11 Nov 2013

Council shuts down bus card website

11:30 am on 11 November 2013

The Canterbury Regional Council says it is temporarily shutting down the website for Christchurch's bus card in order to investigate a claim that users' personal details can be hacked.

A security researcher whose online name is AmmonRa says the Metrocard system has security flaws that allow access to people's names, addresses and phone numbers, and also allow funds to be added or removed from the cards.

He says if a card is not registered, it is possible for another person to hack the account of the card owner. He says he informed the council, which runs the bus network, and was told they knew about the flaw but were not planning on doing anything about it.

However, the council now says the website was closed down on Monday morning. Operations director Wayne Holten-Jefferies says that if the researcher is to be believed, the problem could be fixed in half a day.

"Our staff will be working with the German suppliers of the info to rectify the issue," he says.

Technology blogger Keith Ng, who exposed a security flaw in Work & Income's self-service kiosks in 2011, says the fact the council has been using technology that is known to be faulty is very concerning.