The NYC Subway Security Hole Lets Users Trace Trips With Cards

A recent discovery by 404 Media has highlighted a significant security flaw in New York City’s subway contactless payments system, potentially jeopardizing the privacy of riders. The flaw enables individuals armed with a rider’s credit card details to gain access to their travel history, raising concerns about unauthorized tracking of journeys, according to Finextra.

The flaw stems from a feature within the Metropolitan Transportation Authority’s (MTA) OMNY website, designed to provide users with a convenient way to access their seven-day ride history. Disturbingly, this feature does not require users to have an account protected by a PIN or password; instead, access is granted by merely entering the card details associated with the rider’s account.

Remarkably, this security gap affects various forms of payment, encompassing regular card transactions as well as mobile payment platforms like Apple Pay and Google Pay. The latter two methods typically employ tokenized numbers to enhance security for merchants, but in this instance, they are also vulnerable to exploitation.
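The design problem the two paragraphs above describe is that the card number (or wallet token) is used both as the lookup key for the ride history and as the only credential needed to read it. The following is an added illustration, not MTA or OMNY code, of that weak pattern next to a hardened one in which ride history is an account-scoped resource that can only be read from an authenticated session after the card has been linked. All function names, the server key and the tap records are constructed for the example; a production system would also verify card ownership at link time, which is left out here.

```python
"""
Added illustration (not MTA/OMNY code): a minimal model of a ride-history
lookup in the weak form described in the article (card details alone unlock
the history) beside a hardened form that requires an authenticated account
to which the card has been linked. All names and data are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-server-side-secret"  # assumption: kept server-side only


def card_ref(pan_or_token: str) -> str:
    """Keyed hash of the card number or wallet token, used as the storage key
    so the backend never indexes on the raw PAN. It is an identifier only and
    must never double as an authenticator: anyone who knows the card number
    can compute it, as the weak lookup below shows."""
    return hmac.new(SERVER_KEY, pan_or_token.encode(), hashlib.sha256).hexdigest()


# Constructed tap records: card reference -> list of (timestamp, station).
# The second entry models an Apple Pay / Google Pay style token, which the
# article notes was accepted just like a plain card number.
TAPS = {
    card_ref("4111111111111111"): [("2023-08-01T08:02", "Bedford Av"),
                                   ("2023-08-01T17:41", "Union Sq")],
    card_ref("wallet-token-5f3a"): [("2023-08-02T09:15", "Atlantic Av")],
}


# --- weak form: knowledge of the card details is the whole credential -------
def history_by_card_details(pan_or_token: str) -> list:
    """Returns the ride history to anyone able to supply the card details."""
    return TAPS.get(card_ref(pan_or_token), [])


# --- hardened form: history is an account-scoped resource ------------------
@dataclass
class Account:
    username: str
    pw_hash: bytes
    salt: bytes
    linked_cards: set = field(default_factory=set)


ACCOUNTS: dict = {}   # username -> Account
SESSIONS: dict = {}   # session token -> username


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = Account(username, _pw_hash(password, salt), salt)


def login(username: str, password: str):
    """Returns a random session token on success, None on failure."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt)):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def link_card(session: str, pan_or_token: str) -> bool:
    """Linking is only possible inside an authenticated session. A real
    deployment would also verify ownership of the card here (assumption:
    issuer-side verification, not modelled). Returns False if denied."""
    user = SESSIONS.get(session)
    if user is None:
        return False
    ACCOUNTS[user].linked_cards.add(card_ref(pan_or_token))
    return True


def history_for_account(session: str, pan_or_token: str):
    """Returns the history only for a card linked to the caller's own account;
    returns None (denied) if there is no valid session or the card is not
    linked. Knowing someone else's card details is no longer sufficient."""
    user = SESSIONS.get(session)
    if user is None:
        return None
    ref = card_ref(pan_or_token)
    if ref not in ACCOUNTS[user].linked_cards:
        return None
    return TAPS.get(ref, [])
```

The hardened path keeps the same keyed card reference for storage; what changes is that the reference is never accepted as proof of identity. The history lookup is authorized by the session, and the session is authorized by a password the rider chose, which is exactly the protection the article notes the OMNY feature lacked.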

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, emphasized the potential for misuse in such a situation. She pointed out that while the flaw might be especially attractive to individuals who have proximity to their victims, like cohabitants or those with brief access to their wallets, it nonetheless poses a substantial threat to riders’ privacy and security.

Eugene Resnick, a spokesperson for the MTA, responded to the discovery by stating that the agency remains committed to enhancing privacy measures for its riders. He assured the public that the MTA takes such concerns seriously and will actively seek input from safety experts to explore potential improvements to address this vulnerability.

As the MTA grapples with this security lapse, riders are urged to remain vigilant about their financial information and personal data. The incident underscores the ongoing need for stringent security measures in the realm of contactless payments, particularly as public transportation systems continue to modernize their fare payment systems.

In light of this revelation, it becomes evident that a comprehensive review of the MTA’s OMNY website and payment infrastructure is necessary to rectify this issue and prevent future breaches of sensitive information. As the MTA aims to ensure the privacy and safety of its riders, collaboration with cybersecurity experts and ongoing efforts to bolster their security protocols will be critical moving forward.
