
TfL locks down Oyster accounts to ward off credential stuffing

Mandatory password reset for all travellers who use Oyster and contactless payment systems follows minor breach incident earlier in 2019

Transport for London (TfL) has implemented a mandatory password reset for users of its Oyster and contactless payment services after a small number of passengers had their accounts accessed maliciously earlier this year.

The breach affected about 1,200 users of the service, and is thought to have happened not because of any failings on TfL’s part, but because the affected customers had reused their TfL account passwords on other websites that were themselves breached. No payment details were accessed during the incident.

Following this incident, to reduce the risk from credential stuffing to all users of the system, TfL locked every one of its six million or so user accounts on 28 November pending a user-initiated reset.

“Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe,” said TfL CTO Shashi Verma. “As part of this continuing work, we have recently begun making all Oyster and contactless online account holders reset their passwords when they next sign in.

“This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites. This is a routine step to enhance the security of our online accounts.”

Oyster users can regain access to their TfL accounts by visiting and following the steps outlined there. New passwords need to be at least eight characters long and contain a mix of numbers, upper- and lower-case letters, and special characters. Passwords should also be unique, and never reused across any other services.

Verma said passengers can still top up their Oyster cards as normal, and travel on TfL services, without having to reset their passwords.

TfL has enlisted the British Transport Police to help investigate who was behind the breach, and it is understood that one arrest has been made. The Information Commissioner’s Office has also been notified.

George Loukas, an associate professor in cyber security at the University of Greenwich, said that although it is often tempting to reuse passwords across different online services, the practice should be avoided, particularly now that password manager services are readily available.

“Every time you hear on the news that your favourite online shop, online gaming site or online storage provider has been hacked, you can consider the username and password pairing that you used there as practically public knowledge,” said Loukas.

“After cyber criminals get hold of your compromised credentials, they use inexpensive software that automatically checks where else you have used them. They then often sell these on to other cyber criminals that will benefit from impersonating you.”
