We encourage all customers not to use the same password for multiple sites
If that's what they're doing, why not issue them all with unique user names?
Or ask for a couple of digits from the card serial number?
Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day. The UK capital's transport authority has blamed the intrusions on passengers who have used email address and …
Agreed. I remember maybe two decades ago reading something about not ever using email addresses as the username for an account, because in doing so it means the attacker has at least 50% of the information needed to get into the account.
So it's such a pity that since then, in the name of convenience this is exactly what pretty much every website goes with.
This is easily fixable, but only if websites support it.
rather than use: email@example.com, Where websites support it, I use firstname.lastname@example.org (I think you can use underscore to perform the same task)
I started originally using email@example.com but realised that was easily exploitable.
Of course, you can use a password manager and different password per website too to reduce to attack surface even further
Of course, you all know this, but...
If you own firstname.lastname@example.org can I offer my sincere apologies for the sheer amount of spam you must have received over the years. That's always been my go to f*ck you you ain't getting my email address email address.
It also means that if the
idiotuser has used the same password for their e-mail account, the attacker has 100% of the information he needs to get into any accounts the user may have, even those that have a different password, by means of requesting a password reset.
I remember coming under pressure from the owner of an e-commerce site a long time ago who felt he'd lose business if there were the slightest barrier to someone making a transaction - such as having to remember a username. The same retailer lost a significant sum of money by sending orders to Eastern Europe on what turned out to be dodgy credit cards because they'd underestimated the risks of online trading and were keen to show sales growth.
Ease-of-use issues are very much overblown (and, indeed, online retailers will often put deliberate obstacles in the way of an immediate checkout to encourage further impulse buying) and, in the case of TfL, where else are people going to go for their tube travel?
With the caveat that I've no idea what happened in this instance, that isn't always a good protection against credential stuffing.
Most attacks will be of the form of the attackers getting a list of usernames (either confirmed if they can enumerate them or a download of what is basically guesses) and will try all of them with 1 - 3 of the most common passwords. The idea is to avoid detection from locking out the accounts or hitting "excessive failed login" thresholds.
If TfL are saying that this is an attack where a list of pwnd email/pw combos from another site have been used in the attack, then thats a different story (and unique UIDs would have helped). But that isn't really credential stuffing (IMHO of course).
To be perfectly honest, if these really are reused email/password combinations then I have no sympathy for those people by this point. I really don't. Let them lose some money, probably not a lot considering this is a transport system, just to learn not to do this anymore.
You suspect the Google Authenticator passes on the details? Actually, that would be a defensible argument not to use it, and there are plenty other options. I have a load of them for iOS, list below, mainly for educational and backup purposes.
OTP Auth (also has Safari plugin, but it's not very good with dark mode) - paid for
Step Two (has MacOS desktop app - simple and good, desktop also picks up QR codes from websites) - paid for
Authy - free
Authenticator - free
FreeOTP - free (duh)
My favourite at present is Step Two, with OTH Auth running a close second. The former has a VERY simple UI, good for end users, less for volume users - which is why I then like OTH Auth :).
I don't trust Google not to be evil, but I do use their 2FA tool. You can audit the code (and recompile) at
(Android at https://github.com/google/google-authenticator-android/ )
I hope people have audited the build tools... :-O
People have to maintain dozens of different credentials for all the websites they access and this will only increase.
It’s no surprise that people use the same credentials and it’s unreasonable to expect them to remember that many.
Businesses need to stop shifting blame and get their act together.
Sites keep email address only for SPAM.
To use email as a username they could keep a hash instead of the plain text. This would work for login and password resets and not risk exposing it if the db gets nicked.
If everyone did that credential stuffing would be a thing of the past.
And of course it would be impossible for them to send you unsolicited email.
Using SMS is only one 2FA solution. There are much better ones, with the RFC 6238 based TOTP being so well spread that it's very easy to find a library to implement it, and there are apps aplenty for clients so you don't need any hardware token investment either.
The only thing you may need to guard against is key replication if you don't want multiple windows opened - you do that by, post login, barring the UID/TOTP pair used from reuse for about t times four (so it's timed out in both precise and more tolerant time windows).
TFL: "Hi Dan, Oyster online is currently unavailable whilst we investigate performance issues impacting users."
Was the Twitter rep lying or did someone else in TFL higher up the chain lie to their frontline staff?
It's a bit of a stretch from "performance issues" to the actual problem.
was anyone else reading this thinking there is much more to it? Like they have been compromised perhaps.
