 

Article: Go card hacked: user says funds transferred without consent

Started by ozbob, January 09, 2010, 16:31:18 PM


ozbob

From the Brisbanetimes click here!

Go card hacked: user says funds transferred without consent

Quote
Go card hacked: user says funds transferred without consent
DARREN CARTWRIGHT
January 9, 2010 - 4:12PM

Queensland's Transport Minister Rachel Nolan has again been called on to defend paperless public transport ticketing go cards after a security breach, with funds transferred without the owner's consent.

A commuter says the entire balance of his go card was transferred to another account without his permission.

Nick Smith, 27, who is a Nine Network cameraman, told Ms Nolan that his go card had never left his wallet yet someone accessed his account.

After he discovered the problem yesterday, he called TransLink and was advised his funds had been transferred over the phone the night before, he told the minister.

"I had to give my name, address and my password when I was talking to TransLink over the phone," Mr Smith told AAP.

"If someone transferred the money how did they have my password and my card number? The card has never left my wallet."

The go cards can be linked to bank accounts and sensitive personal data.

Ms Nolan initially put the error down to a computer glitch until she realised the seriousness of the problem and the potential theft of funds.

She said the system was secure and commuters should not be alarmed by Mr Smith's predicament.

"We have to check this out as I can't explain the specific software problem in this case," she said.

"The system has a great deal of protocol to make this secure."

A TransLink spokesman said Mr Smith's complaint was the first of its kind.

"The transfer of one card to another is not something that I have heard of before and one I will look into it," he said.

Ms Nolan has been under pressure over the ticketless system following a 40 per cent increase in paper tickets this year.

The price spike was to force people to switch to go cards which only rose 20 per cent.

But, it has been revealed that 110 out of 144 railway stations across the southeast do not sell go cards making it extremely difficult for commuters to use the system.

AAP
Half baked projects, have long term consequences ...

ozbob

I think it is possible operator error.  Do they keep recordings of the phone calls for 'quality assurance purposes' ...?

(quickly checking my go card account .. LOL  My money is still there  :P  )

#Metro

Here we 'Go' again.
This is like the "it's not a systemic problem, but we have no idea what the cause of the problem is yet and we are still yet to get people to look at it".

Quote
Ms Nolan initially put the error down to a computer glitch until she realised the seriousness of the problem and the potential theft of funds.

She said the system was secure and commuters should not be alarmed by Mr Smith's predicament.
"We have to check this out as I can't explain the specific software problem in this case," she said.

Is this the truth? How can one be so confident that the system is still secure given the shortness of time and that investigations are still ongoing and the cause has not been located?

And why isn't Translink doing the talking? The error occurred within their organization, not the government.
Negative people... have a problem for every solution. Posts are commentary and are not necessarily endorsed by RAIL Back on Track or its members.

O_128

Quote from: tramtrain on January 09, 2010, 16:53:56 PM
Here we 'Go' again.
This is like the "it's not a systemic problem, but we have no idea what the cause of the problem is yet and we are still yet to get people to look at it".

Quote
Ms Nolan initially put the error down to a computer glitch until she realised the seriousness of the problem and the potential theft of funds.

She said the system was secure and commuters should not be alarmed by Mr Smith's predicament.
"We have to check this out as I can't explain the specific software problem in this case," she said.

Is this the truth? How can one be so confident that the system is still secure given the shortness of time and that investigations are still ongoing and the cause has not been located?

And why isn't Translink doing the talking? The error occurred within their organization, not the government.

I agree. How can Translink do their job with the minister taking over every 5 minutes? I'm sure it was you, tramtrain, who said that Translink is supposed to be an impartial company free from government influence, so what is she doing?

"The transfer of one card to another is not something that I have heard of before and one I will look into it,"

I thought it was common knowledge that you can transfer funds from one card to another.
"Where else but Queensland?"

dwb

I worked in a bank for many years and I have to say this doesn't on the face of it sound like such a large problem. Often the back ends of these kinds of systems are mainly concerned with balance as the person with physical access to the system has access through certain levels of security in order to achieve their job... every credit must be accompanied by a debit, that is how everything adds up at the end of the day. In this case it would seem that it could have been a mistyped number and it sounds like it could be rectified. If it was fraud (which I'm thinking highly unlikely) then again, I don't see the big deal, each card can only have a maximum of $250 loaded on to it, and if you know anything about banking, then you take a bit of fraud with your systems before you spend bucket loads increasing the system security... that's why Australia is only slowly moving towards PIN+chip credit card accounts... The banks don't throw out the idea of a credit card simply because one person is defrauded! I'm not saying it's not an issue, I'm just saying the response needs to be appropriate to the issue, and to me it just sounds like a newsman digging for a story... you never know he could have left his diary on his desk and got his mate to ring up and pretend to be him... if he wrote down the card no in his diary - who knows!

longboi

I agree too. It seems like an operator may have typed the wrong number but we shall wait for the "investigation" to unfold.

