Yesterday morning the big Myki news story in the mainstream media was the revelation that Myki ticket machines spit out EFT receipts containing excessive amounts of personal details, even if the user doesn’t ask for one, leaving people open to identity fraud if they don’t collect their receipt.
The story broke in The Age article ‘Myki flaw risks credit card security’ by Adam Carey:
Passengers who decline a printed receipt after topping up at a vending machine with a credit or eftpos card are automatically issued one anyway, often unwittingly leaving behind a receipt that includes their full name, nine digits of their credit card and the card’s expiry date. Passengers who accept a receipt are automatically issued two copies.
The issue isn’t a new one: the ‘feature’ has been part of Myki since the machines were first rolled out, with the Transport Ticketing Authority being unwilling to fix the issue.
Soon after reading the article in The Age, I did my usual rounds of the technology news sites, and came across a seemingly unrelated article in Wired titled ‘How Apple and Amazon Security Flaws Led to My Epic Hacking’. Here reporter Mat Honan details how his entire digital life was destroyed when hackers gained access to his Apple account using social engineering and a few key snippets of personal information.
It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.
Credit card numbers out in the open? Full names that could be tied to a physical location? I put two and two together pretty quickly, and it seems like the rest of Twitter did the same thing:
— Daniel Bowen (@danielbowen) August 8, 2012
I don’t use EFT to top up my Myki and don’t own an iPhone, but if you fall into either group, I hope these aren’t your receipts littering Melbourne, or you might be next.