New York subway has a security flaw that lets people track journeys using card info


A new report has revealed a significant security flaw in the New York City subway’s contactless payment system: anyone who knows a rider’s credit card details can see that rider’s travel history for the previous seven days. The report traces this to a feature on the Metropolitan Transportation Authority’s OMNY website that lets riders check their ride history.

The feature allows abusers to keep track of their victims

The information is available without creating an account, and no PIN or password is required. Whoever enters the card details is shown every location where that card was used to ride the NYC subway, whether or not they are the cardholder.

The report further notes that the feature works not only for rides paid with a physical card but also for rides paid through Google Pay and Apple Pay, even though both services give merchants a tokenized card number rather than the real card details. Tokenization, which is meant to keep the actual card number away from merchants, therefore offers no protection against this lookup.

Electronic Frontier Foundation’s director of cybersecurity, Eva Galperin, stated that this provides an opportunity for abusers who live with their victims or have physical access to their wallets to spy on them and monitor their movements. Galperin argues that even brief access to someone’s wallet would allow them plenty of time to see the victim’s card information and later use it to track the person at any time.

Travel details need to be better protected

MTA spokesperson Eugene Resnick also commented on the matter, saying that the MTA is always working on ways to improve privacy. The issue has only just emerged, and now that the MTA is aware of it, it will consult safety experts to plan its next step. Resnick added that the MTA will evaluate potential improvements and change the system if the experts find a need and recommend the best way to do it.

However, many already see this as a significant privacy risk in a feature that was supposedly designed to let riders see their own travel history, and point to several ways it could be abused. Galperin noted that credit card information is not reliable enough to serve as a unique identifier, because anyone who learns it can use it against the card’s owner.

A relatively easy fix would be to add a second method of authentication. Reading the card would not be enough if the lookup also required a password, a PIN, or at least confirmation through a specific email address. The underlying design error is treating a card number as a secret: it is disclosed to every merchant the rider pays and to anyone who opens the wallet, so knowing it proves nothing about who is asking.

Interestingly, the MTA does offer an optional OMNY account, which requires a password. However, the unauthenticated lookup is the first option presented when someone visits the website, so most riders never learn that a password-protected account is available. An optional account also only helps if the unauthenticated lookup is disabled for cards that have been linked to one; otherwise the card details still unlock the history regardless of whether the rider has registered.
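The contrast between a card-details-only lookup and an account-gated one, as an added Python illustration that is not from the report, the MTA or OMNY’s actual code. The ledger, account store, card number, station names and the out-of-band bind code are all constructed assumptions; the point is the authorization logic, not any real OMNY internals:

```python
"""Trip-history lookup: the card-details-only design beside a hardened one (constructed illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption: a server-held secret deriving a stable, non-reversible card reference,
# so the ledger never stores raw card numbers.
SERVER_KEY = secrets.token_bytes(32)

def card_ref(pan: str) -> str:
    """Keyed fingerprint of a card number; the only form kept in the ledger."""
    return hmac.new(SERVER_KEY, pan.encode(), hashlib.sha256).hexdigest()

# Constructed ledger: card_ref -> list of (timestamp, station) tap-ins.
LEDGER: dict[str, list[tuple[str, str]]] = {}

class AuthError(Exception):
    pass

# --- Weak design: knowing the card details is treated as proof of ownership. ---
def history_by_card_details(pan: str, expiry: str, cvv: str) -> list[tuple[str, str]]:
    """No account, PIN or password: anyone who has seen the card can call this."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and expiry and cvv.isdigit()):
        raise ValueError("malformed card details")  # a format check, not authentication
    return list(LEDGER.get(card_ref(pan), []))

# --- Hardened design: history goes only to a logged-in account that has proven
# control of the card, not merely knowledge of its number. ---
@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    cards: set[str] = field(default_factory=set)           # verified card_refs
    pending: dict[str, str] = field(default_factory=dict)  # card_ref -> bind code

ACCOUNTS: dict[str, Account] = {}
SESSIONS: dict[str, str] = {}  # session token -> username

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = Account(salt=salt, pw_hash=_pw_hash(password, salt))

def login(username: str, password: str) -> str:
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt)):
        raise AuthError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def _account_for(session: str) -> Account:
    user = SESSIONS.get(session)
    if user is None:
        raise AuthError("not logged in")
    return ACCOUNTS[user]

def start_card_bind(session: str, pan: str) -> str:
    """Begin linking a card. The returned one-time code stands in for something delivered
    out of band (assumed here: the descriptor of a small verification charge, visible only
    on the cardholder's statement), so a glance at the card in a wallet cannot complete it."""
    acct = _account_for(session)
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.pending[card_ref(pan)] = code
    return code

def confirm_card_bind(session: str, pan: str, code: str) -> None:
    acct = _account_for(session)
    ref = card_ref(pan)
    expected = acct.pending.get(ref)
    if expected is None or not hmac.compare_digest(expected, code):
        raise AuthError("bind challenge failed")
    del acct.pending[ref]
    acct.cards.add(ref)

def history_for_account(session: str, pan: str) -> list[tuple[str, str]]:
    """Same data as the weak lookup, gated on a session whose account owns the card."""
    ref = card_ref(pan)
    if ref not in _account_for(session).cards:
        raise AuthError("card not bound to this account")
    return list(LEDGER.get(ref, []))

def _attempt(fn, *args):
    try:
        return fn(*args)
    except AuthError as exc:
        return f"denied: {exc}"

def demo() -> dict:
    """Run both designs against the constructed ledger; returns what each caller sees."""
    pan = "4111111111111111"  # constructed test card number
    LEDGER.clear(); ACCOUNTS.clear(); SESSIONS.clear()
    LEDGER[card_ref(pan)] = [("2023-08-10T08:02", "Union Sq"), ("2023-08-10T17:45", "Jay St")]
    out = {"weak_stranger": history_by_card_details(pan, "12/27", "123")}  # a wallet glance suffices
    out["hardened_stranger"] = _attempt(history_for_account, "no-session", pan)
    register("rider", "correct horse battery staple")
    sess = login("rider", "correct horse battery staple")
    out["hardened_unbound"] = _attempt(history_for_account, sess, pan)  # logged in, card not proven
    code = start_card_bind(sess, pan)
    out["hardened_wrong_code"] = _attempt(confirm_card_bind, sess, pan, "x" + code[1:])
    confirm_card_bind(sess, pan, code)
    out["hardened_owner"] = history_for_account(sess, pan)
    return out
```

The second half makes a point that a password alone does not: if linking a card to an account required only the card details, an abuser could register their own account and link the victim’s card to it. The link step has to prove control of the card through something the wallet does not reveal, which is why the example gates it on an out-of-band code rather than on the card number.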

About Ali Raza

Ali is a professional journalist with experience in Web3 journalism and marketing. Ali holds a Master's degree in Finance and enjoys writing about cryptocurrencies and fintech. Ali’s work has been published on a number of leading cryptocurrency publications including Capital.com, CryptoSlate, Securities.io, Invezz.com, Business2Community, BeinCrypto, and more.