Welcome to London 2012...
...home to the black hat hacker Olympics.
Transport for London has confirmed that by the end of 2012 it will accept contactless credit and debit cards at the tube turnstiles, just after the Olympic tourists leave. Those tourists will be able to pay for bus journeys, as London's 8,000 buses will be equipped to accept PayWave, PayPass and ExpressPay before the July kick …
I'd worry more when they either withdraw the ability to pay cash, or, as in Germany with Dr Andrej Holm's "conspiratorial behavior" of travelling without his mobile phone, paying cash for ticket is regarded as suspicious.
IIRC they've headed a little that way by making it more expensive to pay in cash -- perhaps someone who doesn't avoid London could confirm this?
Here in Vienna you have to purchase your ticket first (single use, or weekly/monthly etc. plus you can buy via SMS), then there are no barriers or turnstiles, just the possibility of being nabbed for 70 euro by plain clothes ticket inspectors if you have no valid ticket.
Think about it - no turnstiles = no delay, and the staff get to travel around checking tickets instead of standing at the gate all day.
Add this to the ability to complete one journey using any combo of underground, bus and tram on one ticket, and you have a system that 'just works' without stupid, expensive turnstiles and bored/pissed off staff.
Far too sensible for the UK though!
Oh, parking is the same deal - you buy tickets first and then fill in arrival time/date and leave it in the window, like a universal pay-and-display, with no machines, meters or barriers to mess up the street or get vandalised.
Think of all the money saved on custom kit, and it makes even more sense. Jeez, it aint rocket science.
Not on the buses it doesn't.
Given that bus readers will need to verify "over the air" rather than having the benefit of a fixed link (tube stations), unless they accumulate and distribute a blacklist to all the vehicles, its going to be a point of vulnerability in terms of fraud, although it might not be worth the cost of plugging this particular hole.
From what I've read, the contactless cards don't get server authentication for all transactions of £15 or less, whether or not some <£15 transactions need authentication or not I don't know.
The banks have said that any stolen cards used to make those unchecked transactions will be refunded. The banks have also said the £15 limit is subject to review once the cards have been widely used and I guess they have a better idea of fraud rates.
So in theory contactless cards won't need authentication for most underground travel.
My concern is that regardless of who ultimately pays for the transaction, stealing these credit cards is useful for low-level street crime because they can immediately be used to pay for travel, food etc.
Even where server auth is required, it could just go as far as VISA or Delta or whoever who authorise it up to a limit, much the same as how cheque guarantees worked. No need to go all the way to the bank to find out.
I think this is how some foreign VISA payments work when abroad?
Stolen cards can be dealt with by a blacklist at VISA etc.
Just leaves the problem of stolen cards, but they can cover it on insurance and is it much different to a stolen Oyster or stolen cash?
It's when they crack the system that it gets tricky though, especially with the potential for cloning cards just by bumping into someone to get close enough for an NFC connection, which is very likely to happen on the tube!
Only at first sight. One of the prime user benefits of the oyster card is that there is a daily cap on the payments to ensure the user never pays more than the cost of a travel card no matter how many journeys they make.
This complicates the billing somewhat, because the billing software has to aggregate all the journeys for a particular day in order to apply the daily cap.
If the present software continues to determine the payment due and makes just one single daily charge to the credit card account that shouldn't be a problem -- but then, nor should the fact that tube journey costs are determined by distance, which the author claims to be the stumbling block.
Not just the exit swipe failing but I am regularly double billed for a single touch on Tramlink, two transactions for the same amount which are logged as exactly the same time on the report, for which there is no possible legitimate billing.
Of course the thieving asswipes could catch this the next time you offer your card to a reader to be robbed but they don't, why fix a system which is stealing from your customers so effectively?
The only remedy for this is a symmetric penalty fare, if we catch Thieving For London robbing us on ticket prices then we get to raise a £100 penalty fare against them, just a little incentive for the incompetent vermin to fix the pile of crap that is Oyster...
Here, if I accidentally get off a bus and try to get on it again, my touchcard won't let me, unless the driver recognises me, which is why it's important to look the driver in the eye and give a sinister, loud, "HYVÄÄ HUOMENTAA!!!" as you get on. System blocks that card, on that bus, for the journey, presumably to prevent me lobbing it out of the exit door so my mate can travel. Free.
As to 500ms, there's another longer-distance card that, depending on the bus, has to be either put into a slot by yourself, or handed to the driver so he can do it. Realistically, about 4 secs. per card. 'Course, this ain't London, but the buses are no smaller* and just as crowded.
Worse is the muppet who, when it's blowing a blizzard in -20, insists on being first on. So he/she can recharge her bus card on the bus. Takes a bloody age! 20 folks standing out in the weather while some dizzy git/gitess fumbles around in wallet/purse for money/credit card.
I'll swing for one of them one day, I really will!
