A security flaw has been discovered in the Myki vending machine , a contactless smartcard ticketing system being rolled-out on public transport in Victoria, Australia.
According to The Age, when travelers pay for their tickets with credit or eftpos cards, the vending machines ask them if they want a receipt. Due to a bug, even if the individual chooses not to receive one, the machine prints one anyway.
On the other hand, those who ask for receipts are served two copies.
The receipts contain the customer’s full name, nine digits from their credit card number and its expiry date, information that, according to Australian Securities and Investment Commission and credit card companies, should be handled with care in order to minimize the potential risks.
A worst-case scenario is one in which a passenger selects “no” and rushes off before the receipt is printed. The person that uses the machine next can end up with pieces of information that could be highly valuable to a skilled social engineer or an identity thief.
The Transport Ticketing Authority admitted yesterday that the manner in which its myki vending machines issue receipts is flawed and says it is working to fix the problem.
“The TTA originally believed that the majority of customers would want to have an eftpos receipt to verify their transaction. Real-world experience has shown that many customers do not collect the receipt and leave it in the machine,” TTA Chief Executive, Bernie Carolan, explained.
According to The Age, when travelers pay for their tickets with credit or eftpos cards, the vending machines ask them if they want a receipt. Due to a bug, even if the individual chooses not to receive one, the machine prints one anyway.
On the other hand, those who ask for receipts are served two copies.
The receipts contain the customer’s full name, nine digits from their credit card number and its expiry date, information that, according to Australian Securities and Investment Commission and credit card companies, should be handled with care in order to minimize the potential risks.
A worst-case scenario is one in which a passenger selects “no” and rushes off before the receipt is printed. The person that uses the machine next can end up with pieces of information that could be highly valuable to a skilled social engineer or an identity thief.
The Transport Ticketing Authority admitted yesterday that the manner in which its myki vending machines issue receipts is flawed and says it is working to fix the problem.
“The TTA originally believed that the majority of customers would want to have an eftpos receipt to verify their transaction. Real-world experience has shown that many customers do not collect the receipt and leave it in the machine,” TTA Chief Executive, Bernie Carolan, explained.