NYC Transit Agency Removes Ability to Monitor Subway Passengers

The Metropolitan Transportation Authority (MTA) of New York City has revealed its decision to disable the functionality on its website that allowed individuals to track others’ movements by inputting their credit card details. The MTA has stated that it is deactivating the seven-day history feature for OMNY as a demonstration of its dedication to safeguarding privacy.

“This feature was intended to help our customers who want access to tap-and-go travel history, both paid and free, without an OMNY account,” MTA spokesman Eugene Resnick wrote in a statement to ReturnByte. “As part of the MTA’s continued commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”

The OMNY website included a page (screenshot above) where passengers could enter their credit card number and expiration date to view their seven-day entry history on the NYC subways. While it was intended to provide convenience to users, it was also a “gift to abusers,” as Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, described it to ReturnByte. Joseph Cox of 404 Media, who originally reported the vulnerability, was able to track someone’s entry points (with consent) using card information. “If I had followed this person, I would have discovered a subway station that they often start their journey from and that is close to where they live,” Cox wrote. “I also know what time this person can take the subway every day.”

The feature opened the door for stalkers, abusive exes, or anyone who got hold of a person’s credit card to find out where and when they got on the subway. The feature did not require a PIN or password; although a separate section allowed passengers to create a more secure account, it was buried further down the page.