
TfL Cyber Security Incident

Status
Not open for further replies.

HandyHat

Member
Joined
9 Sep 2023
Messages
25
Location
London
Apologies if this has already been discussed but I didn't spot it.
I know someone who was one of the 5000 people whose bank account details were exposed. They got offered a free 12 month
Identity Plus Experian subscription to protect them against fraud, which I thought was quite interesting.
 

jon81uk

Member
Joined
17 Aug 2022
Messages
862
Location
Harlow, Essex
Apologies if this has already been discussed but I didn't spot it.
I know someone who was one of the 5000 people whose bank account details were exposed. They got offered a free 12 month
Identity Plus Experian subscription to protect them against fraud, which I thought was quite interesting.
That's a fairly standard response to any data breach where GDPR issues may arise.
 

James H

Established Member
Joined
25 Jun 2014
Messages
1,317
when TfL Go eventually "absorbs" the Oyster app
This week the TfL Go app on iOS was updated to include Oyster/contactless account functionality, the rollout having been delayed by the cyber attack
 

87 027

Member
Joined
1 Sep 2010
Messages
715
Location
London
This week I got a questionnaire from TFL asking about my familiarity with (1) multi-factor authentication and (2) passkeys, and how confident I would be about using either. It looks like they are sounding out their users about potential security enhancements. In my case I am entirely comfortable with both although I appreciate that others may have different views.
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,735
This week I got a questionnaire from TFL asking about my familiarity with (1) multi-factor authentication and (2) passkeys, and how confident I would be about using either. It looks like they are sounding out their users about potential security enhancements. In my case I am entirely comfortable with both although I appreciate that others may have different views.
I received the same survey. It didn’t allow space for me to comment that their existing implementations are amongst the most user unfriendly and insecure I’ve encountered, and that they really need to improve the user journey to allow basic functions like accessing a statement.
 

James H

Established Member
Joined
25 Jun 2014
Messages
1,317
The TfL screens for entering an SMS confirmation code look nice but I'm sure they could cut down the number of taps required, especially the one after it confirms the code has been entered correctly.
 

OscarH

Member
Joined
15 Sep 2020
Messages
923
Location
Crawley
I received the same survey. It didn’t allow space for me to comment that their existing implementations are amongst the most user unfriendly and insecure I’ve encountered, and that they really need to improve the user journey to allow basic functions like accessing a statement.
There was an "other" free text box on the incorrectly mandatory question that suggested you must have an issue with app-based TOTP :D
The TfL screens for entering an SMS confirmation code look nice but I'm sure they could cut down the number of taps required, especially the one after it confirms the code has been entered correctly.
Yeah, the extra confirm click gets me every time, it's bizarre UX
 

Blindtraveler

Established Member
Joined
28 Feb 2011
Messages
10,519
Location
Nowhere near enough to a Pacer :(
A survey also received here. The irony is that in fact it's totally on screen reader friendly along with a lot of their account login etc. stuff. I find any interaction I make with TfL online is slow and torturous and that they have really not made any provision whatsoever for people using assistive technology of any kind. So as a result, they are going to get it from both barrels from me in a very politely worded email. But I'll send tomorrow
 

infobleep

On Moderation
Joined
27 Feb 2011
Messages
13,438
There was an "other" free text box on the incorrectly mandatory question that suggested you must have an issue with app-based TOTP :D
Is that an app based Top of the Pops? :lol:

== Doublepost prevention - post automatically merged: ==

A survey also received here. The irony is that in fact it's totally on screen reader friendly along with a lot of their account login etc. stuff. I find any interaction I make with TfL online is slow and torturous and that they have really not made any provision whatsoever for people using assistive technology of any kind. So as a result, they are going to get it from both barrels from me in a very politely worded email. But I'll send tomorrow
Did you mean it's not screen reader friendly as you put, on screen reader friendly?
 

bubieyehyeh

Member
Joined
25 Feb 2016
Messages
352
I've not received the survey, but I find the app very annoying, particularly how you have to re-enter the password about once a month, always at the most inconvenient times. Not sure why it can't remember and just check the 2FA every month; it would be less annoying.

Also would prefer they use time-based one-time password (TOTP) rather than the much less secure SMS.
 

infobleep

On Moderation
Joined
27 Feb 2011
Messages
13,438
I've not received the survey, but I find the app very annoying, particularly how you have to re-enter the password about once a month, always at the most inconvenient times. Not sure why it can't remember and just check the 2FA every month; it would be less annoying.

Also would prefer they use time-based one-time password (TOTP) rather than the much less secure SMS.
I agree on your last point. Then one can use an authenticator app and they are not reliant on having reception to receive SMSs, which on parts of the underground is non-existent on O2 and that's even if you just include the stations, never mind the tunnels.
 

Mikey C

Established Member
Joined
11 Feb 2013
Messages
7,613
The TfL screens for entering an SMS confirmation code look nice but I'm sure they could cut down the number of taps required, especially the one after it confirms the code has been entered correctly.
It's very annoying to have to enter a SMS confirmation code EVERY time I access my TfL account from the same computer, with no way of declaring it "safe".
 

35B

Established Member
Joined
19 Dec 2011
Messages
2,735
In this day and age that isn't acceptable. I would have a law passed that requires companies of over a set size to provide accessible websites, with fines if they don't.
There is legislation of that kind, and for an organisation the size of TfL not to comply would not be reasonable.
 

londonbridge

Established Member
Joined
30 Jun 2010
Messages
1,675
It's very annoying to have to enter a SMS confirmation code EVERY time I access my TfL account from the same computer, with no way of declaring it "safe".
In the same manner, there are certain websites where, every time I make a purchase, my bank requires verification through the app or by texting me a code, despite the fact I’ve purchased regularly from said sites for years.
 

jon81uk

Member
Joined
17 Aug 2022
Messages
862
Location
Harlow, Essex
In the same manner, there are certain websites where, every time I make a purchase, my bank requires verification through the app or by texting me a code, despite the fact I’ve purchased regularly from said sites for years.
When doing this, my credit card has the option to not require codes for this retailer in the future and a yes/no selection.
 

OscarH

Member
Joined
15 Sep 2020
Messages
923
Location
Crawley
In the same manner, there are certain websites where, every time I make a purchase, my bank requires verification through the app or by texting me a code, despite the fact I’ve purchased regularly from said sites for years.
Some of the banks are far more aggressive than others with 3DS challenges. One of my cards didn't challenge a significant IKEA purchase the other day (and I go there very rarely), whereas my partner's card frequently challenges the same £14 train ticket she buys 4 days a week every week from the same retailer.
 

bubieyehyeh

Member
Joined
25 Feb 2016
Messages
352
You think they could allow you to check today's travel and view maps etc even if your login had expired, and only require a login if you want to look further back in journey history or request a refund.
 

Edvid

Established Member
Joined
7 Feb 2008
Messages
1,907
You think they could allow you to check today's travel and view maps etc even if your login had expired
One week of contactless journey / payment history can be reviewed on the TfL website without registration (URL link). Maps on the TfL Go app don't require an account either.
 

bubieyehyeh

Member
Joined
25 Feb 2016
Messages
352
One week of contactless journey / payment history can be reviewed on the TfL website without registration (URL link). Maps on the TfL Go app don't require an account either.
Useful to know, I didn't realise there were two TfL apps. I'm using the TfL Oyster one, which I'm pretty sure doesn't work until you log in when it's expired.
 