New York City’s Metropolitan Transportation Authority (MTA) announced today that it’s disabling the “feature” on its website that made it possible to track people’s movements by entering their credit card info. The MTA says it’s turning off the seven-day history feature for OMNY as part of its commitment to privacy.
“This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account,” MTA spokesperson Eugene Resnick wrote in a statement to Engadget. “As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”
The OMNY website included a page (screenshotted above) where passengers could enter their credit card number and expiration date to view their seven-day point-of-entry history across NYC’s subways. Although intended to provide convenience for users, it was also “a gift for abusers,” as Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, described it to Engadget. Joseph Cox of 404 Media, which originally reported on the security hole, successfully tracked someone’s entry points (with consent) using their card info. “If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live,” Cox wrote. “I would also know what specific time this person may go to the subway each day.”
The feature opened the door to stalkers, abusive exes or anyone who got a person’s credit card to find out where and when they entered the subway. The feature didn’t require a PIN or password; although a separate section allowed travelers to create a more secure account, it was buried farther down the page.