Still, €49/month for unlimited travel in the city** ain't bad.
*Yeah, we don't have double-deckers, nor 'bendy-buses here but in rush-hour, two with the same number follow each other in tandem. When the first is full - and I mean full - he only lets folks off, not on. By that, we know the second one is along in less than a minute.
** Ok, Londoners would call Oulu a town. Or a hamlet.
I have had several incomplete journeys where I have definitely touched at both ends, most of the time it happens at rail stations. The oyster helpline will not give you a refund unless you call them within 6 weeks, so you still need to check your account at a station every few weeks, the online webapp does not show you incomplete journeys.
But hey, by the time most people receive their credit card bill and scrutinise it, the 6 weeks will be up and TFL will be quids in!! trebles all round
You can't actually bill the person until you know the journey length anyway so that means you have to wait for the exit tap so all you do is collect the card information at point of entry, check it against a known (locally held, ie by TFL) list of sketchy cards. During the journey you authorise against the maximum possible journey (just like oyster currently does at entry) and then when the person taps out you either compile and send the final bill to the bank or hold that person at the barrier for an embarrassing alternative payment request.
Seems a monkeyload easier than what has to happen on a bus, over wireless connection, as people are getting on a bus.
From my experience of ticket barriers, this is what often happens:
1. The person in front of you stands there until the barriers close
2. They then walk up to it and search every pocket for their ticket
3. They touch it to the reader or feed it through the slot, as they should, and then look around for 30 seconds to see where it's gone
4. Meanwhile the barrier opens and closes in front of them and they have to go to the manned barrier so they can get through
Of course this assumes the barrier is working. If it isn't they'll try passing the ticket through 4 - 5 times, ignoring any message that might appear (such as "out of order", "invalid ticket" or "seek assistance"), and eventually give up when they realise there's a queue of 20+ people glaring at them to get a move on. With all that going on a delay of half a second or so is nothing.
It'll be interesting to see if using bank cards makes any difference when I've sometimes seen people forget to take their tickets out of the machine before they pass through. Unfortunately I've also seen people forget their bank cards when they use self service machines in supermarkets. I know these systems "should" have safeguards such as not opening the barrier if there's still a ticket in there, but it doesn't always work like that.
It still surprises me that people don't realise the barrier doesn't open until they take out the ticket so they just stand there. Sometimes I've even seen someone at the next gate having to point it out to them. I use public transport a lot, but some people behave as if they've never even seen a bus or train before.
There are tourists, and there are those who don't travel much.
Singapore's much-superior system had me baffled a couple of times when I used it for for the first time last year. Once you get an Oyster-equivalent card, it is very simple, but the cash/token/token-refund system must generate quite a few stupid-tourist questions.
Or hey, maybe I am the only *stupid* tourist.
But ... just because you do something every day, do not label it *intuitive* and think that it must be obvious to those who don't.
So if they're going to get rid of Oyster cards, how will it work for weekly/monthly/annual travelcards that are on your Oyster card?
Or are they going to abolish travelcards altogether so everyone has to pay up front?
Wouldn't surprise me in the slightest.
How will this work on buses? Via 3G?
You're never going to get anywhere near 100-200ms round trip auth with that surely.
But as others have said, with contactless there's no auth phase for small transactions so that discussion is all a bit irrelevant.
So Melbourne, AUS, seems set to get their custom built Oyster-type system working at about the time it becomes obsolete.
It is worth asking if all the complexity of a tap-in tap-out system is worth it for the benefit it delivers?
In Melbourn, AUS the system requires tap-in, tap-out because it is based on a ticketing system which was specifically designed to protect the jobs of station staff and tram conductors.
BTW, the HK barriers work much better: they stand normally open, and only slam shut if you try to walk through without presenting your card. The process is much less unpleasent. Can't remember if they slam shut if you forget to take your card, but I do remember that you didn't have to pause to collect it.
Assuming this thing gets popular (and it seems that at least one bank is forcing this technology on people regardless of their wishes), what happens when you present a whole bunch of cards at the same time? Don't know about anyone else, but I tend to carry all my cards together in one card-holder, so if they are all NFC enabled, which gets billed? Or wil the w.. sorry B..ankers just apply the charge to all of them?
Paris, because I am definitely having a blonde moment trying to work this out.
I wonder if they have considered what will happen to the over 60s Freedom Pass which works as if it is an Oyster card. Perhaps a good time to phase it out and replace with a new system and a higher entry date. Or will Oyster cards still exist? since people without bank cards or new mobile phones are more likely to be public transport users.
Not sure about having to constantly take out a creit card to go on the tube. More change of people losing such an item. At least my Oyster is only good for what's left on the monthly travelcard and a few quid for PAYG. A credit/debit card would also be able to do its usual purchasing.
Biting the hand that feeds IT © 1998–2019