Poor TfL, about to get a bout of my ire, and while they are not the only miscreants in this area, what I just saw is pretty high up the rankings of poor practice.

I have to change my Oyster prepay top up card details today, as my bank card has expired. So, for the first time in a year, I log in to the Oyster website, or more accurately, after several attempts at retrieving a long lost password, I log in.

Then I am presented with a page asking me to update all my account details.

Not a problem — until I get to the security questions.


I need to provide them with a 6-digit passcode to use should I ever need to phone customer care. There is no option to say “no thanks”, I must enter a code.

Problem is, I am hardly ever going to phone up TfL, except in the most egregious of difficulties, and at that point in time, am I really likely to remember a 6-digit passcode I may have typed into a website a number of years ago?

Not a hope. Seriously, not a chance. I’ve nearly forgotten what I typed in a few minutes ago, as I just had to enter something, anything — junk in fact.

So, in order to be more secure, they have basically locked me out of the telephone customer care system. Which is one way of making my account secure!

Except that if I am phoning them up, then it’s because there is a damn serious problem, and the last thing I am going to want to do is waste time arguing about some damn fool passcode I won’t have remembered.

It wouldn’t be so bad if it were a 4-digit code, as I could use a bank PIN, but that is probably why they decided not to allow such a code to be used.

But, it gets worse!


They also want a security question to be filled in — and worryingly, they require that I provide answers to their preset questions. I can’t type in a question of my own, and provide an answer, I have to answer their questions.

Fortunately, there is one, just the one, that I can answer in the list. However, I have often found websites mandating this sort of thing where I absolutely cannot answer any of the question options they present.

In that sense, by happy accident, I am able to fill in the TfL question — but honestly, how many people can remember their very first birthday? Seriously?

Apart from the sheer difficulty sometimes of answering questions to which I have no answer, a single (hopefully encrypted) answer in a database is less secure than a free text field with a user submitted question, and an encrypted answer. Two records being more hassle for hackers than one.

So, someone at TfL has decided that an Oyster account, which holds information of limited use to a hacker, is so sensitive that it has to have both a 6-digit passcode AND a preset security question in case I ever need to phone up customer care.

I just hope I never have to do so, as I am sure I won’t remember the answers I gave today.

As XKCD said recently, “Through 20 years of efforts, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.

Finally though — it is very bad industry practice to ask people to tick a box on email contacts preference to opt-out of mailings.

The default should always be opted out, unless I tick to opt-in.

Not just good customer service, but actually good email policy, as people are less likely to mark unexpected emails as spam, so the email sender’s reputation score is protected against spam filters.

This is just poor email management when practised by any organisation.


Curiously enough, I wasn’t asked if I would like to opt-in to the weekly email listing travel disruptions this coming weekend. It’s a very good email, and one I suggest everyone should get — but it wasn’t an option here.

I will be generous and presume their clever system knew that I already get the email, but sadly, I suspect that it doesn’t, and the option was simply missing.



  1. I got this yesterday and was also incensed by the security questions. I think it is best to completely make up a first/favourite pet and use that like a password for all these stupid security questions.

    Where was your first birthday, I would imagine, is for many people, the same as place of birth. Don’t get what delaying it by a year adds.

  2. Martin says:

    that is a particularly stupid set of security questions. I had to call the Oyster helpline today to resolve an unfinished journey which couldn’t be done on the website – thankfully they only asked me a fairly standard question (and not one of the ones from the list in your screengrab.)

  3. Tom Jones says:

    I had a very similar problem when my oyster card stopped functioning at the end of last week. The chap said “you’ll need your password, do you know it” and I knew what sort of thing I might have had, but I was wrong.

    Eventually he handed me an oyster registration form opened to the password page with the questions and said “you will have filled in this at some stage, have a read and see whether you might remember your password”.

    He was clearly rather annoyed that no one could ever remember their password and had developed his own little system to prompt them.

  4. Use LastPass to generate and remember passwords. Simple and secure.

    • IanVisits says:

      I use that — which is good for some purposes, but less so for passcodes and drop down security questions which it can’t remember (or seems unable to).

  5. JJ says:

    Sarah Palin’s email was hacked because she answered the security questions accurately. Who is more likely to cause you real grief with hacking into your accounts, someone in China probing a million accounts, or an enraged ex-brother-in-law? Use fictitious answers.

  6. Gordon Ross says:

    Firstly, never, ever, tell the truth on any website or security question unless you *absolutely* have to. On many websites which don’t really need my details, I often register as, say, David Cameron, or Joan Collins. If it needs a date of birth to verify that you’re over 18, make one up!

    Next, get a password manager. There are many out there both free and paid for. Then set a *very* secure password on your password manager, and let it store and manage your passwords, security questions, etc. (A long sentence is actually quite a good password/phrase)

    If you don’t want to use a password manager, go the old fashioned route: Pencil & paper. The instructions about not writing down passwords are rubbish. And paper is *very* difficult to hack remotely 😉

  7. Gordon Ross says:

    PS You don’t have to give a sane/sensible answer to security questions. What’s to say you can’t give your place of birth as “Cabbage”, or your favourite colour as 9753?

