The NYC Subway Security Hole Lets Users Trace Trips With Cards

A recent discovery by 404 Media has highlighted a significant security flaw in New York City’s subway contactless payments system, potentially jeopardizing the privacy of riders. The flaw enables individuals armed with a rider’s credit card details to gain access to their travel history, raising concerns about unauthorized tracking of journeys, according to Finextra.

The flaw stems from a feature within the Metropolitan Transportation Authority’s (MTA) OMNY website, designed to provide users with a convenient way to access their seven-day ride history. Disturbingly, this feature does not require users to have an account protected by a PIN or password; instead, access is granted by merely entering the card details associated with the rider’s account.

Remarkably, this security gap affects various forms of payment, encompassing regular card transactions as well as mobile payment platforms like Apple Pay and Google Pay. The latter two methods typically employ tokenized numbers to enhance security for merchants, but in this instance, they are also vulnerable to exploitation.
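To make the access-control failure concrete, here is a constructed model of the ride-history lookup described above (added here; not the MTA's or OMNY's code). It contrasts a lookup that accepts card details as the only credential with a hardened version that requires an authenticated session and checks that the card is linked to that account; the card number, trips, accounts and session tokens are all made up for the illustration.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data (not real OMNY records). Taps are keyed by a hash
# of the card or wallet token number; because the token itself is the lookup
# key, an Apple Pay / Google Pay token is no better protected than a PAN here.
def card_key(number: str) -> str:
    return hashlib.sha256(number.replace(" ", "").encode()).hexdigest()

ALICE_CARD = "4111 1111 1111 1111"  # constructed test card number
TRIPS = {
    card_key(ALICE_CARD): [
        ("2023-08-20T08:05", "Times Sq-42 St"),
        ("2023-08-21T18:40", "Grand Central"),
        ("2023-08-05T09:00", "Union Sq"),  # older than seven days, not shown
    ],
}
NOW = datetime(2023, 8, 25)  # fixed "current time" for the example

def recent_trips(number: str, now: datetime = NOW) -> list:
    """Seven-day ride history for a card, as the lookup feature exposes it."""
    cutoff = now - timedelta(days=7)
    return [t for t in TRIPS.get(card_key(number), [])
            if datetime.fromisoformat(t[0]) >= cutoff]

def history_vulnerable(number: str, expiry: str, cvv: str) -> list:
    """Weak design: the printed card details are the only credential, so
    anyone who has handled (or photographed) the card can pull the history."""
    return recent_trips(number)  # expiry/cvv prove knowledge of the card only

# Hardened design: a logged-in session plus an ownership check on the card.
ACCOUNTS = {"alice": {card_key(ALICE_CARD)}, "bob": set()}  # cards per user
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}       # issued at login

def history_hardened(session_token: str, number: str) -> list:
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("login required")
    if card_key(number) not in ACCOUNTS[user]:
        # Knowing the card is not authorization: bind lookups to the account
        # that enrolled the card (or its wallet token) under a password/PIN.
        raise PermissionError("card not linked to this account")
    return recent_trips(number)
```

With the weak design any caller holding the card details gets the two recent trips; the hardened version returns them only to Alice's session and refuses an anonymous caller or another user's session.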

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, emphasized the potential for misuse in such a situation. She pointed out that while the flaw might be especially attractive to individuals who have proximity to their victims, like cohabitants or those with brief access to their wallets, it nonetheless poses a substantial threat to riders’ privacy and security.

Eugene Resnick, a spokesperson for the MTA, responded to the discovery by stating that the agency remains committed to enhancing privacy measures for its riders. He assured the public that the MTA takes such concerns seriously and will actively seek input from safety experts to explore potential improvements to address this vulnerability.

As the MTA grapples with this security lapse, riders are urged to remain vigilant about their financial information and personal data. The incident underscores the ongoing need for stringent security measures in the realm of contactless payments, particularly as public transportation systems continue to modernize their fare payment systems.

In light of this revelation, it becomes evident that a comprehensive review of the MTA’s OMNY website and payment infrastructure is necessary to rectify this issue and prevent future breaches of sensitive information. As the MTA aims to ensure the privacy and safety of its riders, collaboration with cybersecurity experts and ongoing efforts to bolster their security protocols will be critical moving forward.
