We recently saw how a partial credit card number exposed by Amazon was used to gain fraudulent access to an individual's iCloud and ultimately to other online accounts.
Now we learn that receipts for payment card based self-service top-ups of Myki cards include more details of the card used than ASIC recommends.
The cardholder's name, nine digits of the card number (not the usual last four or five that suffice to give the cardholder a record of which card was used) and its expiry date are all shown on the receipt.
Yes, the imprinters that were previously used for card transactions generated a receipt with the full card number, expiry date and a copy of the cardholder's signature, but we've moved on from there.
The sting in the tail with the Myki machines is that they reportedly issue a receipt even when the customer indicates they don't want one.
Furthermore, if a receipt is requested. a two copies are printed. This makes it likely that at least one receipt will be left behind.
Why it has taken so long for the issue to come to light is a mystery.
For privacy reasons, some travellers decline to register their cards on the Myki web site and only top up with cash.