Following reported instances of a number of accounts being accessed maliciously earlier this year, all Oyster and contactless customers are being required to reset their website account passwords.

TfL says that it’s a purely precautionary measure, and that there’s no reason to think that the earlier attack has been repeated.

The background is that back in August, TfL became aware that a small number of customers had had their Oyster online accounts accessed maliciously. TfL believes that this occurred when people used the same password on several websites and one of those other websites was hacked into, letting a hacker into their TfL account using the same password.

Fortunately, no customer payment details were accessed and all affected customers were contacted and informed about this at the time.

TfL says that it is working with the British Transport Police to investigate who is behind the earlier attack, with one person already arrested, and the Information Commissioner’s Office has been notified.

As a precautionary measure, TfL has now decided to ask all customers to reset their passwords via the TfL website, and the reset will be sent to their registered email account.

Using a different password on every website is a pain, but it’s about the only way of preventing a hacked website letting someone log in to your account on an otherwise secure website. A password manager tool, which generates random passwords for each website you log into, is a good way of reducing that risk, and ianVisits makes use of LastPass as a web browser plug-in. Other password managers exist.

Shashi Verma, Chief Technology Officer at Transport for London said: “Protecting our customers’ data is paramount and we want to help our customers to ensure their personal accounts remain safe. As part of this continuing work, we have recently begun making all Oyster and Contactless online account holders reset their passwords when they next sign in.”

Travel using an Oyster or Contactless card won’t be affected, only using the website to check customer account details.


4 comments on “TfL forcing all Oyster card users to reset their passwords”
  1. John B says:

    I’m going to continue using the same password on unimportant websites, as having tried password managers, they are just too hard to maintain across different devices and browsers. Organisations that force password resets are a PITA, especially if they prevent you re-entering the password you want.

    • Ben says:

      And you’re the type to scream bloody murder when something goes wrong because of your own lack of security — I’ve been using password managers for years. They just sync across all platforms so your excuse is at best ignorance. If you don’t know how to use them, ask someone, read up on the internet, or pick an alternative password manager that is better designed. LastPass is mentioned in the article which is brilliant.
