[English] Dutch public transport ‘OV-chipkaart’ shows balance without authentication

[Dutch version]

Anyone using Dutch public transport pays with a so-called ‘OV-chipkaart’, an NFC card. Through a web portal, a traveler can look up the current balance on their card. It turns out that anyone can see another card holder’s balance by entering nothing more than that holder’s card number. This makes me uneasy when we consider the privacy of travelers.

What is the situation?

On this website I can enter someone’s card number and this is the result:

‘Jouw saldo’ means ‘your balance’. The result also states the last time the card was used. 

All I had to do was enter a card number. There was no request for additional verification such as a date of birth, a zip code or any other, more personal piece of data.

Also, on the website of the ‘Nederlandse spoorwegen’ (Dutch railways), I can enter a card number when using the web shop and the date of birth pops up without having to offer any additional verification.

What is the problem?

Using the above websites and someone’s card number, I can acquire the following data:

  • Current card balance
  • Last moment of card use
  • Date of birth
  • Validity

Subjectively, one may call this personal data; I certainly do. Objectively, chances are high that offering this data without any additional verification violates Dutch privacy law, as lawyer Arnoud Engelfriet states here (in Dutch): https://blog.iusmentis.com/2017/12/19/duh-natuurlijk-is-iemands-ov-saldo-kunnen-zien-datalek/
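To make the access-control point concrete, here is an added Python example that is not code from this post or from the Translink or NS websites; the card records, card numbers and account names in it are constructed sample data. The first function mirrors the card-number-only lookup described above; the second releases the same fields only to a logged-in account that has registered that card, answers identically for unknown, unowned and unauthenticated requests, and never echoes the date of birth.

```python
# Added example; not the operators' code. All records below are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Card:
    number: str
    balance_eur: float
    last_used: date
    date_of_birth: date
    valid_until: date


# Constructed sample cards; the numbers are made up.
CARDS = {
    "3528000000000001": Card("3528000000000001", 12.50, date(2017, 12, 18),
                             date(1985, 4, 3), date(2022, 1, 1)),
    "3528000000000002": Card("3528000000000002", 3.10, date(2017, 12, 17),
                             date(1990, 9, 21), date(2021, 6, 30)),
}
# Constructed mapping from card number to the account that registered it.
OWNER_OF = {"3528000000000001": "alice", "3528000000000002": "bob"}


def balance_lookup_unauthenticated(card_number: str) -> Optional[dict]:
    """The pattern described in the post: the card number is the only input,
    so anyone who knows a number receives the holder's data."""
    card = CARDS.get(card_number)
    if card is None:
        return None
    return {"saldo": card.balance_eur, "last_used": card.last_used.isoformat(),
            "date_of_birth": card.date_of_birth.isoformat(),
            "valid_until": card.valid_until.isoformat()}


def balance_lookup_for_account(session_user: Optional[str],
                               card_number: str) -> Optional[dict]:
    """Hardened form: the card number is an identifier, not a secret.
    Data is released only to a logged-in account that owns the card.
    No login, wrong owner and unknown card all return the same None, so the
    response does not reveal which card numbers exist."""
    if session_user is None or OWNER_OF.get(card_number) != session_user:
        return None
    card = CARDS[card_number]
    # The balance page has no need to echo the date of birth, even to the owner.
    return {"saldo": card.balance_eur, "last_used": card.last_used.isoformat(),
            "valid_until": card.valid_until.isoformat()}
```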

Dutch tech website Tweakers covered all this today in an article (in Dutch): https://tweakers.net/nieuws/133081/translink-ziet-inzien-saldo-met-willekeurig-ov-chipkaartnummer-niet-als-probleem.html

Update 1 – 19-12-2017:

The Dutch Railways tweeted that as of now, they disable showing the date of birth in their webshop.