Tracking NYC Subway Riders’ Journeys Made Possible by Security Flaw
New York City’s subway contactless payment system has a security vulnerability that exposes users’ travel patterns. The flaw allows anyone who knows a person’s credit card number to look up that person’s subway entries over the past week. The issue stems from a “feature” on the website of OMNY, the Metropolitan Transportation Authority’s tap-to-pay system, which lets users view their ride history using nothing but their credit card details. Surprisingly, even subway entries made through Apple Pay, which presents merchants with a virtual number instead of the real one, still show up under the user’s physical credit card number.
The MTA’s lax implementation could allow stalkers, abusive exes, or anyone who hacks or buys a person’s credit card information online to find out when and where that person usually gets on the subway. Joseph Cox of 404 Media originally reported the story, detailing how he (with the rider’s consent) tracked the stations the rider entered, at similar times each time. “If I had followed this person, I would have discovered a subway station that they often start their journey from and that is close to where they live,” Cox wrote. “I also know what time this person can take the subway every day.”
“This is a gift to abusers,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, told ReturnByte. The OMNY website also allows travelers to create a password-protected account, but that option sits below the more visible “Check Travel History” section at the top of the page, which requires only a card number and expiration date and no other information. “It’s a real problem that the ability to track your location — without any kind of password protection — is available on a website in the first place,” Galperin noted. She says the MTA could have “fixed this simply” by adding a PIN or password requirement next to the credit card field.
The site still shows your travel history even if you pay with Apple Pay. The iPhone maker says its tap-to-pay system gives merchants a virtual number instead of the physical card number. “And when you pay, Apple never shares your card numbers with merchants,” says a marketing blurb on the company’s website. But a ReturnByte employee confirmed that entering the number of a credit card linked to an Apple Pay account they had used for the subway, without ever tapping the physical card itself, still revealed their seven-day trip history.
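As an added illustration, not OMNY’s code or anything from the reporting above, the following Python sketch contrasts a lookup of the kind described (card number plus expiration date is the entire check, and wallet taps surface under the physical card) with a password-protected design along the lines Galperin suggests, where history is released only to an enrolled credential that proves a PIN and is keyed to the credential actually tapped. The card numbers, stations, times and the token-to-card map are constructed sample values; how the real site links a wallet token to a physical card is not public, so that linkage is simply modelled as a dictionary.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (hypothetical, not OMNY's): a physical card, a wallet
# token standing in for it at the turnstile, and a map resolving token to card.
PAN, EXPIRY = "4111111111111111", "12/27"
WALLET_TOKEN = "4999000011112222"
TOKEN_TO_PAN = {WALLET_TOKEN: PAN}
TAPS = [("125 St", "08:02", PAN), ("125 St", "08:05", WALLET_TOKEN)]

def fingerprint(value: str) -> str:
    """Opaque index for a card or token so the store never holds raw numbers."""
    return hashlib.sha256(value.encode()).hexdigest()

CARDS = {fingerprint(PAN): EXPIRY}  # what the weak check compares against

def weak_history(pan: str, expiry: str, taps=TAPS) -> list:
    """Models the reported behaviour: number + expiry is the whole check, and
    wallet tokens are resolved to the underlying card before matching, so a
    stolen card number also reveals trips paid with the phone."""
    if CARDS.get(fingerprint(pan)) != expiry:
        return []
    return [(st, t) for st, t, cred in taps if TOKEN_TO_PAN.get(cred, cred) == pan]

class Accounts:
    """Hardened variant: history is released only to an enrolled credential that
    proves a PIN, with lockout, and is keyed by the credential actually tapped."""
    def __init__(self, max_failures: int = 5):
        self.pins = {}                  # fingerprint -> (salt, pin hash)
        self.failures = defaultdict(int)
        self.max_failures = max_failures

    def _hash(self, pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, credential: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.pins[fingerprint(credential)] = (salt, self._hash(pin, salt))

    def history(self, credential: str, pin: str, taps=TAPS):
        fp = fingerprint(credential)
        if fp not in self.pins or self.failures[fp] >= self.max_failures:
            return None                 # same answer whether unknown or locked out
        salt, expected = self.pins[fp]
        if not hmac.compare_digest(self._hash(pin, salt), expected):
            self.failures[fp] += 1
            return None
        self.failures[fp] = 0
        # No token-to-card resolution: a wallet tap is only visible to the
        # wallet credential's own enrolment, never under the physical card.
        return [(st, t) for st, t, cred in taps if fingerprint(cred) == fp]
```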
When asked about how the OMNY website connects the two, the MTA told ReturnByte that it doesn’t see the credit card numbers of customers who use Apple Pay. Apple did not immediately respond to an emailed request for comment about how the MTA website ties Apple Pay trips to a physical credit card number when merchants are not supposed to have access to that number.
The MTA says it is considering safety changes as it improves its system. “The MTA is committed to preserving customer privacy,” MTA spokesman Eugene Resnick wrote to ReturnByte in an email. “The Trip History feature gives customers a way to check their paid and free trips for the past 7 days without having to create an OMNY account. We also offer customers the option to pay for their OMNY trips with cash. We are constantly working to improve privacy and take feedback from security experts into account when evaluating possible further improvements.”