How to Hack an Oyster Card

There are many reasons to want to know where somebody has been on the Tube:

  • Do you want to find out where your girlfriend/boyfriend has been on the tube?
  • Are you concerned that your boss is traveling around London, looking to replace you?
  • Are you just a regular stalker/paparazzi who wants to follow somebody around?
  • Are you a private investigator who wants to know where your perp has gone on the tube?

Whatever the reason, the following guide, of just five simple steps, will show you how to access the travel details of a person’s recent Underground journeys:

  1. Obtain the relevant Oyster Card
  2. Take the card to the nearest London Underground Station
  3. Walk up to a counter, hand the card over and state “Excuse me mate, but I am not sure my balance is right on this, I think I didn’t swipe out recently, can you check it for me?”
  4. The TFL staff will then print out a list of the last couple of weeks’ journeys and hand it to you
  5. Leave the station with the card, the paper, a nefarious mindset and a maniacal laugh

Joking aside, this actually works.

This is slightly concerning, because people can so easily access other people’s travel details. It may not bother many people, who will simply say that their journey to work and home again is their standard commuter route, and so of no interest. Others may think differently.

Firstly, private investigation firms do still use illicit methods to obtain data. The recent telephone bugging scandals involving journalists are nothing new; they have only just come to light. A few years ago, several well-known companies were involved in a case that showed that information was obtained illegally, via data theft.

High-net-worth individuals, especially if they are going through a divorce or possibly a major deal, can attract the attention of investigation firms. There have been occasions when these individuals have had their routes monitored, their phones and computers hacked into, and other such activity.

People who are involved in protests, anyone from animal rights activists to the anti-war lobby, are likely to be monitored and tracked where possible, and this is not all done via the state. Large corporations that are likely to be disrupted, or targeted, by protests sometimes employ private firms to provide their own intelligence briefings, and these firms will go to great lengths to obtain this information for their client.

Interestingly, the TFL (Transport for London), who operate the London Underground, have an exemption from the Data Protection Act, which allows MI5 and the police to get near-live data from the system, and so track people moving around London.

Data Theft and the Legal System

Recently more news has come to light about data theft: More people are implicated, more data has been misused, and the fines seem to be poor. This all raises more questions than it answers.

A few days ago Mathew Single was sentenced for publishing the BNP membership details, which he took from the BNP, i.e. data theft. The ramifications of publishing the data were a series of vigilante acts against the members. Regardless of your views about the BNP, they are a legal party, membership of the BNP is legal, and they have even won an election. However, vigilante acts and data theft are not legal.

Despite this, the fine for publishing the data, for breaking the law, was just £200. Even the judge complained about the level of the fine.

In addition to this, more and more details of data theft are gradually leaking out. There have been allegations of Prince William and Prince Harry’s phones being accessed. Also, the previous Head of the Professional Footballers’ Association, Gordon Taylor, had his phone hacked by the News of the World. The News of the World paid £700,000 in damages, following a court case, “but on condition that details of the case were not made public”. How can such a major media outlet go to court, lose, and still manage to keep the details of such an important case secret for so long? The key word in that sentence is probably “major”.

The ICO has recently stated that they have been let down by the press, politicians, and the court system: by the failure to create strong enough laws, and by the failure of the courts to effectively enforce the laws they have.

Recently Steve Whittamore, a former police officer turned private detective turned crook, has come back into the news. He worked for a company called JJ limited and during his time there uncovered 17,500 pieces of personal information for over 400 journalists (from a variety of papers). The data he and his colleagues obtained varied from banking and telephone information to DVLA and PNC records.

In February 2004, Steve Whittamore and three others were all convicted of the offences they were charged with and received … a conditional discharge. A conditional discharge, for those not familiar with the legal system, means nothing.

It means they went to court, got told they were bad people who had done a very bad thing, and then walked out, without so much as a peek at a prison. To criminals a conditional discharge is about as effective as sending a sex addict to a lap dancing bar. It just encourages them.

So, the laws are all a bit rubbish, the courts are useless, and the CPS could not organise a piss-up in a brewery. But who is buying all of this data (other than journalists)?

So, Who buys Stolen Data?

[The article below has been re-published from July 2008 due to the current relevance]

A lot of the market for personal data theft is in the “gray/black” market.

Some companies specialize in the selling of personal information, anything from just the name and address (phone book/electoral roll) up to bank details, phone records etc. The reported costs of this data vary from $100 to $500. These companies, which sell the data to lawyers and businesses, may not “acquire” the information themselves but rather subcontract it out, keeping the “dirty end” of the business very much at arm’s length. This means that the person who uses the data, apparently legitimately, is removed by at least two steps from the actual “data theft”.

