3aIT Blog

We should (hopefully) all know by now that giving out a password in almost any circumstances is generally a really bad idea. A rail user has discovered that, it seems, no-one at Transport for London got this memo.

According to an article on The Register, upon asking for a National Railcard discount to be applied to his Oyster card, this passenger was handed a paper form upon which he was expected to write down his password for the Oyster service so that staff could apply the discount to it. Assuming that this must be a mistake, he tried again at another station, only to be presented with exactly the same form.

In its defence, TfL pointed out that customers can use a self-service machine to apply this discount themselves. It therefore seems that the purpose of this form is basically to allow the person in the ticket office to complete exactly this process on the customer's behalf - they don't have a separate method to do this that doesn't require the user's password. They also point out that the paper form is handed back to the customer at the end of the process (or, at least, should be). This glosses over the fact that the TfL employee could copy the customer's details down to reuse if they were that way inclined. Given how prone people are to reusing passwords between services, this could mean handing over information that could seriously compromise one's online data.

While TfL are "looking at ways to improve this process", we would suggest that anyone having to follow the current process use a unique password that they later change via the Oyster website. As ever, in general, always be extremely wary of anyone asking for any of your passwords.