Transport For London Locks Oyster, Contactless Accounts As ‘Precaution’

Transport for London said it has locked all Oyster and contactless online accounts as a precaution, after funds were stolen by hackers in August.

Users will not be able to carry out online transactions until they reset their passwords, but are able to travel using Oyster cards and recharge the cards at machines as usual.

Oyster and contactless cards can be used without an online account, but accounts give customers another way to top up balances or renew travelcards.

In August TfL discovered that about 1,200 Oyster cards had been “accessed maliciously” via online accounts, most likely using password and username combinations that had been reused elsewhere.

‘Precaution’

Criminals who obtain username and password combinations stolen from one website can use automated systems to try out the credentials on other sites, an attack known as “credential stuffing”.

TfL emphasised that its own systems had not been compromised and that no customers had lost funds.

The agency said it locked all accounts on Thursday of last week and warned customers not to reuse credentials on multiple online accounts.

“This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites,” said TfL chief technology officer Shashi Verma in a statement.

“Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe.

Police investigation

“As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.”

British Transport Police said its investigation of the hack was “ongoing” and that one person had been arrested and released.

“The BTP Cyber Crime Unit is currently undertaking detailed forensic analysis of material secured during the course of their enquiries,” police said.  “This work is being undertaken in collaboration with TfL.”

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

3 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

5 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

7 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

8 hours ago