NYC subway security flaw makes it possible to track riders’ journeys

The MTA's OMNY website shows a seven-day ride history with only a credit card number.

Michael M. Santiago via Getty Images

The contactless payment system for New York City’s subways has a security hole. Anyone with access to someone’s credit card number can see when and where they entered the city’s underground transit during the last seven days. The problem lies in a “feature” on the website for OMNY, the tap-to-pay system for the Metropolitan Transportation Authority (MTA), which allows you to view your recent ride history using only credit card info. Further, subway entries purchased using Apple Pay — which gives merchants a virtual number instead of your real one — still somehow link to your physical credit card number.

The MTA’s loose implementation could allow stalkers, abusive exes or anyone who hacks into or purchases a person’s credit card information online to find out when and where they typically enter the subway. Joseph Cox of 404 Media initially reported on the story, detailing how (with a rider’s consent) he tracked the stations they entered — with corresponding times. “If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live,” Cox wrote. “I would also know what specific time this person may go to the subway each day.”

“This is a gift for abusers,” Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, told Engadget. The OMNY website also allows passengers to create a password-protected account, but it sits below the more prominent “Check trip history” section atop the page, requiring only a number and expiration date without any further security input. “It is a real problem that the option to track your location — without any kind of password security — is available first on the website,” noted Galperin. She says the MTA could have “fixed this simply” by including a PIN or password requirement alongside the credit card field.

The ‘check trip history’ section of the OMNY website. It includes entry fields for entering a credit card number and expiration date.
The ‘check trip history’ section of the OMNY website. It includes entry fields for entering a credit card number and expiration date. (Metropolitan Transportation Authority)

The website still shows your travel history even if you paid with Apple Pay. The iPhone maker says its tap-to-pay system gives merchants a virtual number rather than the physical card’s number. “And when you pay, your card numbers are never shared by Apple with merchants,” a marketing blurb on the company’s website reads. But an Engadget staffer confirmed that entering their actual credit card number linked to the used Apple Pay account — without having directly used that card to ride — still revealed their seven-day point-of-entry history.

When asked about the OMNY website linking the two regardless, the MTA told Engadget it can’t see the credit card numbers of customers who use Apple Pay. Apple didn’t immediately respond to an emailed request for comment about how the MTA website associates the two without vendors having access to the physical credit card number.

The MTA says it will consider security changes as it improves its system. “The MTA is committed to maintaining customer privacy,” MTA spokesperson Eugene Resnick wrote to Engadget in an email. “The trip history feature gives customers a way to check their paid and free trip history for the last 7 days without having to create an OMNY account. We also give customers the option of paying for their OMNY travel with cash. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”