Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day. The UK capital's transport authority has blamed the intrusions on passengers who have used email address and …

  1. Warm Braw Silver badge

    We encourage all customers not to use the same password for multiple sites

    If that's what they're doing, why not issue them all with unique user names?

    Or ask for a couple of digits from the card serial number?

    1. Test Man

      Re: We encourage all customers not to use the same password for multiple sites

      Agreed. I remember maybe two decades ago reading something about not ever using email addresses as the username for an account, because in doing so it means the attacker has at least 50% of the information needed to get into the account.

      So it's such a pity that since then, in the name of convenience this is exactly what pretty much every website goes with.

      1. Oh Matron!

        Re: We encourage all customers not to use the same password for multiple sites

        This is easily fixable, but only if websites support it.

        Rather than use bob@bob.bom, where websites support it I use bob+fhfggdh@bob.bom (I think you can use underscore to perform the same task).

        I started originally using bob+websitename@bob.com but realised that was easily exploitable.

        Of course, you can use a password manager and a different password per website too, to reduce the attack surface even further.

        Of course, you all know this, but...

        1. Anonymous Coward

          Re: We encourage all customers not to use the same password for multiple sites

          If you own bob@bob.com can I offer my sincere apologies for the sheer amount of spam you must have received over the years. That's always been my go-to "f*ck you, you ain't getting my email address" email address.

          1. NeilA

            Re: We encourage all customers not to use the same password for multiple sites

            Always been a nope@noway.com guy myself.

            1. Doctor Syntax Silver badge

              Re: We encourage all customers not to use the same password for multiple sites

              For the real win, the CEO's email address if you can get it, failing that marketing.

            2. FrogsAndChips Silver badge

              Re: We encourage all customers not to use the same password for multiple sites

              I tend to rely on mailinator.com (or one of its aliases if this domain is rejected). It has the benefit that you can access the address if they need to send you an activation link or confirmation code.

            3. Anonymous Coward

              Re: We encourage all customers not to use the same password for multiple sites

              fook@yoo.com has been mine, seems to be quite popular now!

              1. Unoriginal Handle

                Re: We encourage all customers not to use the same password for multiple sites

                I always put myself down as Michael Mouse, email address m.mouse@disney.com.

                If that doesn't work, then Michael Souris, m.souris@disney.com.

                1. Anonymous Coward

                  Re: We encourage all customers not to use the same password for multiple sites

                  Hey, that's my address!

                2. ocflyfish

                  Re: We encourage all customers not to use the same password for multiple sites

                  mickey@disney.com is my go-to when they need an email.

          2. Tom 35 Silver badge

            Re: We encourage all customers not to use the same password for multiple sites

            I like to use the "contact us" email address for sites that want an email address to download a driver or update.

            1. Doctor Syntax Silver badge

              Re: We encourage all customers not to use the same password for multiple sites

              Unfortunately all too often "Contact us" is a web form.

          3. Anonymous Coward

            Re: We encourage all customers not to use the same password for multiple sites

            I prefer things like spam@uce.com myself; saves me from having to forward spam to them myself.

            1. Tom Chiverton 1

              Re: We encourage all customers not to use the same password for multiple sites

              spam@google.com for the similar win

              1. Anonymous Coward

                Re: We encourage all customers not to use the same password for multiple sites

                Oh yes, these days their spy operations are joined at the hip anyway.

          4. Anonymous Coward

            Re: We encourage all customers not to use the same password for multiple sites

            Also...me@there.com

      2. Warm Braw Silver badge

        Re: We encourage all customers not to use the same password for multiple sites

        It also means that if the idiot user has used the same password for their e-mail account, the attacker has 100% of the information he needs to get into any accounts the user may have, even those that have a different password, by means of requesting a password reset.

        I remember coming under pressure from the owner of an e-commerce site a long time ago who felt he'd lose business if there were the slightest barrier to someone making a transaction - such as having to remember a username. The same retailer lost a significant sum of money by sending orders to Eastern Europe on what turned out to be dodgy credit cards because they'd underestimated the risks of online trading and were keen to show sales growth.

        Ease-of-use issues are very much overblown (and, indeed, online retailers will often put deliberate obstacles in the way of an immediate checkout to encourage further impulse buying) and, in the case of TfL, where else are people going to go for their tube travel?

        1. Doctor Syntax Silver badge

          Re: We encourage all customers not to use the same password for multiple sites

          You know the Iron Triangle for development? Security is an Iron Line: Convenience, security, pick any one.

      3. DontFeedTheTrolls Silver badge

        Re: We encourage all customers not to use the same password for multiple sites

        I know a Challenger Bank that used the PAN number as the Customer ID. System coded, built and tested, then all went wrong very quickly when they realised lost and stolen cards get issued a new PAN.

    2. macjules Silver badge

      Re: We encourage all customers not to use the same password for multiple sites

      "..transport authority has blamed users who recycled their login creds with other websites."

      Talk about "chutzpah".

    3. PrivateCitizen

      Re: We encourage all customers not to use the same password for multiple sites

      With the caveat that I've no idea what happened in this instance, that isn't always a good protection against credential stuffing.

      Most attacks will be of the form of the attackers getting a list of usernames (either confirmed if they can enumerate them, or a download of what is basically guesses) and trying all of them with 1-3 of the most common passwords. The idea is to avoid detection from locking out the accounts or hitting "excessive failed login" thresholds.

      If TfL are saying that this is an attack where a list of pwnd email/pw combos from another site has been used in the attack, then that's a different story (and unique UIDs would have helped). But that isn't really credential stuffing (IMHO of course).

      1. Hooda Thunkett

        Re: We encourage all customers not to use the same password for multiple sites

        To be perfectly honest, if these really are reused email/password combinations then I have no sympathy for those people by this point. I really don't. Let them lose some money, probably not a lot considering this is a transport system, just to learn not to do this anymore.

      2. teknopaul Silver badge

        Re: We encourage all customers not to use the same password for multiple sites

        It is credential stuffing per Wikipedia's definition:

        https://en.m.wikipedia.org/wiki/Credential_stuffing
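The low-and-slow pattern PrivateCitizen describes above (many accounts, one to three attempts each, nobody trips a lockout) is invisible to per-account counters but shows up as username fan-out per source. The following is an added detection example, not code from TfL or from anyone in this thread; the log format, IPs and thresholds are constructed for illustration.

```python
"""Detect spray/stuffing fan-out in authentication logs.

Constructed example: each account sees fewer failures than a lockout
threshold, so only grouping by source and counting distinct usernames
within a sliding window exposes the activity. Log format, addresses and
thresholds below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-08-20T08:00:01 203.0.113.7 alice@example.test LOGIN_FAIL
2019-08-20T08:00:04 203.0.113.7 bob@example.test LOGIN_FAIL
2019-08-20T08:00:06 203.0.113.7 carol@example.test LOGIN_OK
2019-08-20T08:00:09 203.0.113.7 dave@example.test LOGIN_FAIL
2019-08-20T08:00:12 203.0.113.7 erin@example.test LOGIN_FAIL
2019-08-20T08:00:15 203.0.113.7 frank@example.test LOGIN_FAIL
2019-08-20T08:00:30 198.51.100.9 grace@example.test LOGIN_FAIL
2019-08-20T08:00:35 198.51.100.9 grace@example.test LOGIN_FAIL
2019-08-20T08:00:40 198.51.100.9 grace@example.test LOGIN_OK
2019-08-20T08:05:00 192.0.2.20 heidi@example.test LOGIN_OK
"""

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout; attackers stay below it
MIN_DISTINCT_USERS = 5   # assumed fan-out needed before a source is flagged
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse the constructed format into (time, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_spray_sources(events):
    """Return {ip: summary} for sources that touch many accounts, few tries each.

    A per-account rule never fires on SAMPLE_LOG: no user has 5 failures.
    The per-source view does, and also lists which accounts succeeded so
    those logins can be reviewed and the sessions invalidated.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:   # slide the window
                start += 1
            window = evs[start:end + 1]
            per_user = defaultdict(int)
            for _, _, user, _ in window:
                per_user[user] += 1
            # spray signature: many distinct accounts, each below lockout
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) < LOCKOUT_THRESHOLD
                    and len(per_user) > flagged.get(ip, {}).get("distinct_users", 0)):
                flagged[ip] = {
                    "distinct_users": len(per_user),
                    "max_attempts_per_user": max(per_user.values()),
                    "compromised": sorted(u for _, _, u, r in window if r == "LOGIN_OK"),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The same fan-out view distinguishes a single user fumbling their own password (198.51.100.9 above) from a source walking a list of accounts.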

    4. Jove Bronze badge

      Re: We encourage all customers not to use the same password for multiple sites

      IIRC the original Oyster system did use a unique ID but they later switched over to using the email address as the ID.

  2. Vulture@C64

    Most people are too thick to understand the issue or even think about the issue and even if they did think about it and understand it, would be too lazy to do anything about it.

    So make everybody use 2FA on every login. Sorted.

    1. GnuTzu Silver badge

      Still looking for stronger and easier 2FA, which I'm hoping an increase in use will drive the development of. (P.S. I'm not the one that voted you down; time to move forward. Clearly, some people aren't liking the way 2FA works with the current technology.)

      1. PeeKay

        I use OTP Auth and have 26 distinct sites with 2FA (Google Auth) on it. They are out there...

        1. DougS Silver badge

          Sorry, no way am I trusting Google for something as important as authentication.

          1. Anonymous Coward

            You suspect the Google Authenticator passes on the details? Actually, that would be a defensible argument not to use it, and there are plenty of other options. I have a load of them for iOS, list below, mainly for educational and backup purposes.

            OTP Auth (also has Safari plugin, but it's not very good with dark mode) - paid for

            Step Two (has MacOS desktop app - simple and good, desktop also picks up QR codes from websites) - paid for

            Authy - free

            Authenticator - free

            FreeOTP - free (duh)

            My favourite at present is Step Two, with OTP Auth running a close second. The former has a VERY simple UI, good for end users, less for volume users - which is why I then like OTP Auth :).

          2. dfsmith

            Trusting Google

            I don't trust Google not to be evil, but I do use their 2FA tool. You can audit the code (and recompile) at

            https://github.com/google/google-authenticator

            (Android at https://github.com/google/google-authenticator-android/ )

            I hope people have audited the build tools... :-O

    2. Anonymous Coward

      And you are undoubtedly a British Airways-certified security consultant, and I claim my 500 free Avios and an Oyster card.

    3. werdsmith Silver badge

      People have to maintain dozens of different credentials for all the websites they access and this will only increase.

      It’s no surprise that people use the same credentials and it’s unreasonable to expect them to remember that many.

      Businesses need to stop shifting blame and get their act together.

      1. teknopaul Silver badge

        Sites keep email address only for SPAM.

        To use email as a username they could keep a hash instead of the plain text. This would work for login and password resets and not risk exposing it if the db gets nicked.

        If everyone did that credential stuffing would be a thing of the past.

        And of course it would be impossible for them to send you unsolicited email.

    4. Stumpy

      Use the Bitwarden password manager. It has built-in OTP-Auth capabilities for each site.

    5. EBG

      yeh. right.

      So when they get hacked, every **** out there has my mobile number. Nope. Never happening.

      1. Anonymous Coward

        Re: yeh. right.

        Using SMS is only one 2FA solution. There are much better ones, with the RFC 6238 based TOTP being so well spread that it's very easy to find a library to implement it, and there are apps aplenty for clients so you don't need any hardware token investment either.

        The only thing you may need to guard against is key replication if you don't want multiple windows opened - you do that by, post login, barring the UID/TOTP pair used from reuse for about t times four (so it's timed out in both precise and more tolerant time windows).
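The reply above describes RFC 6238 TOTP with a tolerance window plus a bar on reusing an accepted UID/code pair for about four time steps. Here is an added example of that verifier, written for this thread and not taken from any library or from TfL; the shared secret is the RFC 4226/6238 test-vector key and the user ids are constructed.

```python
"""RFC 6238 TOTP verification with clock tolerance and single-use codes.

Shows why the replay bar matters: with a tolerance of one step either side,
a code stays valid for up to three steps, so an accepted (uid, code) pair is
barred for four steps, longer than any window that could still accept it.
Secret below is the RFC 4226/6238 test-vector key; user ids are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 30        # RFC 6238 default time step, seconds
DIGITS = 6
TOLERANCE = 1    # accept counters T-1, T, T+1 to absorb client clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check: tolerance window plus a bar on reusing accepted codes."""

    def __init__(self, secret_for_user):
        self._secret_for_user = secret_for_user   # callable: uid -> secret bytes
        self._used = {}                           # (uid, code) -> bar expiry (unix)

    def verify(self, uid: str, code: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        # drop bars that have expired; anything left is still replayable
        self._used = {k: exp for k, exp in self._used.items() if exp > now}
        if (uid, code) in self._used:
            return False                          # same pair presented again
        secret = self._secret_for_user(uid)
        current = now // STEP
        for delta in range(-TOLERANCE, TOLERANCE + 1):
            if hmac.compare_digest(hotp(secret, current + delta), code):
                self._used[(uid, code)] = now + 4 * STEP   # bar for ~t times four
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"     # RFC test-vector secret, not a real one
    v = TotpVerifier(lambda uid: key)
    print(totp(key, 59), v.verify("demo-user", totp(key, 59), now=59),
          v.verify("demo-user", totp(key, 59), now=61))
```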

  3. John Brown (no body) Silver badge

    Who's lying?

    TFL: "Hi Dan, Oyster online is currently unavailable whilst we investigate performance issues impacting users."

    Was the Twitter rep lying or did someone else in TFL higher up the chain lie to their frontline staff?

    It's a bit of a stretch from "performance issues" to the actual problem.

    1. Anonymous Coward Silver badge

      Re: Who's lying?

      Most likely whatever company they've outsourced social media to weren't told about the problem so they were just doing their usual: bullshit the customer until they go away.

      1. Jove Bronze badge

        Re: Who's lying?

        It was Capita - and I think the contract got renewed recently

    2. Anonymous Coward

      Re: Who's lying?

      More like a failure to perform security function properly. So it is a performance issue.

  4. SIP My Drink

    That Means The City...

    Will fall to its knees... "Sorry Boss, can't come to work - TFL is having a meltdown..."

    1. Jove Bronze badge

      Re: That Means The City...

      Ah - sounds like a version of the British Rail excuses for delays:

      "Delays due to hackers on the line"

  5. gojump

    overkill?

    Was anyone else reading this thinking there is much more to it? Like they have been compromised, perhaps.

    Mainly because shutting a system down entirely seems a little overkill if they are simply saying that users' passwords are being recycled. In my mind you would just update all passwords to random strong passwords and then force people to reset if it was just that. Plus have a security review, not take the whole system down (internally too).

    1. FrogsAndChips Silver badge

      Re: overkill?

      It's not unreasonable to put your system offline while you make sure that nothing other than password recycling has been going on.

      1. Anonymous Coward

        Re: overkill?

        For many this is step one in the security incident playbook.

  6. Anonymous Coward

    a small number of customers

    why is it that every time I see "a small number of customers", I become VERY suspicious...

    1. Chris King Silver badge

      Re: a small number of customers

      I feel the same way when someone says they were subject to a "sophisticated attack".

      TRANSLATION: I got phished, but I'm not going to admit it.

    2. Anonymous Coward

      Re: a small number of customers

      I wish there was a smaller number of customers on the Northern line this morning.

  7. vir

    Oyster Accounts Shucked

    TfL's response just vinegar in the wound.

    1. Charlie van Becelaere

      Re: Oyster Accounts Shucked

      vinegar in the wound?

      I prefer a bit of mignonette myself.

  8. sitta_europea Bronze badge

    Nah, I believe everything they say.

  9. Anonymous Coward

    Who logs in to an Oyster card?

    I'm old. I just top my Oyster card up with a few quid at the machine and jump on the tube. Is there some value in associating it with a web logon?

    Also what does stealing an Oyster account achieve? Track my exciting movements around London and add up to £50 to my travel card for me?

    1. katrinab Silver badge

      Re: Who logs in to an Oyster card?

      To download your journey history for the day to use as a receipt for an expense claim?

    2. Kernel Silver badge

      Re: Who logs in to an Oyster card?

      "Also what does stealing an Oyster account achieve? Track my exciting movements around London and add up to £50 to my travel card for me?"

      Yes to this - because everyone is exactly like you and what is good for you is good for everyone (your name's not Milo, is it?).

      I bet you don't fear anything because you've got nothing to hide, as well.

    3. Jove Bronze badge

      Re: Who logs in to an Oyster card?

      Credentials:

      - Home address
      - Contact number
      - Debit card details
      - Security questions and answers that may also be used elsewhere

      In short, access to sufficient details to secure transactional clearance on other sites.

      1. FrogsAndChips Silver badge

        Re: Who logs in to an Oyster card?

        From your account, you can read the security question but not access the answer. You can also only see the last 4 digits of your debit/credit cards, with the expiry date.

    4. FrogsAndChips Silver badge

      Re: Is there some value in associating with a web logon?

      By registering your Oyster card, you can:

      - get a refund if you lose your card, or transfer your balance to another one
      - get a refund if you are overcharged after forgetting to touch out
      - download a receipt for expense purposes
      - set up an auto top-up when your balance approaches 0

      You may not find all of this useful, but I'm a regular user of 2 and 3. I protect my account with a password as strong as the website will allow me, but I wouldn't mind having 2FA for operations that involve transfers of value.

  10. Michael 86

    Weak authentication

    For years I’ve been baffled and frustrated by the fact that their authentication mechanism prohibits the use of special characters in passwords, never mind any sight of MFA. Considering TFL’s weak password policy (e.g. 6 characters minimum), I wouldn’t imagine that credential stuffing is particularly hard.

    With all of that sensitive travel history, along with personal data, at what point does this constitute a failure in their duty of care and become a GDPR breach due to inadequate controls?

    Weak password policy.

    No option for MFA.

    Probably complete lack of bot mitigation or account takeover protection.

    No risk based authentication (hey, you’ve logged in from Eastern Europe...). You know that the first sign of a problem was probably reported from customers rather than detected in their SOC.

    Given that they probably have the personal details and travel history of more than the working population of London, their protection of this personal data is completely inadequate.

    1. Anonymous Coward

      Re: Weak authentication

      They've now got Bot authentication logging in and logging out.

  11. David 155

    How do they know?

    How do they know that the accounts were compromised by people using the same passwords?

    1. Anonymous Coward

      Re: How do they know?

      Perhaps passwords are stored in clear text.

    2. FrogsAndChips Silver badge

      Re: How do they know?

      Presumably they only noticed a few login attempts for each account, which excludes brute forcing. If some attempts are successful, it points to users having obvious passwords or reusing them.

      1. WookieBill

        Re: How do they know?

        It wasn't that sophisticated. I am down to using a password manager and a random password for each site; they still managed to lock out my Oyster account, so they weren't trying to hide the attack in any way. Happily it's been a couple of years since I lived in London, so basically none of my details are probably correct any more.

  12. Craigie

    What is there of value in an Oyster account?

    It strikes me that TfL are storing things that they shouldn't be if miscreants are trying to get in. What is there of value?

    1. FrogsAndChips Silver badge

      Re: What is there of value in an Oyster account?

      Your contactless card details, if you have registered them. You can also transfer balances or products from one card to another, so if you pwned my account, you could register your Oyster to it then transfer from my cards to yours.

  13. Esme

    Missing the point?

    Whilst I don't doubt that any comments or musings on technical issues related to the attack given by commentards here are likely to be pertinent, whenever anything like this crops up, the first thing that occurs to me is "Why have a system that requires people to create yet another identity?"

    Stating the bleedin' obvious, pre-internet no problem - you had whatever identity verification was required by the regime in which you lived, and goods were purchased with money. Many people could probably remember things like their National Insurance number, or their National Service ID or driving licence number. Remembering two or three identities isn't too difficult.

    With the advent of the internet, it seems that every business thinks you should have an identity with them, if you wish to use their services. Which may seem entirely reasonable from the individual business's point of view, but is utterly UNreasonable from a customer's view, if you expect people to remember all those identities, all those login names and passwords. And some programmers recognised this and came up with things like password managers. Which notionally provide the solution. Except - now you have a system whereby if anything goes amiss with the password manager the individual cannot access their accounts because they do not know their login details. A potentially catastrophic single point of failure in the modern world.

    In essence it's a situation designed to encourage failure (of security) and the solutions (relying on memory, relying on password managers, writing down login details in books etc) tend to do little more than create a choice of where you want your single point of failure to be. Too many people are willing to blame the customer if they've done things like re-use passwords and suchlike, and sure, it's bad to re-use usernames and passwords, but why are we expecting people to create so many different unique identities in the first place, when everything we know about human capability and nature says that that is a bad idea?

    That unreasonable expectation points the finger firmly at the world of business which (a) has unreasonable expectations of customers and (b) dislikes accepting the blame for the failings of these systems (which are often poorly implemented by businesses anyway) and (c) all too often refuses to give any compensation to customers when things go wrong with their systems unless explicitly forced to by law.

    This highlights something folk here have said many times - until there are very real and painful consequences in law for companies that do IT badly, things are not likely to improve. Why should any company put effort into seeing if they can think up a better way for customers to interact with them in an internet-connected world, if the consequences of things going amiss with current systems are so trivial? But IMHO the last people that should be blamed are customers. They did not create the unreasonable situation that is forced upon them by business. Business created the mess - business should clear up the mess - under duress from the legal system, if necessary. Ideally. Well, it's a nice dream...

    1. IWVC

      Re: Missing the point?

      Well said. I'm fed up of having to open an account to buy one thing, or get info from a web site / forum or whatever, each time having to give an email (for the inevitable login code check) and a password, mother's name, inside leg measurement, etc etc.

  14. Claverhouse Silver badge

    Transport for London

    What an utterly ridiculous name!

    Previous efforts fell a bit crap Wiki, London Passenger Transport Board being the most tolerable; but one really wants something with solidity and purpose, like: Grand Commissioners for Movement in the Capital.

  15. MachDiamond Silver badge

    More pedestrian/more secure

    Forget the online option/app, etc. If the cards can be topped up with cash at a machine or staffed kiosk, that's going to be safer than having anything online that allows somebody to pwn your account no matter how they do it. Just don't put more than a week's worth of travel money on the card or less if you can't afford the loss.
