only to blow another £1m of taxpayers money because they forgot to demand the intellectual property of the brand name....and then want to slowly kill that brand by introducing a new rival? Classic myopic British penpusher mentality, I guess.
Of course, this has NOTHING to do with improving customers lives (oh, the STRESS of having two 1mm thick cards in my pocket!), or saving the public sector money and it's another huge IT project waiting to bleed the taxpayers dry. Until you can close every ticket office and the entire Oyster ticket machine fleet, this is waste of time.
But, being public sector droids, TfL need something to keep their staff busy until they go home at 16:59 every day. Nothing like bit IT projects to keep that final salary pension scheme topping up for another year...
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- Reddit users discover iOS malware threat
- Pics R.I.P. LADEE: Probe smashes into lunar surface at 3,600mph
- Ex–Apple CEO John Sculley: Ousting Steve Jobs 'was a mistake'