The NYC Subway Security Hole Lets Users Trace Trips With Cards

A recent discovery by 404 Media has highlighted a significant security flaw in New York City’s subway contactless payments system, potentially jeopardizing the privacy of riders. The flaw enables individuals armed with a rider’s credit card details to gain access to their travel history, raising concerns about unauthorized tracking of journeys, according to Finextra.

The flaw stems from a feature within the Metropolitan Transportation Authority’s (MTA) OMNY website, designed to provide users with a convenient way to access their seven-day ride history. Disturbingly, this feature does not require users to have an account protected by a PIN or password; instead, access is granted by merely entering the card details associated with the rider’s account.

Remarkably, this security gap affects various forms of payment, encompassing regular card transactions as well as mobile payment platforms like Apple Pay and Google Pay. The latter two methods typically employ tokenized numbers to enhance security for merchants, but in this instance, they are also vulnerable to exploitation.
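The design problem described above is a lookup endpoint whose only "credential" is a card number and expiry date, which anyone who has seen the card (or a wallet's fixed device token) can supply. The added example below is not the MTA's or OMNY's code; it contrasts that design with one in which the rider first enrolls the card behind an authenticated account, so a request must carry a valid session for an account that owns the card. Card numbers, trips, account names and the server key are all constructed sample values.

```python
"""Added example (not the MTA's or OMNY's code): a trip-history lookup that
accepts card details as the only credential, beside one that requires an
authenticated account that owns the card. All data and keys are constructed."""
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment would keep this in a KMS/HSM.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def card_token(pan: str) -> str:
    """Derive a stable lookup key from a card number without storing the PAN."""
    return hmac.new(SERVER_KEY, pan.encode(), hashlib.sha256).hexdigest()


# Constructed sample records. The second PAN stands in for a wallet's
# tokenized (device) number: it is still a fixed identifier, so keying trips
# by it leaks history just as a physical card number does.
CARDS = {
    card_token("4111111111111111"): {"expiry": "12/26"},
    card_token("4000000000000002"): {"expiry": "03/27"},
}
TRIPS = {
    card_token("4111111111111111"): [
        "2023-08-10 08:12 entry Times Sq-42 St",
        "2023-08-10 18:40 entry Wall St",
    ],
    card_token("4000000000000002"): ["2023-08-11 07:55 entry Atlantic Av"],
}

# Accounts own cards. Ownership is established when the rider enrolls a card
# behind a password (ideally plus a second factor), not at lookup time.
ACCOUNTS = {"alice": {card_token("4111111111111111")}}
SESSIONS: dict[str, str] = {}  # session id -> account id


def lookup_by_card_details(pan: str, expiry: str) -> list[str]:
    """The flawed design: whoever knows the card number and expiry can read the
    seven-day history. Nothing proves the caller is the rider."""
    token = card_token(pan)
    card = CARDS.get(token)
    if card is None or not hmac.compare_digest(card["expiry"], expiry):
        return []
    return list(TRIPS.get(token, []))


def create_session(account_id: str) -> str:
    """Issue a session id for an account. Password/2FA verification is assumed
    to have happened before this is called (outside the scope of the example)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = account_id
    return sid


def lookup_by_account(session_id: str, pan: str) -> list[str]:
    """Hardened design: the caller must hold a valid session, and the account
    behind it must own the card. Card details alone no longer suffice."""
    account_id = SESSIONS.get(session_id)
    if account_id is None:
        raise PermissionError("authentication required")
    token = card_token(pan)
    if token not in ACCOUNTS.get(account_id, set()):
        # One error for both "not yours" and "unknown card", so the endpoint
        # cannot be used to test whether a given card number is enrolled.
        raise PermissionError("card is not linked to this account")
    return list(TRIPS.get(token, []))


if __name__ == "__main__":
    print(lookup_by_card_details("4111111111111111", "12/26"))  # history with no login
    sid = create_session("alice")
    print(lookup_by_account(sid, "4111111111111111"))  # the owner's own card
    try:
        lookup_by_account(sid, "4000000000000002")  # another rider's card
    except PermissionError as exc:
        print("denied:", exc)
```

The point of the hardened version is where the binding between card and person is made: at enrollment, under a password, rather than at every lookup by whoever can type in the digits. A real service would additionally rate-limit the endpoint and log access attempts so that probing for enrolled cards is visible to the operator.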

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, emphasized the potential for misuse in such a situation. She pointed out that while the flaw might be especially attractive to individuals who have proximity to their victims, like cohabitants or those with brief access to their wallets, it nonetheless poses a substantial threat to riders’ privacy and security.

Eugene Resnick, a spokesperson for the MTA, responded to the discovery by stating that the agency remains committed to enhancing privacy measures for its riders. He assured the public that the MTA takes such concerns seriously and will actively seek input from safety experts to explore potential improvements to address this vulnerability.

As the MTA grapples with this security lapse, riders are urged to remain vigilant about their financial information and personal data. The incident underscores the ongoing need for stringent security measures in the realm of contactless payments, particularly as public transportation systems continue to modernize their fare payment systems.

In light of this revelation, it becomes evident that a comprehensive review of the MTA’s OMNY website and payment infrastructure is necessary to rectify this issue and prevent future breaches of sensitive information. As the MTA aims to ensure the privacy and safety of its riders, collaboration with cybersecurity experts and ongoing efforts to bolster their security protocols will be critical moving forward.
