[BreachExchange] Transport for London Oyster system pulled offline after credential-stuffing crooks board customers' accounts

Destry Winant destry at riskbasedsecurity.com
Fri Aug 9 10:25:41 EDT 2019


Transport for London's online Oyster travel smartcard system has been
accessed by miscreants using stolen customer login credentials, The
Reg can reveal, forcing IT bods to pull the website offline for a
second day.

The UK capital's transport authority has blamed the intrusions on
passengers who used the same email address and password for their
Oyster accounts as for one or more websites that were subsequently
hacked: criminals who have nicked login details from a breached site
replay them against other services, and so get into the Oyster accounts
of people who reuse the same username and password everywhere. This
technique is known as credential stuffing.
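The pattern described above has a recognisable signature on the defending side: one source cycling through many different accounts in a short window with a low success rate. The following is an added example (not code from TfL or The Register) of detection logic run over constructed login-audit lines. The log format (ISO timestamp, source IP, username, OK/FAIL), the sample addresses and the thresholds are all assumptions for illustration; a real deployment would tune them to its own baseline and feed the flagged accounts into a forced password reset.

```python
"""Flag credential-stuffing sources in login audit logs (hypothetical format)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines. 203.0.113.7 sweeps eight different accounts in a few
# seconds (stuffing pattern); 198.51.100.4 is one user mistyping a password once.
SAMPLE_LOG = """\
2019-08-07T09:00:01Z 203.0.113.7 alice@example.com FAIL
2019-08-07T09:00:02Z 203.0.113.7 bob@example.com FAIL
2019-08-07T09:00:03Z 203.0.113.7 carol@example.com OK
2019-08-07T09:00:04Z 203.0.113.7 dave@example.com FAIL
2019-08-07T09:00:05Z 203.0.113.7 erin@example.com FAIL
2019-08-07T09:00:06Z 203.0.113.7 frank@example.com OK
2019-08-07T09:00:07Z 203.0.113.7 grace@example.com FAIL
2019-08-07T09:00:08Z 203.0.113.7 heidi@example.com FAIL
2019-08-07T09:05:00Z 198.51.100.4 ivan@example.com FAIL
2019-08-07T09:05:20Z 198.51.100.4 ivan@example.com OK
2019-08-07T11:00:00Z 203.0.113.7 judy@example.com FAIL
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the hypothetical 'timestamp ip user outcome' lines into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, user, outcome == "OK"))
    return attempts


def find_stuffing_sources(attempts, window=timedelta(minutes=10),
                          min_users=5, max_success_rate=0.5):
    """Sliding window per source IP.

    A source is flagged when, inside any window, it tried at least `min_users`
    distinct usernames and succeeded on at most `max_success_rate` of them.
    Returns {ip: stats} where stats describes the widest flagged window and lists
    the accounts that were actually opened (the ones needing a reset).
    """
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.ip].append(a)

    flagged = {}
    for ip, seq in by_ip.items():
        start = 0
        for end in range(len(seq)):
            # Advance the window start until all attempts fit inside `window`.
            while seq[end].ts - seq[start].ts > window:
                start += 1
            win = seq[start:end + 1]
            users = {a.user for a in win}
            rate = sum(a.ok for a in win) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "success_rate": round(rate, 2),
                        "accounts_opened": sorted(a.user for a in win if a.ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The success-rate ceiling is what separates stuffing from a shared NAT gateway with many legitimate users behind it: a busy office address also produces many distinct usernames, but most of those logins succeed. The accounts listed under `accounts_opened` are the ones where a reused password actually worked, which is the population a site would contact and force through a reset, as TfL describes doing.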

A TfL spokesperson told us: "We believe that a small number of
customers have had their Oyster online account accessed after their
login credentials were compromised when using non-TfL websites. No
customer payment details have been accessed, but as a precautionary
measure and to protect our customers' data, we have temporarily closed
online contactless and Oyster accounts while we put additional
security measures in place."

In fiscal year 2018/19 nearly a billion rail, tram and bus journeys
were made using Oyster cards, netting TfL a cool £2.3bn in revenue,
according to its own statistics.

Over the past couple of days, increasing numbers of users noticed that
they could not log in online and check their smartcards' balances or
top them up with cash.

In tweets from Londoners asking why they can't access their online
accounts and do things like cancel standing orders or change card
details, TfL repeatedly insisted that the problem was "performance
issues impacting users".

TfL's response to the attack on the accounts included taking down
staff access to Oyster systems as well, though Londoners using ticket
machines to top up at stations seem unaffected so far.

TfL also told us: "We will contact those customers who we have
identified as being affected and we encourage all customers not to use
the same password for multiple sites."

The transport authority did not say how many users had been affected. ®

Updated to add at 1629 UTC 8 August

TfL got in touch to tell The Reg: "We have identified around 1,200
accounts that have been accessed maliciously.

"While this is a very small proportion of our 6 million online Oyster
card account holders, we want to be absolutely safe and to protect our
customers’ accounts so have temporarily suspended online contactless
and Oyster accounts while we put additional security measures in

In short, don't use the same username and password combination across
multiple websites.
