Myki security scare 'offers nothing' to fraudsters

Powered by SC Magazine
 

Limited credit card number and expiry date not enough for fraud.

Updated: At least one credit card expert has poured cold water on an apparent ‘security flaw’ within Victoria’s Myki train and tram ticketing system, which saw portions of credit card numbers printed on receipts.

The receipts contained nine digits of a credit card, an expiry date and customer names, and thanks to a glitch were printed regardless if a customer opted to not receive it, The Age reported

The receipts were routinely not collected by customers and had piled up in ticket machines.

Voluntary guidelines from Australian Security and Investments Commission covering electronic transactions (EFT) (pdf) require that receipts must not include a full credit card number and the customer’s name or address.

But the TTA said the guidelines relate to electronic payment facilities provided by banks, credit unions, building societies and other financial institutions, and not the TTA.

"TTA's electronic payment facilities are provided by Westpac and throughout the development of myki, TTA has sought direction from its banking provider as to the level of information that should or shouldn't be included on EFTPOS receipts,"

The Public Transport Users Association president Daniel Bowen in a blog called for the details to be scrapped from the receipts so that passenger privacy was not compromised.

"... these receipts should not reveal full names, card expiry dates and so much of the card number," Bowen said in a statement.

“The government must fix this – and in the meantime, passengers should be wary and check the collection tray at vending machines before leaving.”

Mastercard stated in its card security guidance that "all printed ATM receipts must omit the card expiration date" and "must reflect only the last four digits of the PAN (permanent account number)".

But the credit card digits would be “totally useless” to a would-be fraudster, according to a veteran fraud chief formerly at a major card issuer.

“Those numbers could not be used for anything,” the expert told SC on the condition of anonymity.

“In fact I wish more organisations had done that.”

The information was in line with the Payment Card Industry Data Security Standard which imposes minimum requirements on card issuers like Mastercard and Visa for transaction data security.

Expiry dates were typically published on receipts to assist users to identify the credit card used in the transaction and posed no risk to consumers.

The state’s Transport Ticketing Authority had already planned to overhaul the system more than 12 months ago and fix the printing glitch.

"The TTA is investigating the possibility of reducing the amount of personal information that is provided on myki machine receipts, provided this can be achieved within the current EFT code of conduct."

Cheif executive Bernie Carolan said customers were not at risk from the printed card information.

"It would be impossible for someone who found a Myki machine receipt to ever discover the missing card information, such as remaining card number digits or CVV number, which is required for the majority of online purchases,” Carolan said in a statement to SC.

"[The authority] believed that the majority of customers would want to have an EFTPOS receipt to verify their transaction.

"Real-world experience has shown that many customers do not collect the receipt and leave it in the machine."

The $1.35 billion Myki system is replacing the previous Melbourne Metcard travel system and is in use by about 90 percent of tram and train users.

The news comes as the Transport Ticketing Authority revealed it was forced to refund some $620,000 since 2010 in overcharged fares caused by a separate glitch.

Last year, security researchers detailed a side-channel cryptographic hack against the Myki card which would expose a user’s fare transaction data, but no personal information.

Updated with comment from the Public Transport Users Association and the TTA.

Copyright © SC Magazine, Australia


Myki security scare 'offers nothing' to fraudsters
 
 
 
Top Stories
The iTnews Benchmark Awards
Meet the best of the best.
 
Telstra hands over copper, HFC in new $11bn NBN deal
Value of 2011 deal remains intact.
 
Photos: iTnews Benchmark 2015 finalists revealed
Awards alumni gather to celebrate.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  4%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 1747

Vote
Do you support the abolition of the Office of the Information Commissioner?