Bluetooth permissions on updated Translink mLink application

Wednesday, October 14, 2015 Posted by
Comments closed

I contacted Translink about the new bluetooth permissions required for their mLink application on Android and received the following response:

The Bluetooth permissions are part of the location services support pack and is used to increase the speed of initial location fixes that we employ in finding your nearest station.

Furthermore change builds in support for Bluetooth Low Energy (BLE) that may be used in future with BLE beacon technology.

In the future, we’ll be implementing the new Android Marshmallow granular permissions mechanism so that users can select which features they are happy for the app to use, however this will likely not happen until the API’s for this are more mature and have a higher adoption rate across devices.

They also responded later with this:

Can I ask however, as a user, do you feel that this specific information or information of this nature should be published/made available to all mLink users either in-app or on the web as a matter of course  – as opposed to hearing about it from a third party source?

We are always keen to learn if there are any areas that we can improve upon particularly communicating technical information of  this nature.

Excellent work from Translink in coming back with a useful response in a timely manner.

Top 50 tesco passwords

Wednesday, February 12, 2014 Posted by
Comments closed

According to pastebin and the twitters there has been a compromise of some part of Tesco’s online presence. This possibility was blogged about by @TroyHunt last year. It’s an interesting blog, some of the issues may be resolved by now but it looks like there are still many fatal flaws.

Some basic analysis of the password list reveals the following top list:

charlie 9
sophie 6
chester 5
elizabeth 5
george 5
louise 5
barney 4
benjamin 4
jessica 4
joshua 4
liverpool 4
november 4
shopping 4
arsenal 3
cameron 3
caravan 3
connor 3
dexter 3
dragon 3
francesca 3
hannah 3
harvey 3
jasper 3
jessie 3
kipper 3
manchester 3
marmite 3
michael 3
rachel 3
rebecca 3
shannon 3
smudge 3
thomas 3
tigger 3
tinkerbell 3
william 3
willow 3
123456 2
airport 2
alexander 2
angels 2
annie2 2
archie 2
bananas 2
beetle 2
benson 2
bertie 2
bigbird 2
billy1 2
brighton 2

There seem to be a large amount of people’s names here(presumably partners or children) but I guess that’s what comes from having terrible password procedures in place.

The full password list and count of matches (with no email addresses associated) is also available here.

WordPress Brute Force Attacks

Friday, April 12, 2013 Posted by
Comments closed

Cloudflare have released a blog post discussing a spate of wordpress  brute force attacks currently taking place. Their post mentions the mitigation put in place by Cloudflare to stop these attacks and how all sites using their service are now protected which is really great news for those sites using their service.

If you’re not using their service however there are still some very easy things you can do to help protect your system, in order below from trivial to easy they are as follows:

  1. Have a decent password or passphrase – this site will create some complex and easy to remember passphrases for you.
  2. Change* your default user from admin to something else (*Change is maybe the wrong word – check here for further details)
  3. Install some plugins to help, for simplicity I like:
  4. Use a .htaccess file to block your important directories like wp-admin – there’s a great plugin for this as well though it also requires Allowoverride All in Apache configuration.

There are a great deal of other steps to take which are very well documented but the above will help mitigate against today’s problem. For further reference, this site is very useful while the wordpress hardening document from wordpress themselves is very detailed.

Events calendar for Invest Northern Ireland

Thursday, February 21, 2013 Posted by
Comments closed

I missed an event the other day which I think would have been really useful for me to attend because I hadn’t heard about it. When I contacted Invest NI I was advised to go and visit their boosting business events page. As I thought the page wasn’t much use I decided to convert it into something more useful so I can see the events easily on my phone and any other calendar app I want.

I’ve made this available here in the hope that someone else will find it useful. There are no guarantees of accuracy or that it will even be updated correctly should page style etc change on the source site but hopefully it will be of use to someone. I think there may be a DST issue in Outlook which I haven’t located yet and I might get round to updating it another time.

URL is

BBC Complaints department responded to my question about The View vs Question Time

Monday, October 22, 2012 Posted by

I wrote to the BBC to complain that the local politics programme replaced Question Time.

Download this file

Translink #mlink Android app and FAQs updated

Monday, March 12, 2012 Posted by
Comments closed

With reference to my previous post about the security issues on the mlink application, it looks like there has been a lot of work done – the Android app version number has gone up from 1.54 to 2.22. The Arriva m-ticket application which was discussed has also increased version number to 2.20 which again leads me to believe it is based off the same codebase.

