Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts
Public sector bods blame users recycling logins
Exclusive: Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day.
The UK capital's transport authority has blamed the intrusions on passengers who have used email address and password combinations for their Oyster accounts that were also used for one or more hacked websites: criminals who have nicked login details from other sites can use that information to get into the Oyster accounts of people who reuse the same usernames and passwords everywhere. This technique is known as credential stuffing.
A TfL spokesperson told us: "We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites. No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place."
In fiscal year 2018/19 nearly a billion rail, tram and bus journeys were made using Oyster cards, netting TfL a cool £2.3bn in revenue, according to its own statistics.
Over the past couple of days, increasing numbers of users noticed that they could not log in online and check their smartcards' balances or top them up with cash.
@TfL trying to report my Oyster card lost and the website keeps crashing. I can’t find a number to call either. Please advise? — Christina x (@teehebron) August 7, 2019
In tweets from Londoners asking why they can't access their online accounts and do things like cancel standing orders or change card details, TfL repeatedly insisted that the problem was "performance issues impacting users".
Hi Dan, Oyster online is currently unavailable whilst we investigate performance issues impacting users. Our mobile app can still be used to make purchases and view payment and journey history etc. Sorry about the inconvenience caused, Tariq — Transport for London (@TfL) August 7, 2019
TfL's response to the attack on the accounts included taking down staff access to Oyster systems as well, though Londoners using ticket machines to top up at stations seem unaffected so far.
Hi Mark. I'm not struggling with the Contact Us page. I actually called and spoke to a lady. She said that the system is down internally too so she couldn't cancel my card either. I want to know when the system itself will no longer be under maintenance. — Elise Maile (@e_maile) August 8, 2019
It's not just Oyster Online that isn't working though. I called earlier only to be told the systems were down. So it's all of Oyster servicing, not just online. Really annoying as I need to report my Oyster card lost and transfer my credit etc. — Dean Sharpe (@deanj89) August 7, 2019
TfL also told us: "We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites."
The transport authority did not say how many users had been affected. ®
Updated to add at 1629 UTC 8 August
TfL got in touch to tell The Reg: "We have identified around 1,200 accounts that have been accessed maliciously.
"While this is a very small proportion of our 6 million online Oyster card account holders, we want to be absolutely safe and to protect our customers’ accounts so have temporarily suspended online contactless and Oyster accounts while we put additional security measures in place."
In short, don't use the same username and password combination across multiple websites.
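An added example (not from the article or from TfL) of how a defender could spot the credential-stuffing pattern described above in authentication logs and list the accounts that need a reset and a notification. The log format, thresholds, function names and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2019-08-07T09:00:01Z 203.0.113.7 alice@example.com FAIL
2019-08-07T09:00:02Z 203.0.113.7 bob@example.com FAIL
2019-08-07T09:00:03Z 203.0.113.7 carol@example.com OK
2019-08-07T09:00:04Z 203.0.113.7 dave@example.com FAIL
2019-08-07T09:00:05Z 203.0.113.7 erin@example.com FAIL
2019-08-07T09:00:06Z 203.0.113.7 frank@example.com FAIL
2019-08-07T09:01:10Z 198.51.100.20 grace@example.com FAIL
2019-08-07T09:01:25Z 198.51.100.20 grace@example.com OK
2019-08-07T09:02:00Z 198.51.100.31 carol@example.com OK
"""

def parse(log):
    """Yield (ip, user, ok) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def stuffing_sources(events, min_users=5, max_success=0.25):
    """Sources that try many distinct accounts and mostly fail."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, success in events:
        users[ip].add(user)
        total[ip] += 1
        ok[ip] += success
    return {ip for ip in total
            if len(users[ip]) >= min_users and ok[ip] / total[ip] <= max_success}

def affected_accounts(events, sources):
    """Accounts with a successful login from a flagged source."""
    return sorted({user for ip, user, success in events
                   if success and ip in sources})

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    flagged = stuffing_sources(events)
    print("suspect sources:", flagged)
    print("accounts to reset and notify:", affected_accounts(events, flagged))
```

A user who mistypes a password once and then logs in (the second source in the sample) is not flagged, because the rule keys on many distinct usernames per source rather than on failures alone.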