    • IanVisits says:

      The issue is less what you type in to the form in 2014, than if you can remember it when you phone TfL in 2017.

  8. These systems also often insist that the answers are more than five characters. Tough if you spent your first birthday in York or Rye, or your first pet was called Boo. Or your first childhood friend was called Ian.

  9. Lisa Hirsch says:

    I have a password safe for this kind of crap – on my phone. There is also the Bruce Schneier solution: write stuff down on a piece of paper that is in a secure or hard-to-find place. My variant of this is that you could have two pieces of paper: one is the key for which password or phrase or security question goes with which site – and you keep them in separate locations. Yeah, inconvenient, but pretty secure.

  10. Greg Tingey says:

    They also want a security question to be filled in — and worryingly, they require that I provide answers to their preset questions. I can’t type in a question of my own, and provide an answer, I have to answer their questions. THIS ONE is getting commoner, too & it’s a real pain.

    In fact, it’s all a real pain

  11. Francesca Fenn says:

    I was popping on and off the DLR a couple of weeks back, researching for a new Step Outside Guide, and my Oyster was charged £17 for off peak in zones 2,3 & 4. When I phoned, I was eventually allocated £10 credit, provided I used it in the next week. Since I was driving up to Sheffield, this wasn’t going to happen. I am very cross about it! And it should have been more than £10! Hrmph.

  12. dave_in_chiswick says:

    I got a new Oyster card yesterday, and even though I registered it online, you still cannot add a monthly travelcard without taking it to the ticket office (I thought they were getting rid of those?) and registering in-person.

    To my amazement, the member of staff insisted I had to provide them my online password that I used for my Oyster account. Considering I use the same password for some other accounts, this is totally unacceptable and ridiculously amateurish.

  13. Harry (not my real name) says:

    I use the phone text method of selecting a passcode. Remember a six letter word (easier, surely than a six-digit number) and when you need to give the number, recall the word letter-by-letter and associate each letter with the number on a phone keypad that the letter appears on.

    So if your word was visits, your passcode would be 847487.

  14. Harry (not my real name) says:

    (I’ll get my coat..)

  15. STC says:

    A few years ago a new system was brought in at my work for resetting passwords. Everyone had to register and answer several security questions from a preset list. That list makes the ones above seem sensible. The worst and most memorable was “What is your weight?”…..cause that never changes?! I was forced to answer “what is your favorite book?” but when needed I couldn’t remember what I had put. About a year after this was set up there was some sort of issue with the email system and all passwords needed to be reset…..I think the IT phone lines were jammed for days with people locked out for incorrectly guessing the questions! The questions have since been changed…!

  16. Gerry says:

    My favourite gripe is that vast numbers of organisations just ask for Date of Birth and Mother’s Maiden Name.

    How stupid can they get? This practice obviously breaks the golden rules.

    Firstly, always using the same two questions means sharing passwords, which is obviously a No-No. If you give such personal information to someone in an Indian call centre on starvation wages, don’t be surprised if you then become a victim of identity theft!

    Secondly, this information is often easily available. Friends and acquaintances often know a DoB, and buying cakes on a birthday is a widespread practice in offices. Similarly, a maiden name is often known to others; some ladies even keep using it if their husband is well known.

    Another obvious weakness is asking for full password information over the phone. Calls can be overheard in open plan offices, voice logging systems are not unknown, crossed lines aren’t impossible…

  17. David S says:

    I lost my oystercard a while ago but I had a spare, so called them up and asked them to transfer the balance onto my existing card. I was told I had to call back after 7 pm, which I did but they still could not change it, after 3 days of trying they said they would have to send me a new card instead. Even more silly they cannot just transfer the auto top up or balance over the phone I have to log into the website and then set it all up again. This is ok but I have not been travelling in London by train for a few weeks and the only way to activate it is making a journey so they tell me. This all seems far too complex and outdated. What it will be like when cashless comes in and buses are stranded at bus stops for 10 minutes at a time with people arguing.

  18. Aish says:

    I locked myself out of my oyster account as I couldn’t remember what password I’d entered years ago. In the end, I had to fax them a copy of my passport so they were sure I was who I said I was!

  19. Sean says:

    I COULD NOT BELIEVE the stupidity of the requirement to leave a 6 digit passcode and of the pre-set questions. So much so that I searched online the term “Where was your first birthday” to see if anyone thought the same. That’s how I wound up here. Glad it’s not just me…

  20. Allan says:

    I got new oyster yesterday, but don’t know the security question.
    I am trying to register it online and it says your oyster is already registered.
    When I purchased the Oyster I just paid 5 pounds for card and 5 pounds for recharge.
    I would like to register my account online, however don’t know the security question because no one asked me that info while purchasing the card.
    Do I need to call customer care to get the same?
