I was in two minds about whether to write this post but I received a phonecall today from the company mentioned below. While they’re following what they assured me are their internal processes and procedures I think that they have let their users down by not notifying them of the potential leak of their personal data. They have assured me over the phone that Visa & Mastercard are investigating all patterns and users will be notified of any potential fraud but I don’t believe this is satisfactory.
Firstly, this is not a “hack” in any way. It is simply looking at the data which is being sent by the application which we’re trusting with personal information and commenting on it. The below was proven to be an issue on version 1.47 for Android phones and for version 1.4* on the iPhone.
Secondly, once I notified Translink of the issue on 25th January, they took the problem seriously and worked very hard to get it resolved with Trapeze. Translink also issued an email advising users to update but there was no mention of the potential for their personal data being compromised. I should also say that Translink donated a monthly ticket to me so I could test the updated version for them.
The mLink application is created by Concept Data Technologies Ltd which is now a part of trapeze and is designed to offer e-tickets for users of Translink in Northern Ireland. It seems like the same application is also used for a number of different applications, which I can only presume have or currently feature the same problems. The largest of these looks to be the Arriva m-ticket.
I’ve used the product and it is ok, most of the time it works well although I did encounter problems on my HTC Sensation due to the large screen size. This was resolved at the same time as the below issue.
The problem being discussed here is the potential to leak personal information.
The smaller problem
Translink state in their FAQs that:
Q – Will my credit card / bank account details be held on Translink’s server?
A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone.
Despite the above, the credit/debit card information is being sent to a remote server http://connection3.data.mblox.com/csp/transltest/Web.processAppStoreReg.cls. I would be really interested to discover if the information is actually being stored or if it’s just being used for identification purposes.
- Why send the information if it’s not being stored?
- Why not be clearer in the FAQ?
The bigger problem
This information is being sent to the server using plain old http and isn’t encrypted in any way. This means that the owner of any wireless connection I am using or happen to join on the way past will be able to read the information using some very basic techniques which have been outlined previously using tools such as firesheep. Any wireless networks which proxy their traffic will be able to identify these details even more easily by simply greping for mblox.
In this case once I’d indentified that data was being leaked I used ZAP to identify the data being sent.
The following information about my account was sent off to the server upon registration completely unencrypted and using insecure http rather than https.
As you can see from the above screenshot, the following information is available in the clear.
- Mobile Number
- Date of Birth
- Post Code
- Card Number
- Card Name
- Expiry month
- Expiry year
- The way in which data is transferred from phone to server was completely insecure.
- Data is transferred and presumably stored which appears to me to be against the terms and conditions and FAQs of using the application.
- If you use the mLink application on Android or iPhone and it is version 1.4*, upgrade it straight away.
I’ve just been told about @robelkin‘s investigations into some similar and potential new issues with the new version, it is great to see that there are some other curious people around. He’s shared this on his twitter and we might update this post with further information as we find it.