No update as yet for the iOS version but I’m sure this has been submitted and will be available shortly.

I’ll hopefully get a chance to look at the communication between the app and the server soon.

More interesting is that the FAQs previously stated:


Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

They now state:

Once registered, Credit and Debit card details are encrypted and held securely within the mLink app and then used when customer seeks to purchase an mLink ticket. There is no commitment for the customer to purchase a ticket but it is assumed that everyone who downloads the app does so because they wish to purchase a ticket in the near future. For this reason the customer is asked to register their payment card details at the earliest opportunity.
No-one, including Translink, can see the customer’s payment card details as they are held encrypted within the mLink app on mobile phone handsets and are only sent encrypted to the payments service provider each time a customer purchases a ticket.  The only details passed to Translink at time of registration are the mobile phone number and the customer’s personal details (Name, Postcode, Date of Birth etc). The security around this process has been audited by an external PCI DSS qualified security assessor.

Previously, all the information was sent to the servers upon registration and also seemed to be sent again when purchasing a ticket. This is something I’ll be checking shortly.

The obvious deduction is that the PCI DSS assessor has come up with a number of changes which have been implemented by Concept Data Technologies/Trapeze over the past 6 weeks. It would be really interesting to see what these are but I’m guessing that we won’t be seeing a changelog released anytime soon.

I’ve sent a couple of FOI requests here and here to see what sort of information is available from Translink themselves but I don’t hold out a lot of hope.





Data leak on Translink mLink application

Wednesday, February 8, 2012 Posted by

I was in two minds about whether to write this post but I received a phonecall today from the company mentioned below. While they’re following what they assured me are their internal processes and procedures I think that they have let their users down by not notifying them of the potential leak of their personal data. They have assured me over the phone that Visa & Mastercard are investigating all patterns and users will be notified of any potential fraud but I don’t believe this is satisfactory.

Firstly, this is not a “hack” in any way. It is simply looking at the data which is being sent by the application which we’re trusting with personal information and commenting on it. The below was proven to be an issue on version 1.47 for Android phones and for version 1.4* on the iPhone. 

Secondly, once I notified Translink of the issue on 25th January, they took the problem seriously and worked very hard to get it resolved with Trapeze. Translink also issued an email advising users to update but there was no mention of the potential for their personal data being compromised. I should also say that Translink donated a monthly ticket to me so I could test the updated version for them. 



The mLink application is created by Concept Data Technologies Ltd which is now a part of trapeze and is designed to offer e-tickets for users of Translink in Northern Ireland. It seems like the same application is also used for a number of different applications, which I can only presume have or currently feature the same problems. The largest of these looks to be the Arriva m-ticket.

I’ve used the product and it is ok, most of the time it works well although I did encounter problems on my HTC Sensation due to the large screen size. This was resolved at the same time as the below issue.  

The problem being discussed here is the potential to leak personal information.

The smaller problem

Translink state in their FAQs that:

Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

Despite the above, the credit/debit card information is being sent to a remote server I would be really interested to discover if the information is actually being stored or if it’s just being used for identification purposes.

  • Why send the information if it’s not being stored? 
  • Why not be clearer in the FAQ?

The bigger problem

This information is being sent to the server using plain old http and isn’t encrypted in any way. This means that the owner of any wireless connection I am using or happen to join on the way past will be able to read the information using some very basic techniques which have been outlined previously using tools such as firesheep. Any wireless networks which proxy their traffic will be able to identify these details even more easily by simply greping for mblox.

In this case once I’d indentified that data was being leaked I used ZAP to identify the data being sent.

The following information about my account was sent off to the server upon registration completely unencrypted and using insecure http rather than https.


As you can see from the above screenshot, the following information is available in the clear.

  • Mobile Number
  • Title
  • Forename
  • Surname
  • Date of Birth
  • Email
  • Post Code
  • Card Number
  • Card Name
  • Expiry month
  • Expiry year


  • The way in which data is transferred from phone to server was completely insecure.
  • Data is transferred and presumably stored which appears to me to be against the terms and conditions and FAQs of using the application.
  • If you use the mLink application on Android or iPhone and it is version 1.4*, upgrade it straight away.

I’ve just been told about @robelkin‘s investigations into some similar and potential new issues with the new version, it is great to see that there are some other curious people around. He’s shared this on his twitter and we might update this post with further information as we find it.


