18 Oct 2017

AT HOP's web woes traced to 'Kiwi Hub' app

6:08 am on 18 October 2017

Weeks of trouble on Auckland Transport's electronic travel card website have been linked to an increasingly popular smartphone app.

One of Auckland's 57 new electric trains at Henderson Station

A train at Henderson Station. Photo: Supplied/Auckland Transport

AT was alerted to the trouble when some credit card top-ups to AT HOP accounts began stalling, and spent a weekend - with help from software engineers in Paris - trying to find the cause.

The agency now says thousands of AT HOP cardholders had given their account details to the Kiwi Hub app, which then overloaded the website with automated, high-speed requests for information.

Because the requests were in the names of individual card holders, it took AT a while to make the link to the Kiwi Hub app.

The app combines public transport information for Wellington, Christchurch and Auckland - where users were invited to provide account details to see their AT HOP account balances and journey details.

The app saw a surge of interest with users in Auckland rising to 15,000.

"We are talking about a robot which was sending multiple requests within milliseconds, whereas a normal user would only be able to click a refresh button every three or four seconds," AT HOP Group general manager Denise Verrall said.

Ms Verrall said the security of the AT HOP system was never breached as the app access did not involve cardholders' financial transactions.

However, AT is urging cardholders using Kiwi Hub to change their passwords, and reminded them never to provide account details to third parties.

Local software developer Sergey Efimov, who designed the Kiwi Hub app, seemed embarrassed at being linked to the problem when contacted by RNZ.

He has since disabled the AT HOP part of the app.

According to the app's user reviews, the AT HOP function giving cardholders up-to-date account balances appeared to have been its most popular feature.

He said he had not realised his long-running project would cause trouble.

"This is a start-up I've tried to build, it's like my hobby. It's not something I'm making money on right now," he said.

His company Esperite is working to gather and merge data from transport, entertainment and other areas to create databases for companies to reach potential customers.

He said he had no access to personal details of app users, just anonymous data about journeys taken.

Kiwi Hub and the data-mining concept behind it was something he'd been working on for a couple of years, he said.

AT said it hoped to have a similar feature added to its own app around April next year.

Kiwi Hub has far fewer users in Wellington and Christchurch, and does not offer access to electronic card information in either city.

Get the RNZ app

for ad-free news and current affairs