London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard.
He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password.
“I was in utter disbelief,” Fresta told El Reg, having just read about Oyster online accounts being breached by credential-stuffing crooks. “Having worked on a number of web apps, I know storing passwords in clear text is, for lack of a better word, a ginormous no-no.”
The Arriva Rail London form handed to Fresta. ARL is the outsourced operator for TfL’s London Overground services.
Just to check that this wasn’t a local misunderstanding by station staff, Fresta checked it out at other stations – and was again asked to write down his password in plain text for staff to read.
TfL did not deny that this is its standard procedure for staff adding discounts to Oyster cards, but insisted in a statement to The Register that it doesn’t store those passwords and lets customers take the completed form away afterwards.
A spokeswoman told us: “Customers can add discounts to their Oyster cards at all station ticket machines and our staff are on hand to support them with this process. If a customer prefers to do this via a ticket office rather than a machine, then a password is temporarily provided to the ticket office staff via a form.
“The password is always entered in the presence of the customer and the form is returned to them to ensure it can be disposed of securely. Customers are advised to change the password on first login, if setting up an online Oyster account. We recognise that where possible this process could be improved and work is under way to identify options.”
Fresta was not impressed with TfL’s customer service, telling us he wasn’t given “any explanation as to how the information [would] be handled or why”.