Myki security scare 'offers nothing' to fraudsters

Updated: At least one credit card expert has poured cold water on an apparent ‘security flaw’ within Victoria’s Myki train and tram ticketing system, which saw portions of credit card numbers printed on receipts.

The receipts contained nine digits of a credit card, an expiry date and customer names, and thanks to a glitch were printed regardless if a customer opted to not receive it, The Age reported. 

The receipts were routinely not collected by customers and had piled up in ticket machines.

Voluntary guidelines from Australian Security and Investments Commission covering electronic transactions (EFT) (pdf) require that receipts must not include a full credit card number and the customer’s name or address.

But the TTA said the guidelines relate to electronic payment facilities provided by banks, credit unions, building societies and other financial institutions, and not the TTA.

"TTA's electronic payment facilities are provided by Westpac and throughout the development of myki, TTA has sought direction from its banking provider as to the level of information that should or shouldn't be included on EFTPOS receipts,"

The Public Transport Users Association president Daniel Bowen in a blog called for the details to be scrapped from the receipts so that passenger privacy was not compromised.

"... these receipts should not reveal full names, card expiry dates and so much of the card number," Bowen said in a statement.

“The government must fix this – and in the meantime, passengers should be wary and check the collection tray at vending machines before leaving.”

Mastercard stated in its card security guidance that "all printed ATM receipts must omit the card expiration date" and "must reflect only the last four digits of the PAN (permanent account number)".

But the credit card digits would be “totally useless” to a would-be fraudster, according to a veteran fraud chief formerly at a major card issuer.

“Those numbers could not be used for anything,” the expert told SC on the condition of anonymity.

“In fact I wish more organisations had done that.”

The information was in line with the Payment Card Industry Data Security Standard which imposes minimum requirements on card issuers like Mastercard and Visa for transaction data security.

Expiry dates were typically published on receipts to assist users to identify the credit card used in the transaction and posed no risk to consumers.

The state’s Transport Ticketing Authority had already planned to overhaul the system more than 12 months ago and fix the printing glitch.

"The TTA is investigating the possibility of reducing the amount of personal information that is provided on myki machine receipts, provided this can be achieved within the current EFT code of conduct."

Cheif executive Bernie Carolan said customers were not at risk from the printed card information.

"It would be impossible for someone who found a Myki machine receipt to ever discover the missing card information, such as remaining card number digits or CVV number, which is required for the majority of online purchases,” Carolan said in a statement to SC.

"[The authority] believed that the majority of customers would want to have an EFTPOS receipt to verify their transaction.

"Real-world experience has shown that many customers do not collect the receipt and leave it in the machine."

The $1.35 billion Myki system is replacing the previous Melbourne Metcard travel system and is in use by about 90 percent of tram and train users.

The news comes as the Transport Ticketing Authority revealed it was forced to refund some $620,000 since 2010 in overcharged fares caused by a separate glitch.

Last year, security researchers detailed a side-channel cryptographic hack against the Myki card which would expose a user’s fare transaction data, but no personal information.

Updated with comment from the Public Transport Users Association and the TTA.

Copyright © SC Magazine, Australia