The contactless payment system for New York City’s subways has come under scrutiny over a privacy loophole. Anyone who knows the credit card number and expiration date a rider tapped with can see that rider’s subway entries for the previous seven days. The cause is a “feature” of the OMNY website, the Metropolitan Transportation Authority (MTA)’s tap-to-pay system: card details alone are enough to pull up a ride history, with no account, password, or PIN required. This is a serious privacy problem, because a stalker, an abusive ex-partner, or anyone holding stolen card data can learn when and where a person typically enters the subway.
The issue was first reported by Joseph Cox of 404 Media, who tested the system by tracking a rider’s movements with their consent. He was able to see which stations the rider entered and at what times. Cox noted that with continued monitoring he could have identified the station where the rider most often starts their journeys, which would reveal their approximate place of residence. The flaw therefore lets an abuser track someone’s movements with very little effort.
Eva Galperin, the Director of Cybersecurity at the Electronic Frontier Foundation, emphasized the seriousness of this loophole. She stated, “This is a gift for abusers.” Galperin pointed out that while the OMNY website does offer the option to create a password-protected account, it is overshadowed by the prominently placed “Check trip history” section, which only requires a credit card number and expiration date without any additional security measures. She argued that the MTA could have easily resolved this issue by implementing a PIN or password requirement alongside the credit card information field. By doing so, it would have provided an additional layer of security and deterred unauthorized access to a rider’s travel history.
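The gap Galperin describes, as an added example that is neither the page’s nor the MTA’s code: a trip-history lookup keyed only on card number and expiration date, beside one gated by a rider-chosen PIN that is stored hashed, compared in constant time, rate-limited, and fails closed. Every name here is an assumption (the function names, the in-memory stores, the HMAC-derived card reference, the scrypt parameters, the lockout values), and the trips are constructed sample data, not anyone’s real taps.

```python
"""Trip-history lookup: card-details-only (weak) beside PIN-gated (hardened).

Illustrative code written for this article; it assumes an in-memory store
and a hypothetical API, not OMNY's real backend.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Hypothetical server-side secret. Card references are an HMAC over the card
# details so the trip store never holds raw card numbers.
SERVER_KEY = os.urandom(32)


def card_ref(pan: str, exp: str) -> str:
    """Opaque, keyed reference for one card (assumed scheme)."""
    return hmac.new(SERVER_KEY, f"{pan}|{exp}".encode(), hashlib.sha256).hexdigest()


# Constructed sample data: one rider's taps over the last seven days (not real).
SAMPLE_TRIPS = [
    ("2023-08-14T08:02", "Court Sq"),
    ("2023-08-15T08:05", "Court Sq"),
    ("2023-08-15T18:41", "14 St-Union Sq"),
]
TRIPS = {card_ref("4111111111111111", "1227"): SAMPLE_TRIPS}


def trip_history_weak(pan: str, exp: str) -> list:
    """The pattern the article describes: knowing the card details is the only check."""
    return TRIPS.get(card_ref(pan, exp), [])


# ---- Hardened variant: a rider-enrolled PIN is required for every lookup ----

@dataclass
class PinRecord:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


PINS: dict = {}          # card_ref -> PinRecord
MAX_FAILURES = 5         # assumed policy
LOCKOUT_SECONDS = 900    # assumed policy


def _pin_digest(pin: str, salt: bytes) -> bytes:
    # Memory-hard hash so a leaked PIN table cannot be brute-forced cheaply.
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enrol_pin(pan: str, exp: str, pin: str) -> None:
    """Enrol a PIN for a card. In a real deployment this must only be reachable
    from an authenticated session (e.g. the rider's OMNY account); if enrolment
    were open to anyone holding the card details, an attacker could enrol first."""
    if len(pin) < 6 or not pin.isdigit():
        raise ValueError("PIN must be at least 6 digits")
    salt = os.urandom(16)
    PINS[card_ref(pan, exp)] = PinRecord(salt, _pin_digest(pin, salt))


def trip_history_hardened(pan: str, exp: str, pin: str, now: float = None):
    """Return trips only when the PIN verifies; None on any failure.

    Returns the same None for 'no PIN enrolled', 'locked out' and 'wrong PIN'
    so the endpoint does not confirm whether a card is known to the system."""
    now = time.time() if now is None else now
    ref = card_ref(pan, exp)
    rec = PINS.get(ref)
    if rec is None:
        return None                      # fail closed: no PIN, no history
    if now < rec.locked_until:
        return None                      # still locked after repeated failures
    if not hmac.compare_digest(_pin_digest(pin, rec.salt), rec.digest):
        rec.failures += 1
        if rec.failures >= MAX_FAILURES:
            rec.locked_until = now + LOCKOUT_SECONDS
        return None
    rec.failures = 0
    return TRIPS.get(ref, [])


if __name__ == "__main__":
    print("weak:", trip_history_weak("4111111111111111", "1227"))
    enrol_pin("4111111111111111", "1227", "482913")
    print("hardened, wrong PIN:", trip_history_hardened("4111111111111111", "1227", "000000"))
    print("hardened, right PIN:", trip_history_hardened("4111111111111111", "1227", "482913"))
```

The weak function shows why card details alone are a poor credential: they are shared with every merchant and are routinely stolen. The hardened function adds a secret only the rider knows, and the lockout bounds online guessing of a 6-digit PIN; the uniform None response is what keeps the endpoint from becoming an oracle for which cards ride the subway at all.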
The problem persists even for riders who paid with Apple Pay. Apple Pay presents a device-specific virtual card number for each transaction, so merchants never receive the real card number, and Apple advertises exactly that. Yet the reporting confirmed that entering the real card number linked to an Apple Pay wallet on the OMNY website still reveals the rider’s seven-day point-of-entry history, even though that number was never used for the taps. This raises the question of how the MTA’s website links the two when merchants are not supposed to have access to the physical card number. The MTA says it cannot see the card numbers of customers who use Apple Pay; Apple has not yet responded to questions about how the association is made.
In response to these security concerns, the MTA has stated that it will consider making security changes as part of its ongoing system improvements. MTA spokesperson Eugene Resnick assured the public that maintaining customer privacy is a priority for the organization. The trip history feature was introduced to allow customers to easily check their paid and free trip history within the last seven days without the need to create an OMNY account. The MTA also offers the option of paying for OMNY travel with cash. Resnick acknowledged the importance of privacy and stated that the MTA would welcome input from safety experts as they continue to evaluate possible improvements.
In conclusion, the loophole in New York City’s subway contactless payment system raises significant concerns about privacy and personal safety. Being able to retrieve someone’s subway travel history with nothing more than a card number and expiration date creates a real risk of harassment, stalking, and abuse. The MTA, and Apple where the Apple Pay association is concerned, should address this urgently. Requiring a rider-set PIN or password, or an authenticated account, before any trip history is shown would be a crucial step towards closing the gap. By prioritizing customer privacy and taking the advice of safety experts, the MTA can protect the safety and security of its riders.