Is Apple Pay Still Safe to Use Despite New York’s Subway Security Issue?

A researcher confirms that the flaw affects the security of the mobile payment service.

The exact nature of the Apple Pay vulnerability is unclear. Still, a researcher who monitored riders on New York's Metropolitan Transportation Authority (MTA) subway system claims that the same approach exposes a flaw in the mobile payment service.

After a delay due to issues with Apple's Express Transit service, all New York City subway stations finally accepted Apple Pay in 2020.

MTA Subway System Flaw


Joseph Cox of 404 Media, an independent media firm, claims he discovered an alarming vulnerability in MTA's systems, which also affects Apple Pay.

According to Apple Insider, Cox described how he tracked a traveler using their credit card information. And, without providing any context, he argued that the same technique is achievable with Apple Pay, even though it is widely regarded as a safer payment option.

The MTA operates New York City's subway system, and Cox said he was watching passenger movements from inside his apartment using a tool on the MTA website. The rider gave him permission to enter their credit card information into the MTA site for OMNY, the subway's contactless payments system. Such information might easily fall into the wrong hands: credit card information is widely available on underground markets or may be obtained easily by an abusive spouse.

He said that the website only took a few seconds to generate the rider's trip log for the previous week and that further verification was not even required.

Obviously, if this is true, MTA has a major security flaw on its hands. MTA emphasized its commitment to maintaining customer privacy by noting in an email to Cox that it only tracks passengers' points of arrival and not their departures. But in practice, this argument may not hold up.

How Safe Is Apple Pay?

So MTA's system is defective. The actual question, though, concerns Apple Pay, which should be immune to credit card-related security flaws.

Apple Pay only transmits a one-time verification code at the moment of transaction, never the actual credit card number.

Since Cox and others at 404 Media claimed they could do the same monitoring when Apple Pay is used, he concluded that Apple Pay is vulnerable. However, a copy of the findings has not been made available, and the question of what exactly defines the transaction point remains.

Cox's explanation on this matter is somewhat vague, but he claims that all he needed to do to see a user's MTA history was input their payment card information. That information must match what the user entered into the MTA's OMNY contactless payment system.
