Posts Tagged translink

Data leak on Translink mLink application

Posted by on Wednesday, 8 February, 2012

I was in two minds about whether to write this post but I received a phone call today from the company mentioned below. While they’re following what they assured me are their internal processes and procedures, I think that they have let their users down by not notifying them of the potential leak of their personal data. They have assured me over the phone that Visa & Mastercard are investigating all patterns and users will be notified of any potential fraud but I don’t believe this is satisfactory.

Firstly, this is not a “hack” in any way. It is simply looking at the data which is being sent by the application which we’re trusting with personal information and commenting on it. The below was proven to be an issue on version 1.47 for Android phones and for version 1.4* on the iPhone. 

Secondly, once I notified Translink of the issue on 25th January, they took the problem seriously and worked very hard to get it resolved with Trapeze. Translink also issued an email advising users to update but there was no mention of the potential for their personal data being compromised. I should also say that Translink donated a monthly ticket to me so I could test the updated version for them. 



The mLink application is created by Concept Data Technologies Ltd, which is now a part of Trapeze, and is designed to offer e-tickets for users of Translink in Northern Ireland. It seems like the same application is also used for a number of different applications, which I can only presume have or currently feature the same problems. The largest of these looks to be the Arriva m-ticket.

I’ve used the product and it is OK; most of the time it works well, although I did encounter problems on my HTC Sensation due to the large screen size. This was resolved at the same time as the below issue.

The problem being discussed here is the potential to leak personal information.

The smaller problem

Translink state in their FAQs that:

Q – Will my credit card / bank account details be held on Translink’s server?

A – No, Translink does not hold any credit/debit card details; these are encrypted and held securely within the application on your phone. 

Despite the above, the credit/debit card information is being sent to a remote server. I would be really interested to discover if the information is actually being stored or if it’s just being used for identification purposes.

  • Why send the information if it’s not being stored? 
  • Why not be clearer in the FAQ?

The bigger problem

This information is being sent to the server using plain old HTTP and isn’t encrypted in any way. This means that the owner of any wireless connection I am using or happen to join on the way past will be able to read the information using some very basic techniques which have been outlined previously using tools such as Firesheep. Any wireless networks which proxy their traffic will be able to identify these details even more easily by simply grepping for mblox.

In this case, once I’d identified that data was being leaked, I used ZAP to identify the data being sent.

The following information about my account was sent off to the server upon registration completely unencrypted and using insecure http rather than https.


As you can see from the above screenshot, the following information is available in the clear.

  • Mobile Number
  • Title
  • Forename
  • Surname
  • Date of Birth
  • Email
  • Post Code
  • Card Number
  • Card Name
  • Expiry month
  • Expiry year


  • The way in which data is transferred from phone to server was completely insecure.
  • Data is transferred and presumably stored which appears to me to be against the terms and conditions and FAQs of using the application.
  • If you use the mLink application on Android or iPhone and it is version 1.4*, upgrade it straight away.

I’ve just been told about @robelkin’s investigations into some similar and potential new issues with the new version; it is great to see that there are some other curious people around. He’s shared this on his Twitter and we might update this post with further information as we find it.


Translink & Open Data #opengov

Posted by on Monday, 24 October, 2011

In mid-September I went to a great conference organised by Brian Cleland. The number of organisations was reasonably heartening although their message was less so. Essentially it boiled down to “don’t call us, we’ll call you”. GIS data being released in 2019 for instance and everything waiting on the publication of a report from Whitehall.

One of the local organisations which I, and I believe many others, feel is really dragging in terms of open data is Translink, who operate the trains/buses etc. here in Northern Ireland on behalf of the Northern Ireland Transport Holding Company, which is a Public Corporation (essentially, I believe, a company owned by our government). There have been efforts in the past by some brave local individuals to access the data from Translink but with very little success; I believe some PDFs were acquired at one point but nothing which was easily machine readable. I wrote to Translink on the day of the event and received the following in response:

Thank you for your email of 22 September 2011 to our Feedback facility. Prompted by your e-mail I checked across our organisation and have not been able to confirm that any of the Translink team received an invitation to the event to which you refer.

That said, it would be wrong to conclude that Translink is not actively involved in the task of making its data more available to the public. The following lists some of the areas where Translink is making a valuable contribution in this sphere:

  1. We are working with the EU Inspire team to ensure Translink is fully compliant in the area of data share
  2. We have an ongoing programme in place to update our data across Metro, Goldline, Ulsterbus and NIR services  
  3. We are working with our sponsor department (DRD) and with representatives from DETI to explore ways in which we can make our data available to mobile apps developers

I trust this brief response serves to assure you that Translink is playing an active role in this area.

The note I received highlights what I believe are some of the problems with Translink’s view on open data:

  1. Fully Compliant – why be fully compliant when you can exceed the standards required easily. Open the data up and you will be fully compliant.
  2. Programme in place to update the data – the data is there, open it up and the community will probably help you to keep it up to date. 
  3. Exploring ways to make the data available – It seems they have been exploring for a while. Why not check out this and more specifically this from the MTA in NYC? Free data available for developers to use.

It’s about time that the data was opened so that something can be done with it – there are some great apps out there already which have been pulled together from a screenscraping session but there should be more.

Why not tweet @translink_ni or write to them and ask them to open up the data?


Update 24th Oct 21:56: I have just done an FOI request to ask for a bit more information from NITHC.