Translink #mlink Android app and FAQs updated

With reference to my previous post about the security issues on the mlink application, it looks like there has been a lot of work done - the Android app version number has gone up from 1.54 to 2.22. The Arriva m-ticket application which was discussed has also increased its version number to 2.20, which again leads me to believe it is based on the same codebase.

No update as yet for the iOS version but I'm sure this has been submitted and will be available shortly.

I'll hopefully get a chance to look at the communication between the app and the server soon.

More interesting is that the FAQs previously stated:

Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

They now state:

Once registered, Credit and Debit card details are encrypted and held securely within the mLink app and then used when customer seeks to purchase an mLink ticket. There is no commitment for the customer to purchase a ticket but it is assumed that everyone who downloads the app does so because they wish to purchase a ticket in the near future. For this reason the customer is asked to register their payment card details at the earliest opportunity.
 
No-one, including Translink, can see the customer's payment card details as they are held encrypted within the mLink app on mobile phone handsets and are only sent encrypted to the payments service provider each time a customer purchases a ticket.  The only details passed to Translink at time of registration are the mobile phone number and the customer's personal details (Name, Postcode, Date of Birth etc). The security around this process has been audited by an external PCI DSS qualified security assessor.

Previously, all the information was sent to the servers upon registration and also seemed to be sent again when purchasing a ticket. This is something I'll be checking shortly.

The obvious deduction is that the PCI DSS assessor has come up with a number of changes which have been implemented by Concept Data Technologies/Trapeze over the past 6 weeks. It would be really interesting to see what these are but I'm guessing that we won't be seeing a changelog released anytime soon.

I've sent a couple of FOI requests here and here to see what sort of information is available from Translink themselves but I don't hold out a lot of hope.

Posted

Data leak on Translink mLink application

I was in two minds about whether to write this post but I received a phone call today from the company mentioned below. While they're following what they assured me are their internal processes and procedures, I think that they have let their users down by not notifying them of the potential leak of their personal data. They have assured me over the phone that Visa & Mastercard are investigating all patterns and users will be notified of any potential fraud but I don't believe this is satisfactory.

Firstly, this is not a “hack” in any way. It is simply looking at the data which is being sent by the application which we’re trusting with personal information and commenting on it. The below was proven to be an issue on version 1.47 for Android phones and for version 1.4* on the iPhone. 

Secondly, once I notified Translink of the issue on 25th January, they took the problem seriously and worked very hard to get it resolved with Trapeze. Translink also issued an email advising users to update but there was no mention of the potential for their personal data being compromised. I should also say that Translink donated a monthly ticket to me so I could test the updated version for them. 

[Screenshot, 8 February 2012]

Details

The mLink application is created by Concept Data Technologies Ltd, which is now part of Trapeze, and is designed to offer e-tickets to users of Translink in Northern Ireland. The same codebase also seems to be used for a number of other branded applications, which I can only presume have or had the same problems. The largest of these looks to be the Arriva m-ticket.

I’ve used the product and it is ok, most of the time it works well although I did encounter problems on my HTC Sensation due to the large screen size. This was resolved at the same time as the below issue.  

The problem being discussed here is the potential to leak personal information.

The smaller problem

Translink state in their FAQs that:

Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

Despite the above, the credit/debit card information is sent to a remote server, http://connection3.data.mblox.com/csp/transltest/Web.processAppStoreReg.cls. I would be really interested to discover whether the information is actually being stored there or whether it is only used for identification purposes.

  • Why send the information if it’s not being stored? 
  • Why not be clearer in the FAQ?

The bigger problem

This information is sent to the server using plain HTTP and is not encrypted in any way. Anyone on the network path can read it: the operator of any wireless network I am using, or that my phone joins in passing, can recover it with the very basic techniques that have been publicised previously with tools such as Firesheep. Any wireless network which proxies its traffic can pick these details out even more easily, simply by grepping the proxy logs for mblox.

In this case, once I'd identified that data was being leaked, I used ZAP to identify the data being sent.

The following information about my account was sent to the server upon registration, unencrypted, over HTTP rather than HTTPS.

[Screenshot of the captured registration request, 20 January 2012]

As you can see from the above screenshot, the following information is available in the clear.

  • Mobile Number
  • Title
  • Forename
  • Surname
  • Date of Birth
  • Email
  • Post Code
  • Card Number
  • Card Name
  • Expiry month
  • Expiry year
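One way to check a capture for exactly this kind of leak, as an added example that is not code from the original post or from the app's vendor: take the raw HTTP request as a proxy such as ZAP (or a packet capture) shows it, decode the form body, and flag any field that carries a Luhn-valid card number. The request embedded below is constructed for the example, and its field names (cardnumber, expmonth and so on) are assumptions rather than the mLink app's real parameter names; the host and path are the ones quoted above.

```python
"""Passive check for cardholder data in a cleartext HTTP request.

Added example, not code from the original post or from Trapeze/Translink.
The request below is constructed; the form field names are assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qs

# Constructed sample registration POST; card number is a well-known test PAN.
_BODY = (
    "mobile=07700900123&title=Mr&forename=Joe&surname=Bloggs&dob=1980-01-01"
    "&email=joe%40example.com&postcode=BT1+1AA&cardnumber=4111111111111111"
    "&cardname=J+BLOGGS&expmonth=12&expyear=2014"
)
SAMPLE_REQUEST = (
    "POST /csp/transltest/Web.processAppStoreReg.cls HTTP/1.1\r\n"
    "Host: connection3.data.mblox.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n"
    "\r\n" + _BODY
)


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Plausible PAN: 13-19 digits (spaces/dashes allowed) passing Luhn.

    Luhn is a weak filter, so a hit is a candidate to verify, not proof.
    """
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(value: str) -> str:
    """PCI DSS style display mask: first six and last four digits only."""
    digits = value.replace(" ", "").replace("-", "")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and decoded form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "target": target, "headers": headers, "fields": fields}


def find_cleartext_card_data(raw: str, over_tls: bool = False) -> list[str]:
    """Report card data that crossed the wire unencrypted.

    over_tls says whether the capture came from an HTTPS connection; if it did,
    a passive observer would have seen only ciphertext and nothing is reported.
    """
    if over_tls:
        return []
    req = parse_request(raw)
    host = req["headers"].get("host", "?")
    findings = []
    for name, value in req["fields"].items():
        if looks_like_pan(value):
            # Other card-related fields travelling in the same request.
            related = [
                n for n in req["fields"]
                if any(t in n.lower() for t in ("exp", "cvv", "cvc", "cardname"))
            ]
            findings.append(
                f"PAN {mask_pan(value)} in field '{name}' sent in clear to "
                f"http://{host}{req['target']} with {', '.join(related) or 'no other card fields'}"
            )
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_card_data(SAMPLE_REQUEST):
        print(finding)
```

Run against the sample it reports one finding, with the PAN masked so the check itself does not become another place the full number is written down. The mobile number and date of birth are not flagged because they fail the length or Luhn test, which is also the caveat: a Luhn hit on a 13-19 digit string is a candidate to confirm by eye, not proof on its own.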

Summary

  • The way in which data is transferred from phone to server was completely insecure.
  • Data is transferred and presumably stored which appears to me to be against the terms and conditions and FAQs of using the application.
  • If you use the mLink application on Android or iPhone and it is version 1.4*, upgrade it straight away.

I've just been told about @robelkin's investigations into some similar and potentially new issues with the new version; it is great to see that there are some other curious people around. He's shared this on his Twitter and we might update this post with further information as we find it.

Filed under  //  mlink   security   translink   trapeze  
Posted

BBC Newsbeat and use of dodgy statistics

I made a complaint to the BBC last week about an article they were running on blackberry users being unsatisfied. I'm not currently a blackberry user satisfied or otherwise, I'm not a RIM employee/shareholder or anything to do with the company - I just found the blatantly bad use of statistics really, really annoying. 

"I found the article at http://www.bbc.co.uk/newsbeat/16740008 to be very misleading. The article states that: "Newsbeat's been in touch with hundreds of users and nearly three-quarters say they want to change their handsets." On the radio show, this was changed to "hundreds of users have contacted us". This has been compressed into a headline used on your site as: "Three-quarters of BlackBerry users want to switch phones". This is deeply inaccurate; it may be the case that 71% of the "hundreds" of people that contacted Newsbeat were unhappy with their BlackBerries, but to then scale this up to a percentage of all BlackBerry users is wrong. I also fail to see how this is a story; the figures themselves show that there is only a small drop in sales (100,000 per quarter). I look forward to hearing back from you."

I got a response from them yesterday:

Many thanks for getting in touch. We take comments and complaints about our output seriously so your feedback is welcome. You're absolutely right to say the headline on this story was misleading - we should not have extrapolated the 'three-quarters' figure and applied it to the entire population of Blackberry users. As a result of this, and some of the other issues you talk about in the statistics, I have reminded the entire team of the importance of fully understanding how to apply research statistics to stories. As to your further point about sales figures, we have run a follow up piece to the item today, in which we have reported a further set of sales figures which apply to Blackberry which the company itself claims shows sales are holding up.

The problem with bad statistics like this is that they stick - the first page of search results show that this has been discussed in a number of forums and repeated on other news/tech sites. We should expect more of the BBC - they should all read @bengoldacre's book Bad Science to understand more about dodgy stats and the dangers that come with them.

The updated story mentioned is here and they have updated the story here. The original article has been archived on another site here and I've taken a screenshot of it here in case that disappears as well.

Filed under  //  BBC  
Posted

Translink & Open Data #opengov

In mid-September I went to a great conference organised by Brian Cleland. The number of gov.uk organisations present was reasonably heartening, although their message was less so. Essentially it boiled down to "don't call us, we'll call you": GIS data being released in 2019, for instance, and everything else waiting on the publication of a report from Whitehall.

One of the local organisations which I, and I believe many others, feel is really dragging in terms of open data is Translink, who operate the trains/buses etc. here in Northern Ireland on behalf of the Northern Ireland Transport Holding Company, which is a Public Corporation (essentially, I believe, a company owned by our government). There have been efforts in the past by some brave local individuals to access the data from Translink but with very little success; I believe some PDFs were acquired at one point but nothing which was easily machine readable. I wrote to Translink on the day of the event and received the following in response:

Thank you for your email of 22 September 2011 to our Feedback facility. Prompted by your e-mail I checked across our organisation and have not been able to confirm that any of the Translink team received an invitation to the event to which you refer.

That said, it would be wrong to conclude that Translink is not actively involved in the task of making its data more available to the public. The following lists some of the areas where Translink is making a valuable contribution in this sphere:

  1. We are working with the EU Inspire team to ensure Translink is fully compliant in the area of data share
  2. We have an ongoing programme in place to update our data across Metro, Goldline, Ulsterbus and NIR services  
  3. We are working with our sponsor department (DRD) and with representatives from DETI to explore ways in which we can make our data available to mobile apps developers

I trust this brief response serves to assure you that Translink is playing an active role in this area.

The note I received highlights what I believe are some of the problems with Translink's view on open data:

  1. Fully Compliant - why be fully compliant when you can exceed the standards required easily. Open the data up and you will be fully compliant.
  2. Programme in place to update the data - the data is there, open it up and the community will probably help you to keep it up to date. 
  3. Exploring ways to make the data available - It seems they have been exploring for a while. Why not check out this and more specifically this from the MTA in NYC? Free data available for developers to use.

It's about time that the data was opened so that something can be done with it - there are some great apps out there already which have been pulled together from a screenscraping session but there should be more.

Why not tweet @translink_ni or write to them and ask them to open up the data?

Update 24th Oct 21:56: I have just done an FOI request to ask for a bit more information from NITHC.

Filed under  //  opendata    opengov   translink  
Posted

Dexter spoiler alert(but a fricking great image)

[Image: the Dexter artwork discussed below]

Update 09/02/11 - 16:00

Thanks to @moonpo we now know it was created by Shahed Syed - brilliant work Shahed! Article on it is here

I'm not sure who created this image so can't credit them - whoever it was - great work!

Posted

Dublin Marathon pictures are now online

[Screenshot: Dublin Marathon finisher photo]

Dublin Marathon pictures are now available - thought I'd screengrab the one which shows we actually completed it (in case this was in doubt!!)


Posted

The Dublin Marathon route and times

I use Google's myTracks a lot and found it really useful today while running the Dublin Marathon to keep track of times and distances. It seems to have been slightly inaccurate today, as it is saying that we actually did 26.9 miles, but it gives a good idea of what we did. You can click through to see the larger map and even times (the geek in me fricking loves this).

We raised a great amount of cash for the MS Society - totals are on here and here - thanks to all of our sponsors!!

Filed under  //  dublin marathon   marathon  
Posted

Paranormal Activity 2

I know a lot of people thought it was shit but I was terrified by Paranormal Activity last year - they've made another one and it doesn't look dreadful.

Posted

The Greggs croissant story

I made a quick comment to the BBC about this story, highlighting the fact that it appeared to be just a press release, and got a great reply back from the business editor. The link shows how the story was changed very quickly after publication.
On another note, newssniffer.co.uk looks like a very useful site.


---------- Forwarded message ----------
From: NewsOnline Comments <newsonline.suggestions@bbc.co.uk>
Date: 7 October 2010 17:20
Subject: FW: Feedback [NewsWatch]
To: <removed>

Dear Mr Whittaker

Many thanks for your e-mail.

I can only concur - when I spotted the story on Wednesday morning on the
website, I had it changed immediately.

The story now focuses on the company's results.

I believe it is ok to mention that Gregg's is now selling croissants and
similar fare, not least as this is not the kind of food that one would
associate with this store chain.

But the original headline and lead of the story was clearly not in
order.

I have had words with both the author and the sub editor who published
the story.

Regards

Tim Weber
Business editor
BBC News - interactive + radio   http://bbc.co.uk/business
<direct phone etc removed>

-----Original Message-----
From: <removed>
Sent: 06 October 2010 09:45
To: NewsOnline Comments
Subject: Feedback [NewsWatch]


From:           Simon whittaker
Email address:  <removed>
Country:        UK

COMMENTS: This is not a news story, it is a regurgitated press release.
Absolutely ridiculous...
Simon whittaker, UK

URL:    http://www.bbc.co.uk/news/business-11482293

Posted

FOIA - Internal Review - IR2010026

Received the attached from the BBC FOI team today (they left it right to the limit and required a reminder, maybe they thought I'd forget ;))
It is interesting that the emails are originally talking about how the BBC could help out the developer ("chuck him some cash") but that the eventual step was to force beebplayer to be shut down.
I think that there is very little chance of getting the information about how the decision to shut down beebplayer was made but I still think the beeb have screwed up. Why not make the streams available and let the community build apps for different platforms?

Begin forwarded message:

From: "FOI Enquiries" <foi@bbc.co.uk>
Date: 6 September 2010 16:10:31 GMT+01:00
Subject: FOIA - Internal Review - IR2010026

Please find attached the response to your internal review request considered under the terms of the Freedom of Information Act. 

Information Policy and Compliance Team 

BBC Freedom of Information
Room 2252
BBC White City
201 Wood Lane
London W12 7TS, UK

Website: www.bbc.co.uk/foi/
Email: mailto:foi@bbc.co.uk
Tel: 020 8008 2883
Fax: 020 8008 2398


http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

Attachments:
IR2010026 - dislcoure emails.pdf (80 KB)
Internal Review Decision Note - 2010-09-02.pdf (63 KB)

Filed under  //  beebplayer   foi  
Posted