Mainly because shutting a system down entirely seems a little overkill if they are simply saying that users passwords are being recycled. In my mind you would just update all passwords to random strong passwords and then force people to reset if it was just that. Plus have a security review, not take the whole system down (internally too).
I'm old. I just top my Oyster card up with a few quid at the machine and jump on the tube. Is there some value in associating with a web logon?
Also what does stealing an Oyster account achieve? Track my exciting movements around London and add up to £50 to my travel card for me?
"Also what does stealing an Oyster account achieve? Track my exciting movements around London and add up to £50 to my travel card for me?"
Yes to this - because everyone is exactly like you and what is good for you is good for everyone (your name's not Milo, is it?).
I bet you don't fear anything because you've got nothing to hide, as well.
By registering your Oyster card, you can;
- get a refund if you lose your card or transfer your balance to another one
- get a refund if you ar overcharged after forgetting to touch out
- download a receipt for expense purposes
- set up an auto top-up when your balance approaches 0
You may not find all of this useful, but I'm a regular user of 2 and 3. I protect my account with a password as strong as the website will allow me, but I wouldn't mind having 2FA for operations that involve transfers of value.
For years I’ve been baffled and frustrated by the fact that their authentication mechanism prohibits the use of special characters in passwords, never mind any sight of MFA. Considering TFL’s weak password policy (e.g. 6 characters minimum), I wouldn’t imagine that credential stuffing is particularly hard.
With all of that sensitive travel history, along with personal data, at what point does this constitute a failure in their duty of care and become a GDPR breach due to inadequate controls?
Weak password policy.
No option for MFA.
Probably complete lack of bot mitigation or account takeover protection.
No risk based authentication (hey, you’ve logged in from Eastern Europe...). You know that the first sign of a problem was probably reported from customers rather than detected in their SOC.
Given that they probably have the personal details and travel history of more than the working population of London, their protection of this personal data is completely inadequate.
It wasn't that sophisticated. I am down to using a password manager and a random password for each site, they still managed to lock o.ut my Oyster account, so they weren't trying to hide the attack in any way. Happily its been a couple of years since I lived in London, so basically none of my detalis are probably correct any more.
Whilst I don't doubt that any comments or musings on technical issues related to the attack given by commentards here are likely to be pertinent, whenever anything like this crops up, the first thing that occurs to me is "Why have a system that requires people to create yet another identity?"
Stating the bleedin' obvious, pre-internet no problem - you had whatever identity verification was required by the regime in which you lived, and goods were purchased with money. Many people could probably remember things like their National Insurance number, or their National Service ID or driving licence number. Remembering two or three identities isn't too difficult.
With the advent of the internet, it seems that every business thinks you should have an identity with them, if you wish to use their services. Which may seem entirely reasonable from the individual businesses point of view, but is utterly UNreasonable from a customers view, if you expect people to remember all those identities, all those login names and passwords. And some programmers recognised this and came up with things like password managers. Which notionally provide the solution. Except - now you have a system whereby if anything goes amiss with the password manager the individual cannot access their accounts because they do not know their login details. A potentially catastrophic single point of failure in the modern world.
In essence it's a situation designed to encourage failure (of security) and the solutions (relying on memory, relying on password managers, writing down login details in books etc) tend to do little more than create a choice of where you want your single point of failure to be. Too many people are willing to blame the customer if they've done things like re-use passwords and suchlike, and sure, it's bad to re-use usernames and passwords, but why are we expecting people to create so many different unique identities in the first place, when everything we know about human capability and nature says that that is a bad idea?
That unreasonable expectation points the finger firmly at the world of business which (a) has unreasonable expectations of customers and (b) dislikes accepting the blame for the failings of these systems (which are often poorly implemented by businesses anyway) and (c) all too often refuses to give any compensation to customers when things go wrong with their systems unless explicitly forced to by law.
This highlights something folk here have said many times - until there are very real and painful consequences in law for companies that do IT badly, things are not likely to improve. Why should any company put effort into seeing if they can think up a better way for customers to interact with them in an internet-connected world, if the consequences of things going amiss with current systems are so trivial? But IMHO the last people that should be blamed are customers. They did not create the unreasonable situation that is forced upon them by business. Business created the mess - business should clear up the mess - under duress from the legal system, if necessary. Ideally. Well, it;s a nice dream...
Forget the online option/app, etc. If the cards can be topped up with cash at a machine or staffed kiosk, that's going to be safer than having anything online that allows somebody to pwn your account no matter how they do it. Just don't put more than a week's worth of travel money on the card or less if you can't afford the loss.
Biting the hand that feeds IT © 1998–2019