The NYC Subway Security Hole Lets Users Trace Trips With Cards

A recent discovery by 404 Media has highlighted a significant security flaw in New York City’s subway contactless payments system, potentially jeopardizing the privacy of riders. The flaw enables individuals armed with a rider’s credit card details to gain access to their travel history, raising concerns about unauthorized tracking of journeys, according to Finextra.

The flaw stems from a feature within the Metropolitan Transportation Authority’s (MTA) OMNY website, designed to provide users with a convenient way to access their seven-day ride history. Disturbingly, this feature does not require users to have an account protected by a PIN or password; instead, access is granted by merely entering the card details associated with the rider’s account.

Remarkably, this security gap affects various forms of payment, encompassing regular card transactions as well as mobile payment platforms like Apple Pay and Google Pay. The latter two methods typically employ tokenized numbers to enhance security for merchants, but in this instance, they are also vulnerable to exploitation.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, emphasized the potential for misuse in such a situation. She pointed out that while the flaw might be especially attractive to individuals who have proximity to their victims, like cohabitants or those with brief access to their wallets, it nonetheless poses a substantial threat to riders’ privacy and security.

Eugene Resnick, a spokesperson for the MTA, responded to the discovery by stating that the agency remains committed to enhancing privacy measures for its riders. He assured the public that the MTA takes such concerns seriously and will actively seek input from safety experts to explore potential improvements to address this vulnerability.

As the MTA grapples with this security lapse, riders are urged to remain vigilant about their financial information and personal data. The incident underscores the ongoing need for stringent security measures in the realm of contactless payments, particularly as public transportation systems continue to modernize their fare payment systems.

In light of this revelation, it becomes evident that a comprehensive review of the MTA’s OMNY website and payment infrastructure is necessary to rectify this issue and prevent future breaches of sensitive information. As the MTA aims to ensure the privacy and safety of its riders, collaboration with cybersecurity experts and ongoing efforts to bolster their security protocols will be critical moving forward.
