The contactless payment system for New York City’s subways has a security hole. Anyone with access to someone’s credit card number can see when and where they entered the city’s underground transit during the last seven days. The problem lies in a “feature” on the website for OMNY, the tap-to-pay system for the Metropolitan Transportation Authority (MTA), which allows you to view your recent ride history using only credit card info. Further, subway entries purchased using Apple Pay — which gives merchants a virtual number instead of your real one — still somehow link to your physical credit card number.
The MTA’s loose implementation could allow stalkers, abusive exes or anyone who hacks into or purchases a person’s credit card information online to find out when and where they typically enter the subway. Joseph Cox of 404 Media initially reported on the story, detailing how (with a rider’s consent) he tracked the stations they entered — with corresponding times. “If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live,” Cox wrote. “I would also know what specific time this person may go to the subway each day.”
“This is a gift for abusers,” Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, told Engadget. The OMNY website also allows passengers to create a password-protected account, but it sits below the more prominent “Check trip history” section atop the page, requiring only a number and expiration date without any further security input. “It is a real problem that the option to track your location — without any kind of password security — is available first on the website,” noted Galperin. She says the MTA could have “fixed this simply” by including a PIN or password requirement alongside the credit card field.
The website still shows your travel history even if you paid with Apple Pay. The iPhone maker says its tap-to-pay system gives merchants a virtual number rather than the physical card’s number. “And when you pay, your card numbers are never shared by Apple with merchants,” a marketing blurb on the company’s website reads. But an Engadget staffer confirmed that entering their actual credit card number linked to the used Apple Pay account — without having directly used that card to ride — still revealed their seven-day point-of-entry history.