Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale

Aside from the security issues, it is also quite a usability issue if you use a passwprd manager and a generated password like $7iwz1bo9Rmw@6U7...

And to improve the customer service, please give your bank details and PIN.

Poor, poor, poor, POOR.

The normal way is for staff to have special access to the database that the Oystercard data sits on (with specific "admin" logins) that let them add it to customer accounts, with every transaction logged against the staff account.

Of course, this sounds too much like work for the likes of TfL.

Badly designed system

Obviously not a well thought out system!

The article mentions you can put a Two together discount on the Oyster card which intrigued me but checking their official site (twotogether-railcard.co.uk) it says you cannot use this discount for London Oyster fares in London, which I thought was the only place Oyster cards worked?

--------------

Your Two Together Railcard discount WON'T apply to:

Season tickets, including Travelcard Season tickets

Oyster pay as you go fares in London

Eurostar tickets

Tickets for special excursions or Charter trains and some coach/bus links, including Railair services

Rail/sea journeys to Calais, Ireland, Northern Ireland and the Isle of Man

Most London Underground and Docklands Light Railway ticket

Phone-based tickets

National Rail tickets are paper-based with a magnetic stripe as local storage

You can finally buy tickets using apps (although not National Rail's).

Infuriatingly Great Western's app makes you enter your credit card details in for each transaction; this is more secure than storing the details I guess, but having to get a card out in public as you enter all the digits again is just asking for someone to snatch the card and/or phone...

I commute into London from outside the Oyster zone which is great as far as I'm concerned as I can still get good old-fashioned cardboard weekly season tickets. Wouldn't touch Oyster with a bargepole. Apart from all the security and privacy aspects I've heard too many horror stories of people getting billed huge amounts for a three hop tube trip because it didn't beep at them at the other end or somesuch, leaving the metaphorical meter running.

Mad

"The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options."

What good does it do, "entered in the presence of the customer and the form is returned" ???? It's still compromised, which a password should never be.

Process improved ? Yes, morons, hand over the keyboard to the customer, like in every cash machine ! They're really tools, those ones !

an oyster rich for the taking? (can't remember how that saying goes, I may have got it mixed up, oops) :)

Thank goodness I hardly ever go to London despite being in possession of an Oyster card. Do you they expire after not being used for a couple of years?

One of the advantages of living in Dundee is that London is not a common destination of choice. We do have flights from our little airport to London City Airport. But they are expensive and it's only a little turboprop job. Sure I can get on a train to London, though the train I got on to come back last time terminated in Edinburgh meaning I had to walk across the platform at Waverley and get on a local train for local people to Dundee.

My old boss used to take the sleeper the night before for meetings in London, coming back the next night. Though there have been big problems with the new sleeper trains I understand. I would also still need a reason to go and the funds, long distance train travel, even booked well in advance is not cheap.

TfL and WiFi

https://tfl.gov.uk/corporate/privacy-and-cookies/wi-fi-data-collection

"Wi-Fi connection data can provide us with a far better understanding of how customers move through stations. It is not used to identify specific individuals or monitor browsing activity. ... We are putting up signs at every station explaining the Wi-Fi data collection that is taking place and how to opt-out."

"However, if you would like to opt-out, you can do this by turning off Wi-Fi on your device, turning your device off or putting your device into airplane mode while at our stations."

normal?

Is this normal UK security?

Its worse then that ;)

I did a small contract for TFL a while back, can't say too much as that would give me away, but imagine my surprise while looking through their data to see peoples full names, addresses, credit card numbers and 3 digit cvv codes stored in plain text for any operator to see, and lets not even get into the tracking info the oyster card gives them and the fact they store it.

Insecurity

It's horribly insecure, but Is this any worse than a card telephone transaction, where the underpaid sales person carefully makes a personal copy of your name, address, card number, expiry date and PIN to sell down the pub later?

Discounts outside Oyster zone¿

"If you know how to navigate the arcane National Rail ticket system and precisely what to ask ticket clerks to sell you, train journeys entering or leaving the capital's Oyster fare zones can be discounted quite significantly too; in some cases halving the price of an Anytime fare to some non-London destinations."

So what is the secret please?

The Secret Industry Code (cf. Flight of the Conchords) is a "Boundary Zone Fare" which can be used in conjunction with a Z1-6 Travelcard, Freedom Pass or (arguably...) PAYG cap between a station outside the Oyster Z6 area and anywhere within the area. They're not advertised or available online and can only be bought from NR Ticket Offices and certain, seemingly random Ticket Vending Machines. Sample discussion from a quick online search is here:

https://www.railforums.co.uk/threads/boundary-zone-tickets.166875/

They're a bit like Split Ticketing, with the important difference that the train does NOT need to stop at the station on the Z6 Boundary to be valid.

This may have been said

My interpretation of the form is that if you haven't created a web access account at tfl.etc then you need to (1) create a password on this form and then (2) use that password to create your web account, or you won't be able to. In other words, this process and the web account process need to hash (let's hope) the same password. But still... it's not good.

What you might do before submitting the form is change your actual password to "temporarily somer andom texts" (for example) and write that on the form, then change it back after the transaction. Or just "gosh this is stupid 34345687".

In other news, office penetration testers got my password, but apparently mine is the only one got that wasn't on the lines of "letmein123". It was more like "Zvchwk43" with each letter or number random of its kind, but cased as shown. And not used elsewhere. So this now is notgo odeno ughok - but (3) not my actual new password and (4) number and/or case variation is still compulsory, and a pain in the typist - it turns out that I can remember nonsense words, up to a point, but not case at the same time. Well, then, my next compulsory password change will have an A or a 1 in it, probably, just to meet that requirement (as I was doing already). "A notgo odeno ughok" for instance. And so, probably, will all my others. Unless I don't have to.

My password is Ifu*kinghateTFL

That's how they got Ian Watkins!

and no I don't use the asterisk in the real password.