NYC Subway Security Flaw Allows Tracking of Journeys Using Card Information

A security vulnerability in the New York subway’s contactless payment system allows anyone who has access to a rider’s credit card information to view that rider’s travel history.

This issue, highlighted by 404 Media, originates from a feature on the Metropolitan Transportation Authority’s (MTA) OMNY website that enables users to check their ride history for the past seven days. Remarkably, to access this information, riders are not required to have an account with a PIN or password; they only need to enter their card details.

The feature works for standard card payments as well as payments made through Apple Pay and Google Pay, even though the latter two methods use a tokenized number for transactions.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, noted, “Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets.”

In response, MTA spokesperson Eugene Resnick stated, “We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”