Privacy fixes for Myki machine receipts

Back in August 2012 the big Myki story was the flaw in receipt printing that risked users credit card security – it got a run in The Age and I posted about how the security hole put users at risk of further identity theft. Fast forward to today, and it appears that the Transport Ticketing Authority has finally done something about the issue.

Myki machine at Flinders Street Station still spitting out unwanted receipts

Their solution is a software change to the Myki CVMs (ticket machines) themselves, coupled with an upgrade to the firmware of the EFTPOS terminal integrated into the machine.

The most visible change is the elimination of the previously-disabled ‘Buy short term ticket’ button on the home screen, with the ‘top up’ option being split into separate Myki money and Myki pass options.

Home screen of a Myki CVM running the latest software version

The second change is to the receipt printing format – the Myki logo on the top of the printout has been removed, and the cryptic ‘Location ID’ (tram stop) or ‘Station ID’ (railway station) line has been replaced with the much more understandable tram stop or railway station name.

The final change is to the monospaced text that appears on the EFT receipts – personal information such as the cardholder’s name and card expiry date have been removed, and instead of nine digits of the card number being printed out, only the last four digits appear.

From what I have been determine, the first two changes occur together when a Myki machine is upgraded to the new software, but the change to the card information on receipts is dependent on the EFTPOS terminal itself being upgraded – I’ve received EFT receipts with the new header formatting but still with my personal details included.

I’ve been told that for security reasons card readers everywhere – vending machines and in retail stores – are standalone piece of software, with the communications between them and the ‘client’ machine being very basic – it says ‘debit $X from the customer’ and the card reader spits out a receipt (edit: or the data needed to print a receipt), and a yes/no authorisation.

As for the unwanted Myki receipts littering the streets of Melbourne, it looks like that issue will be with us for a while longer, as this Herald Sun report from a few days ago reports:

Mr Darwent said PTV was working on improvements that would result in no banking receipt being printed for customers who opt not to get one.

The more things change…

Liked it? Take a second to support Marcus Wong on Patreon!
Become a patron at Patreon!
You can leave a response, or trackback from your own site.

5 Responses to “Privacy fixes for Myki machine receipts”

  1. Daniel says:

    “card readers everywhere

    • Marcus says:

      I guess I could have worded it better – when I meant to get across is that the demarcation between client device and card reader is very defined.

      I’ve since clarified that the EFTPOS terminal either prints the receipt or returns the information needs to print a receipt back to the client via the data connection. The demarcation would also mean that the client device (eg: Myki machine) never communicates with the bank directly, or sees the PIN entered by the user.

      In the case of an EFTPOS terminal that passes the receipt via the data connection, the logic in the client can either send it to the printer or throw it away – just like the supermarket self checkout example.

  2. Evan says:

    I get the impression from TTA/PTV’s comments that their merchant provider has thus far instructed them that they are required to provide a receipt for every EFTPOS transaction. Before you say, “But Woolworths/Coles/McDonalds/etc” don’t – those very large chains act as their own merchant providers, which gives them a lot of extra freedom in how they work with EFTPOS. I would hope that they’re working on the arm twisting – I’d have to assume that myki is a substantial enough customer to hold some weight.

    There is one exception I know of to the “EFTPOS is separate from the POS terminal” rule – credit cards can be accepted via a software solution that uses a standard magstripe reader, and requires signature (not PIN) as authentication. Crown use this in some of their bars.

  3. […] last wrote about unwanted myki receipts way back in January 2013, but unfortunately the problem still hasn’t been fixed – instead money is spent on […]

  4. […] 2013 saw that vulnerability fixed, but the “print a receipt even if I don’t want one” bug wasn’t addressed […]

Leave a Reply

Your email address will not be published. Required fields are marked *