Translink Fail

The Queensland Government recently introduced the Go card to provide a single intelligent ticketing mechanism for (almost) all public transport in South East Queensland.

The technology was developed by Cubic Transportation Systems and similar cards are in use all over the world.  The idea is when you get onto a bus or a train or anything, you touch your Go card to the sensor.  When you get off, you touch it again and the appropriate amount of money gets debited from your card balance.  Presuming it works, it's a sensible system in my opinion.

Despite catching a bus to (not from) work nearly every working day, I had originally avoided the new system for a few reasons.  The main one was that it provided no financial benefit to me.  There's a refundable deposit that's payable when you buy a card, and the cost of an individual one-way ticket was the same whether you used the card or paid cash on the bus.  Discounts only came when you used it more than 6 times in a week.  I very, very rarely travel by bus more than half a dozen times a week.  In early August however, the fares will come down for the Go card only.  This makes it more attractive, so I went to purchase one.

The TransLink website provides an online web ticketing service that lets you purchase a card online.  Presumably they send it out to you but I didn't get that far because frankly, I was too scared.  Let me show you.

After a couple of short screens asking you about the type of card you want, you come across this screen:

TransLink Online Web Ticketing - First Screen

Notice the "Billing Account Question" at the bottom.  There's no more information on what this is for, but I presume it's some kind of verification question you have to answer in order to make payments or maybe changes to your billing details.  The default question is, "What is my name?".  That's probably the worst security question I've ever heard! Ok, I'm generous, so I'll give them the benefit of the doubt here and assume that this isn't used for anything important.  You can change it anyway, and if you're sensible, you probably will.

Let's look at the next screen:

TransLink Online Web Ticketing - Second Screen

The first thing I noticed was that there was another "Cardholder Question".  Is this different from the other one?  Again, there's no help available to tell you what it's for.  At least the question is slightly more difficult to guess this time.  I wasn't terribly concerned at this point, so I continued.

Here's the next screen:

TransLink Online Web Ticketing - Third Screen

Now I'm quite concerned.  Firstly, it appears that despite this being a Queensland Government website, I'm suddenly being charged in pounds.  On one of the first screens, I was told that the charge was $5 so I could probably assume that they just got the currency symbol wrong, but this is a big deal.  What if I am going to end up paying the equivalent of just over $10? I had a look at the address bar to make sure I was still in the right place, and yes, it's an Australian domain.  I'm growing more and more reluctant to sign up to this thing.  Of course by this stage, I've already given them my credit card details, and who knows whether they've been stored.

So next, I clicked on the terms and conditions link at the bottom of the page.  Here's what the pop-up window said:

TransLink Online Web Ticketing - Terms and Conditions

So that's it.  I'm done.  No way I'm going to buy online using a credit card from a site with that many problems. The other thing that the terms and conditions error showed me was that they appear to be using Lotus-Domino version 4.6.7a.  The current stable version is version 8.  And does that "a" indicate an alpha version?  The Wikipedia page on Lotus Domino doesn't even recognise the software before version 5, and the page on Lotus Notes suggests that version 4.6.7 was released sometime prior to 1999.  I'd hate to think what kind of exploits could be carried out on that server.  Colour me scared.
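The error page described above is the kind of version disclosure a site owner should catch before going live: the product and version end up in the Server header, in a stack trace, or in a default error page. As an added example (not code from this post, and not anything TransLink or Cubic runs), here is a small Python heuristic that parses a raw HTTP response and flags product/version strings in the headers that usually carry them and in the body. The two sample responses are constructed for the example; the header format and error wording are assumptions and are not what the TransLink site actually returned.

```python
import re
from typing import Dict, List, Tuple

# Response headers that routinely carry product and version strings.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

# Tokens that look like "product/version" but are protocol names, not software.
IGNORED_PRODUCTS = {"http", "https", "tls", "ssl", "html", "xhtml", "xml"}

# Heuristic: a product name followed by "/", " ", " v" or " version " and a
# dotted version number with an optional suffix, e.g. "Lotus-Domino/4.6.7a".
VERSION_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_.-]{1,40})(?:/|\s+(?:version\s+)?v?)(\d+(?:\.\d+)+[A-Za-z0-9-]*)",
    re.IGNORECASE,
)


def parse_response(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into status line, headers and body.
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_version_disclosures(headers: Dict[str, str], body: str) -> List[str]:
    """Return one finding per product/version string found in a disclosing
    header or in the response body (error pages are the usual offender).
    Header keys are expected in lower case, as parse_response produces them."""
    findings: List[str] = []

    def scan(text: str, where: str) -> None:
        for m in VERSION_RE.finditer(text):
            product, version = m.group(1), m.group(2)
            if product.lower() in IGNORED_PRODUCTS:
                continue
            findings.append(f"{where}: {product} {version}")

    for name, value in headers.items():
        if name in DISCLOSING_HEADERS:
            scan(value, f"header {name}")
    scan(body, "body")
    return findings


def audit_response(raw: str) -> List[str]:
    """Convenience wrapper: parse a raw response and report disclosures."""
    _, headers, body = parse_response(raw)
    return find_version_disclosures(headers, body)


# Constructed sample: an error page from a server that announces its version
# both in the Server header and in the page text (not captured from any real site).
LEAKY_ERROR_PAGE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Lotus-Domino/4.6.7a\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Error 500</h1>"
    "<p>Lotus-Domino version 4.6.7a could not open the database.</p>"
    "</body></html>"
)

# Constructed sample: the same failure with the Server header removed and a
# generic error body that gives the user a reference number instead of internals.
HARDENED_ERROR_PAGE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Something went wrong</h1>"
    "<p>Please try again later. Reference: TXN-000123.</p>"
    "</body></html>"
)

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_ERROR_PAGE), ("hardened", HARDENED_ERROR_PAGE)):
        print(label, audit_response(page) or "no version disclosure found")
```

Running this against your own staging environment's error responses (not someone else's site) is a cheap pre-release check; the fix on the server side is to suppress the product banner in the web server configuration and to serve a custom error page that never echoes version strings or stack traces.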

Now, I'm sure I could have continued on my merry way, bought the card, and everything would have worked out fine, but I wasn't convinced that the transaction would work or even that my information was safe.  SSL or no, the currency problems and the information gathered from that error page just scare me too much.

To be honest, I'm not sure I'm comfortable buying the card at all any more.  The cards have to be registered, so I assume I have to give them some kind of personal information.  With web software that old, I simply can't trust that it's safe.

I certainly hope they sort all this out soon if they plan to decommission their other ticketing options.

Damo

Damian Brady

I'm an Australian developer, speaker, and author specialising in DevOps, MLOps, developer process, and software architecture. I love Azure DevOps, GitHub Actions, and reducing process waste.