One such example involves Mischon de Reya, a famous UK law firm, and Carratou, an investigation agency, which were involved in the purchasing of stolen information.

In this case Mischon wanted to find information about Mr Hughes, the former chairman of the now collapsed Allsports. Based on this, Mischon instructed Carratou to track down Mr Hughes. Carratou then instructed Sharon and Stephen Anderson, who are independent contractors. Sharon and Stephen then sourced a variety of information about Mr Hughes, including details of 11 of his bank accounts. They charged around £150 for each piece of financial data. They gained access to this information through phone calls (impersonating Mr Hughes), false letters, etc.

Once the Andersons had “stolen his identity” and got the relevant information, this information was then passed from the Andersons to Carratou, then from Carratou to Mischon, and then to Mischon’s client. The whole incident only came to light when Mr. Hughes took Carratou to court to find out how they had accessed his bank accounts.

It has since been revealed that Sharon and Stephen Anderson made around £140,000 a year doing this, which equates to nearly 4 pieces of financial information every work day. This means that they are supplying a lot of data to a lot of companies.

Articles in the Guardian and Computer Active and ICO

Other cases of people obtaining and selling data:

Man Convicted of selling personal data

ICO Publishes list of Media Buying Data

So, who buys the stolen data?

The media (who are always reporting on data theft), people in the investigation industry (who are there to protect the public and businesses), and businesses (who are the victims of hackers and data theft).

Who suffers most? The public.

OFSTED: How a school fakes their data. Part 7

Following on from the sexual assault of the girl at School1, which the School failed to report to the police, the situation has since developed.

The police were called, independently of the School, and when they attended, the School told the police that there were no CCTV images of the attack. This is strange, because the school had already reviewed the CCTV and there were indeed images of the assault. When the police were informed of this (i.e. that the school had lied about the CCTV), they asked for a copy of the CCTV but were refused, with the school demanding that the police obtain a warrant.

Section 19 and Section 20 of PACE allow the police to seize exhibits, but as they are invited onto the premises, it gets slightly awkward to enforce this law.

This school was given a near outstanding mark by OFSTED, but who would want their child to go to that school?

OFSTED: How a school fakes their data. Part 5

This continues the series on how a London School, School1, fakes their OFSTED reports, which results in appalling teaching conditions for the children and a shocking working environment.

School1 is bad, it’s really bad. Children suffer ABH, but the police are not called. Teachers are assaulted, and need surgery, but the police are still not called. Students have their heads stamped on, and suffer head injuries, but are denied immediate access to medical treatment.

All of this is to protect the statistics, to make sure that the school “looks good”. Reality is irrelevant; it’s all about perception and targets.

So how does the school fake it when OFSTED conduct their investigation? The plan is as simple as it is dishonest: lie and hide the evidence. The bad students are deleted off the register anyway, so part of the problem is resolved.

But with so many poorly behaved children, and teachers who are unable to control them, how does the school get away with an OFSTED inspection? Firstly, the OFSTED inspection is a couple of days, so it’s really only cursory. Secondly, and more dishonestly, the school simply tells the bad students and teachers just to stay away: to not be there during the inspection. Out of sight, out of mind.

Once the inspection has been successfully faked, the chaos can continue: the kids walking around school playing football, smoking, and telling the staff to fuck off, all during class time. It seems that staff locking themselves in a classroom for their own safety is OK, as long as OFSTED does not find out.

OFSTED: How a school fakes their data. Part 4

In the continuing examples of a London-based school allowing children to assault, beat, and cheat their way through school, this latest article explores the issue of deleting children off the register, and the effects that has on the school and the children.

This school, known as School1, is based in London and has an almost outstanding OFSTED report, despite the dire state it’s in. This is due to a combination of fraud, dishonesty, and bad practices in the school, which cover up the facts from OFSTED.

School1, like all schools, is marked on a variety of issues including attendance and exam results. If there is a child that is constantly violent, refuses to attend school, and will fail exams, this is bad for the school and lowers their statistics.

There are two ways of addressing this:

(1) fix the problem and educate the child, as is expected at school

(2) delete the child from the records so that they don’t count towards the statistics. 

School1, unsurprisingly, goes for option 1. The child still attends the school, when he/she chooses to. The child may even attend exams, but they are not on the books; more importantly, they are not on the books anywhere. They are “off the system”, so to speak.

This means that the child’s health, education, reading age, risk of abuse, or any other metric designed to protect the children, are not monitored.