#Metro

Let's look at the Transport Operations (TransLink Transit Authority) Act 2008 for answers:
www.legislation.qld.gov.au/LEGISLTN/ACTS/2008/08AC032.pdf

One purpose of TL is to keep 'government regulation' to a minimum.
Though now it is hard to tell who was responsible for what. (Were the ticket prices TL's idea or the ministers'? What about the 400 000 taxpayer funded cards? The 301 000 new services?)

Quote
Part 1: Preliminary
Division 1: Introduction

3 Purposes of the Act and their achievement
(1) The main purpose of this Act is to deliver in the TransLink area the best possible mass transit services at reasonable cost to the community and government, while keeping government regulation to a minimum.

Although there is a backdoor if the heat gets too much or things get too controversial. The pollies can never give up power absolutely. This could be a good or a bad thing depending on the situation. TL is only quasi-autonomous.
Quote
Part 3: Functions and Powers of TransLink
Division 2: Powers
18 Powers subject to Ministerial directions
The exercise of any of TransLink's powers is subject to Ministerial directions.


References
1. http://en.wikipedia.org/wiki/Quango


p858snake

I was expecting this to happen actually but I thought the RFID would come first.

If you had equipment to scan RFID cards it's not that hard, especially since the data is kept on the card, since you would just need to walk close to where their card is to get it, then you could easily duplicate it (and if you really wanted to be mean, it wouldn't be that hard to have it rewrite a whole pile of touch on and touch offs to use the card's credit).

ozbob

Minister for Transport
The Honourable Rachel Nolan

Saturday, January 09, 2010

Statement from Transport Minister regarding go card balance transfer

Transport Minister Rachel Nolan has ordered a full investigation into an incident in which a member of the public's go card credit was incorrectly transferred to another person's account.

Minister Nolan said initial investigations by TransLink had revealed that a person's credit was wrongly transferred to another person of the same name when an operator in the Milton call centre failed to follow long-established security protocols.

"I am extremely disappointed that this has happened," Ms Nolan said.

"The integrity of the balance transfer system is critical and a breach of security protocols like this is absolutely unacceptable.

"I have directed that the breach be fully investigated by both the call centre operator and by TransLink.

"The staff involved have been stood down pending the investigation."

The member of the public whose credit was wrongly transferred has been provided with a new fully-credited go card.

ozbob

The entire setup with the call centre has been the cause of much commuter angst.  Misinformation is common.  TransLink should employ their own operators, properly trained and equipped and authorised to act immediately, eg. reimbursements on go card.  This paper chain and administrative bureaucracy just encourages bungling like this.

The public perception of the TL call centre is one of a 'firewall' between TransLink and the public.

Needs a complete overhaul.


ozbob

Sent to all outlets:

10th January 2010

Comment on the go card funds transfer bungle

Greetings,

The recent bungle with the incorrect transfer of a go card user's funds just highlights the problems with the present call centre set-up.

The entire set-up with the call centre has been the cause of much commuter angst.  Misinformation is common.

TransLink should employ their own operators, properly trained and equipped and authorised to act immediately, e.g. reimbursements on go card.  This distant outsourced call centre paper chain and administrative bureaucracy just encourages bungling like this.

The public perception of the TransLink call centre is one of a 'firewall' between TransLink and the public.  Not conducive for good public relations.

Needs a complete rethink and overhaul.

Best wishes
Robert

Robert Dow
Administration
RAIL Back On Track


dwb

As far as I'm aware Serco provide the call centre services to Translink. (http://www.serco-ap.com.au/capabilities/capabilities.html)

In most of my dealings with them they have been fantastic - they are generally polite, well informed, and give accurate information.

I can only think of one or two incidences where they have not met my expectations. The one that sticks in mind was in regards to a complaint about a driver threatening me with physical harm - the call centre called me and started reading a badly written script about the outcome of their investigation. I had asked for a written not telephone response, and the telephone response was sort of like 'shut up and let me read this to you I don't want to listen to your concern about how we are responding to your concern'.  The whole organisation's response should have been better, more customer-focused and responsive to my needs.

The Cubic call centre staff are probably different, I assume this is part of the contract of provision of the payment system. I assume Cubic subcontracts this to a call centre (perhaps Serco) or they may do it themselves. Either or, this is why they have to redirect you. I don't see this as a major issue - in effect it is their (Cubic's) responsibility to deal with the ticketing issues including customer enquiries. In some cases the interface could be better, for example in the above complaint I had told them I had used my go card for the service and its number, as BT were consistently arguing there was no service scheduled at the time I told them (it wasn't, it was about half an hour late) - however from my perspective they should have been able to sort that all out at TL and not have to ask me 5 (yes - five!) times what service I was on... route, time, and stop I boarded.

ozbob

Yes, we have had a lot of feedback re call centre issues, and often mentioned in dispatches on the blogs and letters and so forth. Sometimes fine, other times ...

