A security flaw has been discovered in New York City's subway contactless payment system. This allows individuals with someone's credit card number to track their subway entries and locations over the past week.
(Photo : Spencer Platt/Getty Images)
NEW YORK, NEW YORK - APRIL 13: People ride a New York City subway station on April 13, 2021 in New York City. The Metropolitan Transportation Authority (MTA) announced that more than two million people rode the train last Thursday, the highest daily number since the coronavirus (COVID-19) pandemic struck New York.
Raising Privacy Concerns
The New York City subway's contactless payment system has been found to have a significant security vulnerability. Engadget reported that this flaw allows individuals with access to someone's credit card number to track their recent subway entries and locations within the past week.
The issue originates from a "feature" on the OMNY website, the Metropolitan Transportation Authority's (MTA) tap-to-pay system, which permits users to access their recent ride history solely through credit card information.
Even subway entries made with Apple Pay, which employs virtual numbers for transactions, are somehow connected to the user's actual credit card number.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, expressed concerns about the security flaw in the New York City subway's contactless payment system. According to Galperin, the accessibility of subway travel data could be exploited by abusers.
While the OMNY website provides the option to create a password-protected account, it prioritizes a less secure access method that only requires a credit card number and expiration date.
Galperin emphasized the need for additional security measures, such as a PIN or password requirement, to safeguard passenger information effectively.
Responding to this Issue
In response to inquiries regarding the association between the OMNY website and Apple Pay, the MTA stated that it lacks visibility into the credit card numbers of Apple Pay users.
However, there is still an unresolved question about how the MTA website manages to link the two without granting vendors access to the actual physical credit card number. Apple has yet to provide a response to queries on this matter.
Eugene Resnick, MTA spokesperson, addressed the concerns, stating that the MTA is dedicated to upholding customer privacy. He explained that the trip history feature provides a convenient way for customers to review their trip history without needing an OMNY account, covering both paid and free trips from the last 7 days.
Resnick also mentioned that the MTA offers customers the choice of using cash to pay for OMNY travel. Acknowledging the need for enhanced privacy, he noted that the MTA will take safety experts' feedback into account as they assess potential further enhancements to the system.
Also Read: Top 5 iPhone New York Subway Apps for 2022
MTA lax approach to security could result in serious privacy breaches. This vulnerability opens the door for stalkers, former partners, or individuals who obtain or hack credit card details to monitor a person's subway entries.
Joseph Cox from 404 Media highlighted this issue by sharing how he tracked someone's journeys with their consent. Cox emphasized that if sustained, this surveillance could reveal patterns about the individual's commuting routine and living location.
Related Article: New York's Mass Transit System Curbs Relationship with Twitter After Price Increase
