Using Myki to pwn an iPhone

Yesterday morning the big Myki news story in the mainstream media was the revelation that Myki ticket machines spit out EFT receipts containing excessive amounts of personal details, even if the user doesn’t ask for one, leaving people open to identity fraud if they don’t collect their receipt.

Unwanted receipts build up in a Myki ticket machine

The story broke in The Age article ‘Myki flaw risks credit card security‘ by Adam Carey:

Passengers who decline a printed receipt after topping up at a vending machine with a credit or eftpos card are automatically issued one anyway, often unwittingly leaving behind a receipt that includes their full name, nine digits of their credit card and the card’s expiry date. Passengers who accept a receipt are automatically issued two copies.

The issue isn’t a new one: the ‘feature’ has been part of Myki since the machines were first rolled out, with the Transport Ticketing Authority being unwilling to fix the issue.

More abandoned Myki receipts, this time on top of the CVM

Soon after reading the article in The Age, I did my usual rounds of the technology news sites, and came across a seeming unrelated article in Wired titled ‘How Apple and Amazon Security Flaws Led to My Epic Hacking‘. Here reporter Mat Honan details how his entire digital life was destroyed when hackers gained access his Apple account using social engineering and a few key snippets of personal information.

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Credit card numbers out in the open? Full names that could be tied to a physical location? I put two and two together pretty quickly, and it seems like the rest of Twitter did the same thing:

I don’t use EFT to top up my Myki and don’t own an iPhone, but if you fall into either group, I hope these aren’t your receipts littering Melbourne, or you might be next.

Abandoned Myki receipts at a tram stop

Liked it? Take a second to support Marcus Wong on Patreon!
You can leave a response, or trackback from your own site.

3 Responses to “Using Myki to pwn an iPhone”

  1. josh says:

    I notified Myki of the problems with showing 9 digit of the card on receipts in March of this year and received the following response via email:


    Dear Joshua,
    We write in response to feedback we received, reference number 3114305, regarding the receipt issued when topping up with a credit card at a myki machine.
    We advise currently when topping up your myki card at a myki machine with a credit card, two receipts will be issued. The first receipt is issued by myki to confirm the top up amount has been successfully loaded onto your myki card. The second receipt is issued by the relevant financial institution to confirm the details of the transaction to be debited from your account.
    We like to thank you for your feedback regarding the information currently displayed on this receipt. We do value customer feedback as it plays a vital role in the assessment of our services. Your feedback has been passed onto the relevant business department for internal review. We recognise that maintaining the privacy of myki customers is crucial and we are confident the current system, when a receipt is issued does not divulge information that could be used by a third party for fraudulent purposes.
    As an alternative, you may wish to complete a credit card top up or set up auto top through your online account, where only the last four digits of your credit card number will be displayed for security purposes.
    If you need further information, please visit or call 13 6954 (13 myki) any day between 6.00am and 12.00am, quoting your new reference number, 82843.

    myki Customer Care Team


    To which I responded:

    Hi Customer Care,

    I understand your confidence, however this confidence is misplaced given the facts. I notice that you have not provided me with either your Full Name or 9 digits of your credit card in this email.
    Given this information, I have or can easily find:
    a) your full name
    b) your place of residence
    c) your contact details (email, phone number, etc.), facebook profile, etc.
    d) the exact type of card (amex, visa, mastercard, etc.)
    e) the bank which issued the card (this information is encoded in the first part of a credit card number)

    These are enough details about you to start a targeted social engineering attack.
    With using the EFT code’s suggested last 4 digits truncation, and not including the full name, a discarded receipt does not expose any of the above details.


    Dear Joshua,

    I refer to your escalated case (#82843) regarding the myki receipts supplied from a myki machine. The Transport Ticketing Authority (TTA) has investigated and can advise the following;

    The TTA appreciates your comments and your commitment to identifying potential improvements to the myki ticketing system.

    The TTA advises that at present there are no plans to change the current layout of the myki receipts. However, your feedback is appreciated and has been added to the customer services register for internal review.

    As an alternative to topping up at a myki machine, the TTA advises there is an online top up service available through the myki website ( This does not generate a receipt with the details supplied from a myki machine. Instead you are supplied a reference number once the payment has been made.

    Once again, thank you very much for your feedback.

    If you have any further queries regarding this issue, please do not hesitate to contact me directly via reply email or on (03) 9651 7550. All future enquires should be lodged in the first instance via the myki call centre on 13 6954 (13 myki) or the myki website feedback form at

    Kind regards,

    Pia Wood
    TTA Customer Services

  2. […] users credit card security – it got a run in The Age and I posted about how the security hole put users at risk of further identity theft. Fast forward to today, and it appears that the Transport Ticketing Authority has finally done […]

Leave a Reply

Your email address will not be published. Required fields are marked *