Wouldn't hurt to review the operations with a view to a more timely response re go card matters in particular.  TransLink did say on 612 ABC on 31st December they would attempt to accelerate the processing of reimbursements.  This latest operator error will also cause a review of sorts I suppose, although one error does not make a major go fraud conspiracy ... LOL, or wild hacking occurring. 

I feel perfectly secure with respect to the financial side of the go card.

STB

Quote
Operators stood down over Go Card breach
DARREN CARTWRIGHT
January 10, 2010 - 2:04PM

Two call centre operators have been stood down following an incident that cast doubts on the security of the Queensland government's paperless ticket system, the Go Card.

Acting Premier Paul Lucas said an investigation was under way to determine why a commuter's go card was stripped of funds and transferred to another commuter's account.

The incident brought into question the security arrangements protecting go cards, which can be linked to an individual's bank accounts and credit cards.

"For the instance to occur is not acceptable," Mr Lucas said.

"The operator did not ask the appropriate questions that one asks to verify one's identity.

"This person has been stood down and a full investigation is under way.

"The fact we have one incident like this is one too many."

A TransLink spokesman said a supervisor had also been stood down pending an investigation.

The problem occurred because the operator did not run through a list of questions to fully identify the caller and wrongfully withdrew funds from another commuter with the same name.

Opposition transport spokeswoman Fiona Simpson said the security breach proves that the go card has serious flaws.

"Unauthorised transactions such as occurred ... should never happen if the system had appropriate security measures in place," she said.

The rollout of the go card has been heavily criticised after it was revealed 110 of 144 railway stations across the southeast do not sell go cards, making it extremely difficult for commuters to use the system.

http://www.brisbanetimes.com.au/queensland/operators-stood-down-over-go-card-breach-20100110-m0hq.html

ozbob

Seems just like a mistake to me.  Doubt if it is an attempt to move funds around purposely to put in a 'mates account' or something.  Just frazzled or lazy employees.

The down side is it creates a bit of FUD, 'fear, uncertainty and doubt', in the community.

Timing couldn't be worse with all the go grief around at the moment.  Hopefully most see it for what it actually is.

Interesting that Mr Lucas has chimed in ...


ozbob

Opposition Statement
http://www.fionasimpson.com.au/Pages/Article.aspx?ID=637

Minister can't be trusted to fix go card

Sunday, 10 January 2010

Bligh Labor Transport Minister Rachel Nolan should immediately remove the 40 per cent price penalty on paper tickets until the bungled go card system is sorted out.

Shadow Transport Minister Fiona Simpson made the call after a security breach was revealed in which a commuter had funds transferred without his permission from his go card account into another person's account.

"This latest debacle proves that go card has serious flaws despite Minister Nolan's assurances it is 'the best in Australia'," said Ms Simpson.

"The go card databank contains extremely sensitive details about people's bank accounts and personal information.

"Unauthorised transactions such as occurred on (Channel 9 cameraman) Mr Nick Smith's account should never happen if the system had appropriate security measures in place.

"Minister Nolan should immediately remove the price hike on paper tickets so Queensland commuters are no longer unnecessarily penalised while she and her department sort out this mess."

Ms Simpson said Transport Minister Rachel Nolan could not be trusted to ensure the system was safe in wake of all the other go card debacles and called for an independent investigation of the card's overall security.

"Minister Nolan is still in fantasy land claiming go card is the best in Australia," she said.

"She hasn't delivered a secure system. How can she be trusted to ensure any security review of go card under her stewardship as the responsible Minister for go card will be anything more than Government spin?"

Minister Nolan came out of hiding yesterday after a week of public fury over the botched roll-out of go card, which saw thousands of public transport users paying higher fares and frustrated about the lack of easy access to go card retail facilities.

However, the Minister has steadfastly refused to apologise for the debacle, continuing to claim the go card system was 'the best in Australia'.

She also refused to say when all SEQ bus commuters, who outnumber rail commuters, will also be able to easily buy the go card and thus avoid the 40 per cent fare hike on paper tickets.

ozbob

From the ABC News click here!

Go card error an isolated incident: Nolan

Quote
Go card error an isolated incident: Nolan

By Chris Logan


Queensland Transport Minister Rachel Nolan says it appears a recent security breach involving the Go Card ticketing system for south-east Queensland was an isolated incident.

It is believed the breach happened when a call centre worker wrongly transferred a person's Go Card credit to another person with the same name.

Ms Nolan says the interim report suggests the two staff members involved knew each other, and did not go through the correct security protocols.

"Translink are ensuring that their staff are properly trained, and the security protocols are in place, but this appears to be a case of completely unacceptable human error," she said.

She expects a final report by the end of the week.
