Security Cracks Open When The World’s Your Oyster

A new game that requires players to give up their Oyster Card passwords is presenting a new challenge for security experts, says Eric Doyle

Corporate security is under threat from a new generation of employees, who are happy to follow policy rules – except where they constrain their personal whims. Company information is appearing on social networking sites, USB sticks and cloud services regardless of the threats and cajoling in lengthy policy documents.

Even passwords may not be safe from widespread distribution, judging by the popularity of a new game on the Internet.

Your keys, please, and London is yours

Chromaroma is an innovative game which uses Transport for London (TfL) Oyster card and Barclays Bike scheme data. Based on the flash mob craze that swept major cities last year, Chromaroma uses tasks and events to get players to visit particular Tube stations and London locations at a particular time of day or challenges them to get from A to B in the shortest possible time to gain points.

The game is currently classed as being in public beta and was devised by Toby Barnes and Chris Thorpe under the company name of Mudlark.

Chromaroma players are divided into colour-coded teams and, based on TfL data collected when each player “touches in” their RFID Oyster card at the chosen station, they gain points and the team that accrues the most points “owns” that station. At the end of the year-long playing period, the team that owns the most stations wins the game – or “takes London”, as the gameplay overview states.

All a bit of harmless and, to my mind, pointless fun for airheads with too much time on their hands – but no more so than a game of Snap. Where I do balk during the enrolment process is the request that players must “Enter your Oyster card number, username, and password in your secure Account page on Chromaroma”.

Yes, to play, you have to reveal your account details, which effectively gives the Chromaroma site access to your personal details stored by TfL. The data, Mudlark claims, is securely encrypted but, as has been pointed out recently, encryption at rest does not protect data at the moment it has to be decrypted for use, and hackers are now targeting exactly that moment.

Ed Skoudis, senior security consultant at InGuardians, said that data has to be unencrypted to be useful and that hackers are planting Trojans that detect these weak points and stealing the data at the point of decryption. The process is known as “pervasive data scraping” and it is on the increase, Skoudis said.

To update the Chromaroma database, the users’ passwords are used to open their accounts and download their travel history. At that moment each user’s credentials exist in plaintext, one after another, on Mudlark’s systems, and are therefore potentially vulnerable to pervasive data scraping techniques. Unlike a site’s own login passwords, which only ever need to be checked and so can be stored as one-way hashes, a password that has to be replayed to a third party can only be stored reversibly.
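The distinction matters enough to show in code. The following is an added illustration, not code from Chromaroma or Mudlark, and it assumes nothing about how Mudlark actually stores data. It contrasts the two kinds of secret a site like Chromaroma must hold: its own login password, stored as a one-way scrypt hash and never decrypted, and the user's TfL password, which must be decrypted on every sync and handed to the HTTP client that logs in to tfl.gov.uk. The sync loop is the point of decryption; a hook on that client (here, a constructed `trojaned_fetch` callable standing in for a Trojan) captures the plaintext no matter how well the stored copy was encrypted. To keep the example stdlib-only, the reversible cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a stand-in for AES-GCM.

```python
"""Why a stored Oyster password can be scraped even though it is encrypted.

Added illustration, not Mudlark/Chromaroma code. Two kinds of secret:
  * the site's OWN login password only ever needs to be checked, so it is
    stored as a one-way scrypt hash and never exists in plaintext after signup;
  * the user's TfL password must be replayed to tfl.gov.uk on every sync, so
    it can only be stored reversibly and is decrypted in memory each time.
Stdlib only: the reversible cipher below (HMAC-SHA256 counter-mode keystream
plus an encrypt-then-MAC tag) is a stand-in for AES-GCM so this runs offline.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)   # ~16 MiB per hash, fine for a demo

# --- the site's own password: one-way, never decrypted ----------------------

def hash_site_password(password: str) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)}

def verify_site_password(password: str, rec: Dict[str, bytes]) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=rec["salt"], **SCRYPT)
    return hmac.compare_digest(digest, rec["hash"])

# --- the TfL credential: reversible, decrypted on every sync -----------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_credential(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_credential(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("credential blob tampered with")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# --- the nightly sync job: the point of decryption ----------------------------

def sync_travel_history(vault: List[Dict[str, object]], key: bytes,
                        fetch: Callable[[str, str], str]) -> List[str]:
    """Decrypt every stored TfL credential in turn and hand it to `fetch`,
    which stands for the HTTP client that logs in to tfl.gov.uk."""
    results = []
    for rec in vault:
        password = decrypt_credential(key, rec["tfl_password"]).decode()
        results.append(fetch(rec["tfl_username"], password))   # plaintext leaves our hands here
    return results

def demo() -> Dict[str, object]:
    """Constructed scenario: one user, one compromised HTTP client."""
    key = os.urandom(32)                       # the site's credential-vault key
    site = hash_site_password("chromaroma-only-pw")
    vault = [{"tfl_username": "alice",
              "tfl_password": encrypt_credential(key, b"oyster-pw-1234")}]

    scraped: List[str] = []
    def trojaned_fetch(username: str, password: str) -> str:
        scraped.append(f"{username}:{password}")   # what a hook on the client captures
        return f"history for {username}"

    history = sync_travel_history(vault, key, trojaned_fetch)
    return {
        "site_login_ok": verify_site_password("chromaroma-only-pw", site),
        "site_hash_reveals_password": b"chromaroma-only-pw" in site["hash"],
        "stored_blob_reveals_password": b"oyster-pw-1234" in vault[0]["tfl_password"],
        "scraped": scraped,
        "history": history,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the scrypt side shows and the vault side cannot: the site password is never recoverable from what is stored, whereas the TfL password is recoverable by design, because the sync job needs it. Encrypting the stored copy still has value (a copied database is useless without the key), but it cannot protect the credential at the moment it is used.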

Deal with it

TfL is not comfortable with this situation. The company has made timetables and anonymous, aggregated train, bus and bike tracking data available on the London Datastore, under its data transparency initiative. Emer Coleman, director of digital projects at the London Assembly, underlined the organisation’s concerns at the recent Cloud Expo Europe in London.

“The Oyster people cannot get their heads around why anyone would want to give away their username and password. I just think ‘Well, they are’ so you just have to deal with it,” she said.

“There are huge challenges for organisations who are concerned that they don’t want people to think they are giving away their data,” she explained. “Meanwhile, people are merrily giving away their own stuff because they want to participate in the game. TfL is not giving anything away but, from a corporate reputation point of view, will people understand that distinction?”

A spokesperson for TfL assured eWEEK Europe that it takes great care of Oyster card and Barclays Bike user details.

“User information is stored securely on www.tfl.gov.uk and the site is regularly tested to prevent vulnerabilities that might allow that data to be stolen. TfL urges all Oyster online card holders and Barclays Cycle Hire members to consider the personal risks of passing this information on to a third party,” warned TfL.

Questioning The Weakest Link

The question that Chromaroma players should be asking is whether Mudlark takes such great care. It does warn potential gamers that they should ensure their Oyster card and Barclays Bike usernames and passwords are not used elsewhere – sound advice, since a credential scraped from one site is only as damaging as the number of accounts it opens – but does it perform the same rigorous tests on its system that TfL claims to be doing?

For the rest of the users of the travel systems, it raises the question of whether Chromaroma’s access could provide a route for hackers to circumvent TfL’s security. Mudlark was approached to comment but has yet to reply [see below for subsequent – and very interesting – comments from Mudlark].

Industry has to come to terms with the fact that the new generation of workers are not as wary of security as their predecessors. This is not because they are all that different from previous generations.

It has always been a concern that users will take risky shortcuts to get their jobs done. Before the days of mobile apps, workers used to download freeware from the Internet, with no concerns about security implications.

Businesses and security staff have to accept that security is not in the mind of the average user – regardless of stringent penalties for contravening company policy. For years, we have been saying that businesses want to run their core business and not be too concerned about IT issues.

Underground Tunnels

That goes doubly for the users. They have a daily workload and line managers on their backs if they fall behind. To avoid criticism, they will try anything to keep up, even if it means bending the rules by using the same passwords for all systems in their business and private life; or by uploading company data to a public cloud service so it can be accessed from home.

It is only a matter of time before some bright spark finds a service that can be offered to these hard-pressed workers that hides a malicious operation. The recent spate of 419 email scams shows that people can often be conned out of thousands of pounds, so how much easier would it be to get them to reveal their log-on details?

The cavalier users of Chromaroma have a lot to teach security staff about security at grass-roots level. Security should be inherent in a system and not rely on collusion with users who have better things to worry about. It’s time that we started to see more products that recognise this and eliminate the weakest link.

Update: Mudlark’s Toby Barnes discusses the security implications of Chromaroma.