Translink #mlink Android app and FAQs updated

This entry was posted by on Monday, 12 March, 2012 at

With reference to my previous post about the security issues on the mlink application, it looks like there has been a lot of work done – the Android app version number has gone up from 1.54 to 2.22. The Arriva m-ticket application which was discussed has also increased version number to 2.20 which again leads me to believe it is based off the same codebase.

No update as yet for the iOS version but I’m sure this has been submitted and will be available shortly.

I’ll hopefully get a chance to look at the communication between the app and the server soon.

More interesting is that the FAQs previously stated:

 

Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

They now state:

Once registered, Credit and Debit card details are encrypted and held securely within the mLink app and then used when customer seeks to purchase an mLink ticket. There is no commitment for the customer to purchase a ticket but it is assumed that everyone who downloads the app does so because they wish to purchase a ticket in the near future. For this reason the customer is asked to register their payment card details at the earliest opportunity.
 
No-one, including Translink, can see the customer’s payment card details as they are held encrypted within the mLink app on mobile phone handsets and are only sent encrypted to the payments service provider each time a customer purchases a ticket.  The only details passed to Translink at time of registration are the mobile phone number and the customer’s personal details (Name, Postcode, Date of Birth etc). The security around this process has been audited by an external PCI DSS qualified security assessor.

Previously, all the information was sent to the servers upon registration and also seemed to be sent again when purchasing a ticket. This is something I’ll be checking shortly.

The obvious deduction is that the PCI DSS assessor has come up with a number of changes which have been implemented by Concept Data Technologies/Trapeze over the past 6 weeks. It would be really interesting to see what these are but I’m guessing that we won’t be seeing a changelog released anytime soon.

I’ve sent a couple of FOI requests here and here to see what sort of information is available from Translink themselves but I don’t hold out a lot of hope.