Despite the publicity around Myki receipts back in August, it seems people are still leaving them behind.
Remember, some of these receipts print even when you tell the machine you don’t want a receipt. And if you’re paying with a credit card, it will include 9 out of the 16 digits of your credit card number, the credit card expiry date, and your full name.
Those involved in identity fraud can and do make use of partial snippets of information — this prominent attack in August started with a name and partial credit card number, then made use of weaknesses in security at Amazon and Apple to spread from there.
So, always worth taking your receipt(s) with you.
12 replies on “I guess people haven’t got the message about collecting their #Myki receipts”
Gah! I had never paid enough attention to those reciepts to realise so much information was contained. From the simple environmental point of view it shits me that it prints receipts despite clearly having a ‘No’ option.
Ideally, the amount of information on all receipts should be reduced; the system should ask if you want a receipt; and the system should only print a receipt if you click ‘Yes’. However at a bare minimun the amount of information on receipts should be reduced, and the ‘Do you want a receipt’ option should be removed if it is printing receipts anyway, to be replaced with ‘Please wait for your receipt’ or something similar.
Also this process should certainly not take a few months of review. Just hire some competent staff and fix the damn problem. I swear the team that built Myki must really lack good expertise considering how glitchy everything is.
On a side note, the short term, 3 day pass I’ve been using in Montreal that includes some kind of RFID chip in a paper ticket works extremely well. Even through my wallet that thing responds at a fraction of the time of the typical Myki reader. According to this wikipedia page, it also uses the MIFARE technology (which myki is built on), but the page does not list the exact version that is being used. Once again, it looks like it is software causing the issues in Myki and not the hardware.
Whoops forgot the link before: According to this wikipedia page, OPUS in Montreal also uses the MIFARE technology.
Thanks for pointing this out Daniel. I always take the receipt (even the ones I didn’t ask for) but have never read them. Scary amount of information!
I understand that the rules on EFTPOS receipts is changing and that the TTA is considering only issuing receipts when requested. That’s good!
Apart from the potential for fraud, there’s the terrible litter problem.!
Sorry – that anonymous comment re the CC numbers was from me – I clicked Submit too early
Looks like my, previous comment might have disappeared into the ether…
Daniel, don’t forget that the first 6 digits of a credit card number (the Issuer Identification Number) is effectively irrelevant, as they will come from a very limited subset. In fact the word “Mastercard” above the number conveys exactly the same information as those 6 digits. So there are really only 3 digits of the actual unique credit card number, plus what sort of card it is.
The hack you linked to required the last 4 digits of the card – something which the Myki recipts do not show. Also, receipts from Service Stations show the same number of digits as these recipts, so this is not something Myki-specific.
Could they make those machines also dispense cyanide pills ? I don’t know what it is about Melbourne right now, but I am sick of the continuous disruption of the trains.
Thgis sort of litter can also be seen around most ATM machines too. Why anyone would leave a slip of paper with their bank balance and other personal info on it where anyone can pick it up is beyond stupid. In don’t ever litter paper or anything else for that matter. I always take my receipt with me. I won’t even put it into the little waste receipt slot provided at some ATM machines as the container is not secure (and I wouldn’t print a receipt I didn’t need to take with me in the first place).
@Mike, your initial comment was anonymous and therefore went to the moderation queue — but you reposted it in your own name before it got approved.
Indeed the hack involved the last 4 digits of a credit card number. But by knowing 3 of those 4, it would only take 10 goes maximum to guess it. Additionally Myki’s behaviour is much more dangerous than service stations that might print the same details, because of the Myki vending machine’s behaviour of printing 2 receipts when 1 is requested, and 1 when none are requested… thus what is seen in the pic above – lots of them get left behind.
Julian suggests “Also this process [of fixing Myki software] should certainly not take a few months of review. Just hire some competent staff and fix the damn problem. I swear the team that built Myki must really lack good expertise considering how glitchy everything is.”
Unfortunately, as someone who’s worked on software written by incompentant staff, I can tell you that that means it will take competent developers much longer than you think to fix it.
If anyone touched the source code, however small a change they’re making, there will be bugs and it will take some time to fix it; the code is fragile and held together with sticky-tape and bubblegum. Probably no-one knows what the ramifications of this change will be on that part of the code, because nothing’s isolated. The fact that it works at all is a pure fluke.
The software is buggy and the process is slow because it’s written hideously. Everyone who comes near it will be thinking, “let’s ditch this and start again”. They will be told “no”. Months will be spent rewriting (“refactoring”) the code anyway until finally the dev team can understand it well enough to make changes safely.
@Felix – I’ve dabbled a fair bit in coding so I can understand. However this is a fairly small part of the system we’re talking about and I can’t imagine receipt printing at top up machines is going to have too many knock-on effects.
Also, it seems its probably worth re-writing the whole thing. It may be working better now than it did 12 or 24 months ago, but it still is slow an unresponsive (and written for a Windows CE environment I’m told), and any new changes needed over the next 7-8 years (which I hope is the absolute minimum we’ll have Myki for considering the price we’ve paid) will encounter all the same sorts of problems we’ve already seen. Better to cut it clean and start again 3 years in then toil with all the bugs for another 8 years.
I topped up my Myki the other at Essendon Station. I said no to a receipt because I only wanted one of them, but, it did NOT print any. I waited until the next person used the machine and they got a receipt because they asked for one. I asked them to check and it was theirs and there was only one.
So, has this problem been fixed, I wonder
@PaulK, but did you pay with a credit or debit card? The problem only occurs when paying with a card.