Myki security scare 'offers nothing' to fraudsters

Powered by SC Magazine
 

Limited credit card number and expiry date not enough for fraud.

Updated: At least one credit card expert has poured cold water on an apparent ‘security flaw’ within Victoria’s Myki train and tram ticketing system, which saw portions of credit card numbers printed on receipts.

The receipts contained nine digits of a credit card, an expiry date and customer names, and thanks to a glitch were printed regardless if a customer opted to not receive it, The Age reported

The receipts were routinely not collected by customers and had piled up in ticket machines.

Voluntary guidelines from Australian Security and Investments Commission covering electronic transactions (EFT) (pdf) require that receipts must not include a full credit card number and the customer’s name or address.

But the TTA said the guidelines relate to electronic payment facilities provided by banks, credit unions, building societies and other financial institutions, and not the TTA.

"TTA's electronic payment facilities are provided by Westpac and throughout the development of myki, TTA has sought direction from its banking provider as to the level of information that should or shouldn't be included on EFTPOS receipts,"

The Public Transport Users Association president Daniel Bowen in a blog called for the details to be scrapped from the receipts so that passenger privacy was not compromised.

"... these receipts should not reveal full names, card expiry dates and so much of the card number," Bowen said in a statement.

“The government must fix this – and in the meantime, passengers should be wary and check the collection tray at vending machines before leaving.”

Mastercard stated in its card security guidance that "all printed ATM receipts must omit the card expiration date" and "must reflect only the last four digits of the PAN (permanent account number)".

But the credit card digits would be “totally useless” to a would-be fraudster, according to a veteran fraud chief formerly at a major card issuer.

“Those numbers could not be used for anything,” the expert told SC on the condition of anonymity.

“In fact I wish more organisations had done that.”

The information was in line with the Payment Card Industry Data Security Standard which imposes minimum requirements on card issuers like Mastercard and Visa for transaction data security.

Expiry dates were typically published on receipts to assist users to identify the credit card used in the transaction and posed no risk to consumers.

The state’s Transport Ticketing Authority had already planned to overhaul the system more than 12 months ago and fix the printing glitch.

"The TTA is investigating the possibility of reducing the amount of personal information that is provided on myki machine receipts, provided this can be achieved within the current EFT code of conduct."

Cheif executive Bernie Carolan said customers were not at risk from the printed card information.

"It would be impossible for someone who found a Myki machine receipt to ever discover the missing card information, such as remaining card number digits or CVV number, which is required for the majority of online purchases,” Carolan said in a statement to SC.

"[The authority] believed that the majority of customers would want to have an EFTPOS receipt to verify their transaction.

"Real-world experience has shown that many customers do not collect the receipt and leave it in the machine."

The $1.35 billion Myki system is replacing the previous Melbourne Metcard travel system and is in use by about 90 percent of tram and train users.

The news comes as the Transport Ticketing Authority revealed it was forced to refund some $620,000 since 2010 in overcharged fares caused by a separate glitch.

Last year, security researchers detailed a side-channel cryptographic hack against the Myki card which would expose a user’s fare transaction data, but no personal information.

Updated with comment from the Public Transport Users Association and the TTA.

Copyright © SC Magazine, Australia


Myki security scare 'offers nothing' to fraudsters
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  20%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1499

Vote