NYC Subway's Contactless Payment System Raises Privacy Concerns


A security flaw has been discovered in New York City's subway contactless payment system. It allows anyone who has a person's credit card number to see that person's subway entries and locations over the past week.

NEW YORK, NEW YORK - APRIL 13: People ride a New York City subway station on April 13, 2021 in New York City. The Metropolitan Transportation Authority (MTA) announced that more than two million people rode the train last Thursday, the highest daily number since the coronavirus (COVID-19) pandemic struck New York. Spencer Platt/Getty Images

Raising Privacy Concerns

The New York City subway's contactless payment system has been found to have a significant security vulnerability. Engadget reported that this flaw allows individuals with access to someone's credit card number to track their recent subway entries and locations within the past week.

The issue originates from a "feature" on the website for OMNY, the Metropolitan Transportation Authority's (MTA) tap-to-pay system, which lets users view their recent ride history using only credit card information.

Even subway entries made with Apple Pay, which employs virtual numbers for transactions, are somehow connected to the user's actual credit card number.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, expressed concerns about the security flaw in the New York City subway's contactless payment system. According to Galperin, the accessibility of subway travel data could be exploited by abusers.

While the OMNY website provides the option to create a password-protected account, it prioritizes a less secure access method that only requires a credit card number and expiration date.

Galperin emphasized the need for additional security measures, such as a PIN or password requirement, to safeguard passenger information effectively.

Responding to This Issue

In response to inquiries regarding the association between the OMNY website and Apple Pay, the MTA stated that it lacks visibility into the credit card numbers of Apple Pay users.

However, there is still an unresolved question about how the MTA website manages to link the two without granting vendors access to the actual physical credit card number. Apple has yet to provide a response to queries on this matter.

Eugene Resnick, MTA spokesperson, addressed the concerns, stating that the MTA is dedicated to upholding customer privacy. He explained that the trip history feature provides a convenient way for customers to review their trip history without needing an OMNY account, covering both paid and free trips from the last 7 days.

Resnick also mentioned that the MTA offers customers the choice of using cash to pay for OMNY travel. Acknowledging the need for enhanced privacy, he noted that the MTA will take safety experts' feedback into account as they assess potential further enhancements to the system.

The MTA's lax approach to security could result in serious privacy breaches. This vulnerability opens the door for stalkers, former partners, or individuals who obtain or hack credit card details to monitor a person's subway entries.

Joseph Cox from 404 Media highlighted this issue by sharing how he tracked someone's journeys with their consent. Cox emphasized that if sustained, this surveillance could reveal patterns about the individual's commuting routine and living location.

Written by Inno Flores
Tech Times