Reply to post: Weak authentication

Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

Michael 86

Weak authentication

For years I’ve been baffled and frustrated by the fact that their authentication mechanism prohibits the use of special characters in passwords, never mind any sight of MFA. Considering TFL’s weak password policy (e.g. 6 characters minimum), I wouldn’t imagine that credential stuffing is particularly hard.

With all of that sensitive travel history, along with personal data, at what point does this constitute a failure in their duty of care and become a GDPR breach due to inadequate controls?

Weak password policy.

No option for MFA.

Probably complete lack of bot mitigation or account takeover protection.

No risk based authentication (hey, you’ve logged in from Eastern Europe...). You know that the first sign of a problem was probably reported from customers rather than detected in their SOC.

Given that they probably have the personal details and travel history of more than the working population of London, their protection of this personal data is completely inadequate.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon


Biting the hand that feeds IT © 1998–2019