[LINK] myki

Tue Oct 16 19:13:34 AEDT 2012

Frank and Jan write,

>> You see, here in Victoria we have the Bailleau government which is
>> based in the Stone Ages of electronic ticketing systems, civil
>> liberties, and privacy, and energy generation and town planning and ...
> 
> Couldn't have said it better, Frank .. It is bad for occasional users
> and visitors, but spare a thought for the people who live here and have
> to put up with it all the time!

"Myki flaw risks credit card security"

August 8th, 2012 By Adam Carey <http://www.theage.com.au/it-pro/security-
it/myki-flaw-risks-credit-card-security-20120807-23s9f.html#ixzz29RnBZBH0>

Fears have emerged that Myki vending machines could compromise the credit 
card security of thousands of public transport users, because of a flaw 
in how the machines issue receipts.

Passengers who decline a printed receipt after topping up at a vending 
machine with a credit or eftpos card are automatically issued one anyway, 
often unwittingly leaving behind a receipt that includes their full name, 
nine digits of their credit card and the card's expiry date. 

Passengers who accept a receipt are automatically issued two copies.

The information on the receipts exceeds the guidelines that the 
Australian Securities and Investment Commission, and credit card 
companies.

The Transport Ticketing Authority admitted yesterday that the manner in 
which its Myki vending machines issue receipts is flawed and says it is 
working to fix the problem.

But consumer and commuter advocates say the authority has failed to do 
all it could to protect Myki users' privacy and financial security, and 
should fix the system urgently.

Gerard Brody, of the Consumer Action Law Centre, said ASIC's voluntary 
guidelines for electronic payments were the best protection Australian 
consumers had when using credit cards, and a government-sponsored system 
such as Myki ought to meet them. 

The guidelines warn against including card expiry dates on receipts. 

''If the information [on the receipts] did result in an unauthorised 
transaction then I think a consumer would have a good claim against Myki 
for any loss that was incurred,'' Brody said.

Public Transport Users Association president Daniel Bowen said the system 
was illogical.

''In many cases, people don't realise a receipt has been issued and 
simply walk away … The way the receipts work is completely illogical. It 
is at odds to what people expect, and what is common practice for other 
retailers. If someone says they don't want a receipt, the system should 
not print them a receipt. If there is a requirement to print a receipt, 
then don't offer people the choice,'' Bowen said.

Transport Ticketing Authority chief executive Bernie Carolan said the 
information on the receipts complied with the electronic funds transfer 
code of conduct, but that it was ''investigating the possibility of 
reducing the amount of personal information that is provided''.

Carolan said the authority was working to change the system so that no 
receipt is printed when a passenger selects ''no''. 

''The TTA originally believed that the majority of customers would want 
to have an eftpos receipt to verify their transaction. Real-world 
experience has shown that many customers do not collect the receipt and 
leave it in the machine,'' he said.

The Myki ticketing system now accounts for 85 per cent of public 
transport validations. About 90 per cent of train and tram travellers use 
Myki. The system has encountered numerous technical problems since 
inception.

Update: The Acting Victorian Privacy Commissioner has confirmed he wants 
answers regarding the potential compromise of commuters' privacy as a 
result of the Myki receipt flaw.

--

Cheers,
Stephen