The New York City subway's contactless payment system has raised concerns after a security flaw was found that lets anyone with a rider's credit card number see when and where that rider entered the subway in the last seven days.
The issue lies in a feature on the website for OMNY, which is the tap-to-pay system for the Metropolitan Transportation Authority (MTA). It lets you view your recent ride history using only credit card info.
NYC Subway Security Flaw
Additionally, subway entries bought using Apple Pay, which provides merchants with a virtual number instead of your real one, can still be linked to customers' physical credit card numbers.
The loose implementation of the MTA's system could allow stalkers, abusive exes, or anyone who can hack into or purchase a person's credit card information online to find out when and where riders typically enter the subway.
The story was first reported by Joseph Cox of 404 Media, who detailed how, with a rider's consent, he could track the stations they entered and the corresponding times. He said that if he had continued monitoring that person, he would eventually have figured out the subway station they usually start at, which would presumably be near where they live.
Cox added that he could also tell at what specific time that person could be expected to go to the station each day. The Electronic Frontier Foundation's director of cybersecurity, Eva Galperin, said the loophole is a gift for abusers.
Currently, the OMNY website allows passengers to create a password-protected account, an option found below the "Check trip history" section. The trip history check itself only requires a credit card number and expiration date and does not ask for any further security input, as per Engadget.
Galperin noted that the situation is a real problem if the option to track a rider's location does not need password security. She added that the MTA could have fixed the loophole by adding a PIN or password requirement alongside the credit card field.
Tracking Riders' Trip History
When asked about linking Apple's virtual number to riders' location tracking, the MTA said it could not see the credit card numbers of those who used Apple Pay. Apple, for its part, did not immediately respond to questions about how the two are linked when there is no access to the rider's credit card number, according to The Verge.
The MTA said it would look into additional security changes to improve its systems to serve riders better. Company spokesperson Eugene Resnick said that they are committed to maintaining customer privacy.
The security issue comes as New York Gov. Kathy Hochul and New York City Mayor Eric Adams earlier this year announced new data that showed significant progress on subway and transit public safety initiatives.
Last October, the two officials announced that the New York Police Department (NYPD) and the MTA Police Department would deploy more officers on platforms and expand capacity at the New York State Office of Mental Health.
The latter is meant to support unhoused individuals sheltering in the subway system and people suffering from severe mental illnesses, said Homeland Security Today.