BBC Newsbeat and use of dodgy statistics

Tuesday, January 31, 2012 Posted by

I made a complaint to the BBC last week about an article they were running on blackberry users being unsatisfied. I'm not currently a blackberry user satisfied or otherwise, I'm not a RIM employee/shareholder or anything to do with the company – I just found the blatantly bad use of statistics really, really annoying. 

"I found the article at to be very misleading, the article states that: "Newsbeat's been in touch with hundreds of users and nearly three-quarters say they want to change their handsets." On the radio show, this was changed to "hundreds of users have contacted us". This has been compressed into a headline used on your site as: "Three-quarters of BlackBerry users want to switch phones". This is deeply inaccurate, it may be the case that 71% of the "hundreds" of people that contacted newsbeat were unhappy with their blackberries but to then scale this up to a %'age of all blackberry users is wrong. I also fail to see how this is a story, the figures themselves show that there is only a small drop in sales(100,000 per quarter). I look forward to hearing back from you."

I got a response from them yesterday:

Many thanks for getting in touch. We take comments and complaints about our output seriously so your feedback is welcome. You're absolutely right to say the headline on this story was misleading – we should not have extrapolated the 'three-quarters' figure and applied it to the entire population of Blackberry users. As a result of this, and some of the other issues you talk about in the statistics, I have reminded the entire team of the importance of fully understanding how to apply research statistics to stories. As to your further point about sales figures, we have run a follow up piece to the item today, in which we have reported a further set of sales figures which apply to Blackberry which the company itself claims shows sales are holding up.

The problem with bad statistics like this is that they stick – the first page of search results show that this has been discussed in a number of forums and repeated on other news/tech sites. We should expect more of the BBC – they should all read @bengoldacre's book Bad Science to understand more about dodgy stats and the dangers that come with them.

The updated story mentioned is here and they have updated the story here. The original article has been archived on another site here and I've taken a screenshot of it here in case that disappears as well.

Translink & Open Data #opengov

Monday, October 24, 2011 Posted by
Comments closed

In mid-September I went to a great conference organised by Brian Cleland. The amount of organisations was reasonably heartening although their message was less so. Essentially it boiled down to “don’t call us, we’ll call you”. GIS data being released in 2019 for instance and everything waiting on the publication of a report from Whitehall.

One of the local organisations which I, and I believe many others, feel is really dragging in terms of open data is Translink who operate the trains/buses etc here in Northern Ireland on behalf of the Northern Ireland Transport Holding Company which is a Public Corporation(essentially, I believe, a company owned by our government). There have been efforts in the past by some brave local individuals to access the data from Translink but with very little success, I believe some PDFs were acquired at one point but nothing which was easily machine readable. I wrote to Translink on the day of the event and received the following in response:

Thank you for your email of 22 September 2011 to our Feedback facility. Prompted by your e-mail I checked across our organisation and have not been able to confirm that any of the Translink team received an invitation to the event to which you refer.

That said, it would be wrong to conclude that Translink is not actively involved in the task of making its data more available to the public. The following lists some of the areas where Translink is making a valuable contribution in this sphere:

  1. We are working with the EU Inspire team to ensure Translink is fully compliant in the area of data share
  2. We have an ongoing programme in place to update our data across Metro, Goldline, Ulsterbus and NIR services  
  3. We are working with our sponsor department (DRD) and with representatives from DETI to explore ways in which we can make our data available to mobile apps developers I trust this brief response serves to assure you that Translink is playing an active role in this area.

The note I received highlights what I believe are some of the problems with Translink’s view on open data:

  1. Fully Compliant – why be fully compliant when you can exceed the standards required easily. Open the data up and you will be fully compliant.
  2. Programme in place to update the data – the data is there, open it up and the community will probably help you to keep it up to date. 
  3. Exploring ways to make the data available – It seems they have been exploring for a while. Why not check out this and more specifically this from the MTA in NYC? Free data available for developers to use.

It’s about time that the data was opened so that something can be done with it – there are some great apps out there already which have been pulled together from a screenscraping session but there should be more.

Why not tweet @translink_ni or write to them and ask them to open up the data?


Update 24th Oct 21:56: I have just done an FOI request  to ask for a bit more information from NITHC.

Dexter spoiler alert(but a fricking great image)

Wednesday, February 9, 2011 Posted by
Comments closed


Update 09/02/11 – 16:00

Thanks to @moonpo we now know it was created by Shahed Syed – brilliant work Shahed! Article on it is here

I’m not sure who created this image so can’t credit them – whoever it
was – great work!