Got an Oyster card? TfL just locked your account, wants you to reset your password

TfL is asking all Oyster and contactless account holders to reset their passwords to reduce the risk of credential stuffing attacks.
Written by Steve Ranger, Global News Director

London's transport authority has locked all Oyster travel card and contactless accounts, requiring users to reset their passwords to regain access.

Back in August, Transport for London (TfL) discovered that around 1,200 Oyster accounts had been "accessed maliciously", most likely after their login credentials were compromised when using non-TfL websites.

Now, as a precautionary measure, TfL is asking all Oyster and contactless account holders to reset their passwords to reduce the risk of stolen passwords being used to break into their Oyster accounts -- an attack known as 'credential stuffing'.


Since 28 November, all Oyster and contactless accounts have been locked, TfL said, and will only be unlocked once customers request a password reset, which will be sent to their registered email address.

These new passwords will need to be at least eight characters long and contain a mixture of numbers, upper-case letters and lower-case letters. TfL warned customers never to share their password or account details with any third-party apps or websites.

However, even while their account is locked, customers will still be able to travel using their Oyster or contactless card, as well as top up their cards at a ticket machine or an Oyster Ticket Stop.

Shashi Verma, chief technology officer at Transport for London, said: "This is a precautionary measure due to earlier reported instances of a very small number of accounts being accessed maliciously using data obtained from non-TfL websites."

George Loukas, associate professor in cybersecurity at the University of Greenwich, said: "It is often tempting to use the same password or slight variations on different websites. Don't."


Every time you hear a retailer, gaming site or online storage provider has been hacked, you can consider the username and password pairing that you used there as practically public knowledge because crooks will use automated systems to test that combination to see if they've been used for other services.

"Use different passwords for every online service you use. If this sounds too much, then try a password manager that does it for you. If any online service you use offers two-factor authentication, then give that a try too," he said.
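As an added illustration of the pattern described above (not code from the article or from TfL), here is a small defender-side check over a constructed login log that separates a credential-stuffing run, many different accounts tried from one address with a low hit rate, from a single user retrying their own password; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample login log (not real TfL data). Many different accounts
# tried from one address with a low hit rate is the stuffing signature.
SAMPLE_LOG = """\
2019-11-28T09:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2019-11-28T09:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2019-11-28T09:00:02Z ip=203.0.113.7 user=carol@example.com result=success
2019-11-28T09:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2019-11-28T09:00:04Z ip=203.0.113.7 user=erin@example.com result=fail
2019-11-28T09:00:05Z ip=203.0.113.7 user=frank@example.com result=fail
2019-11-28T09:01:10Z ip=198.51.100.2 user=grace@example.com result=fail
2019-11-28T09:01:20Z ip=198.51.100.2 user=grace@example.com result=fail
2019-11-28T09:01:40Z ip=198.51.100.2 user=grace@example.com result=success
2019-11-28T09:02:00Z ip=192.0.2.9 user=heidi@example.com result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")


def summarise_by_ip(log_text):
    """Per source IP: attempt count, distinct accounts tried, accounts that logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not look like login events
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "success":
            s["hits"].add(m["user"])
    return stats


def flag_credential_stuffing(log_text, min_attempts=5, min_distinct=4, max_hit_rate=0.3):
    """Return {ip: summary} for addresses whose pattern matches credential stuffing.

    A forgetful user retries ONE account (198.51.100.2 above) and is not flagged;
    a stuffing run cycles through MANY leaked pairs with few successes. The
    'compromised' list is the set of accounts to lock and force-reset."""
    flagged = {}
    for ip, s in summarise_by_ip(log_text).items():
        distinct = len(s["users"])
        hit_rate = len(s["hits"]) / s["attempts"]
        if s["attempts"] >= min_attempts and distinct >= min_distinct and hit_rate <= max_hit_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": distinct,
                           "hit_rate": round(hit_rate, 2), "compromised": sorted(s["hits"])}
    return flagged
```

On the sample log only 203.0.113.7 is flagged, with carol@example.com as the one account that would need the kind of lock-and-reset TfL applied.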
