Oyster System Pulled Offline After Miscreants Enter Customers' Accounts
Arthur T Knackerbracket has found the following story:
Transport for London's online Oyster travel smartcard system has been accessed by miscreants using stolen customer login credentials, The Reg can reveal, forcing IT bods to pull the website offline for a second day.
The UK capital's transport authority has blamed the intrusions on passengers who have used email address and password combinations for their Oyster accounts that were also used for one or more hacked websites: criminals who have nicked login details from other sites can use that information to get into the Oyster accounts of people who reuse the same usernames and passwords everywhere. This technique is known as credential stuffing.
A TfL spokesperson told us: "We believe that a small number of customers have had their Oyster online account accessed after their login credentials were compromised when using non-TfL websites. No customer payment details have been accessed, but as a precautionary measure and to protect our customers' data, we have temporarily closed online contactless and Oyster accounts while we put additional security measures in place."
Read more of this story at SoylentNews.