In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew which station they entered and at exactly what time. A few hours later they entered another station. If I had kept monitoring this person, I would have worked out the station they usually start a journey from, which is near where they live, and the time of day they typically enter the subway.
During all this monitoring, I wasn’t anywhere near the rider. I didn’t even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system.
With their consent, I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—into the MTA site for OMNY, the subway’s contactless payments system. After a few seconds, the site returned the rider’s travel history for the past 7 days, with no other verification required.
The feature presents a significant privacy risk: it is supposedly designed for individuals to check their own travel history, but in reality it is wide open to abuse. After 404 Media flagged concerns from security experts to the MTA, a spokesperson said the agency will evaluate improvements to the system. At the time of writing, the tracking feature is still accessible without any authentication.
“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF) and who has extensively researched how abusive partners use technology, told 404 Media. “Credit card info is not a goddamn unique identifier.”
On the OMNY website, the MTA offers the ability for riders to “Check trip history.” This feature works for people who use contactless bank cards when entering the subway, or other solutions like Apple Pay and Google Pay.
The issue is that the feature requires no other authentication—no account linked to an email, for example—meaning that anyone holding a target’s card details can enter them and snoop on the target’s movements. Greg Sadetsky originally alerted 404 Media to the OMNY privacy issue.

To fix this issue “literally all that the MTA needed to do was add a PIN or password,” Galperin added.
The MTA does offer the option of an OMNY account, which requires a password. The website says having an account lets riders “Securely access your trip history.” But the first option that appears on the trip history website is the unauthenticated version.
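The access-control pattern described above, as an added example that is not MTA or OMNY code: a lookup keyed only on card details, which anyone who obtains those details can query, beside a lookup gated on an account password and on the card having been enrolled in that account. The card number, stations and trips are constructed sample data, and the fingerprint function stands in for whatever per-card identifier a real system derives; both are assumptions of this example.

```python
"""Toy model of an unauthenticated trip-history lookup and a hardened one.

Added example, not MTA/OMNY code. Card data, stations and trips are
constructed; card_fingerprint is an assumed stand-in for the real
per-card identifier (the MTA says it does not see the real card number).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def card_fingerprint(pan: str, exp: str) -> str:
    """Assumed per-card lookup key. The inputs are not secrets: anyone with
    brief access to a wallet, or a record bought from a marketplace, can
    reproduce this key, so it is an identifier and not a credential."""
    return hashlib.sha256(f"{pan}|{exp}".encode()).hexdigest()


SAMPLE_CARD = ("4111111111111111", "12/27")  # constructed test card

# Constructed trip log: entry station and time only, since per the MTA
# OMNY records the point of entry and not the exit.
TRIPS: Dict[str, List[Tuple[str, str]]] = {
    card_fingerprint(*SAMPLE_CARD): [
        ("Sat 15:12", "entry at Station A"),
        ("Sat 18:40", "entry at Station B"),
    ],
}


def trip_history_unauthenticated(pan: str, exp: str) -> List[Tuple[str, str]]:
    """The flawed design: card details alone unlock the history."""
    return TRIPS.get(card_fingerprint(pan, exp), [])


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    cards: Set[str] = field(default_factory=set)


class TripService:
    """Hardened design: history goes only to a logged-in account the card is enrolled in."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}    # session token -> username
        self.card_owner: Dict[str, str] = {}  # card fingerprint -> username

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def enroll_card(self, token: str, pan: str, exp: str) -> bool:
        """Bind a card to the caller's account; each card belongs to one account.
        Assumption flagged here: a real deployment must also verify the enrolling
        user controls the card (e.g. via the issuer), or an abuser could enroll
        the victim's card first. This toy simply lets the first enrollment win."""
        user = self.sessions.get(token)
        if user is None:
            return False
        fp = card_fingerprint(pan, exp)
        if self.card_owner.setdefault(fp, user) != user:
            return False
        self.accounts[user].cards.add(fp)
        return True

    def trip_history(self, token: str, pan: str, exp: str) -> Optional[List[Tuple[str, str]]]:
        """Card details are still needed, but are no longer sufficient."""
        user = self.sessions.get(token)
        if user is None:
            return None  # no valid session: nothing returned, whatever the card data
        fp = card_fingerprint(pan, exp)
        if fp not in self.accounts[user].cards:
            return None  # card not enrolled in this account
        return TRIPS.get(fp, [])


def demo() -> dict:
    """Run both designs against the same constructed card."""
    pan, exp = SAMPLE_CARD
    svc = TripService()
    svc.register("rider", "correct horse battery")
    rider = svc.login("rider", "correct horse battery")
    svc.enroll_card(rider, pan, exp)
    svc.register("abuser", "hunter2")
    abuser = svc.login("abuser", "hunter2")  # has the card data, not the rider's password
    return {
        "unauthenticated": trip_history_unauthenticated(pan, exp),  # leaks both trips
        "wrong_password": svc.login("rider", "guess"),              # None
        "no_session": svc.trip_history("forged-token", pan, exp),   # None
        "abuser_enroll": svc.enroll_card(abuser, pan, exp),         # False, card already bound
        "abuser_history": svc.trip_history(abuser, pan, exp),       # None
        "owner_history": svc.trip_history(rider, pan, exp),         # both trips
    }
```

Running `demo()` shows the contrast directly: the unauthenticated function hands over the full log to whoever types in the card details, while the hardened service returns nothing without the rider's password and an enrolled card, even to a second account that knows the same card data. The enrollment step is where the remaining risk sits, as the comment notes, which is why "add a PIN or password" has to cover the act of linking a card and not only the act of viewing history.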
Activists have long been concerned with what data the OMNY system may collect and provide to law enforcement. The Surveillance Technology Oversight Project (STOP) previously published a report with its concerns about the technology. “Given how often government agencies, including the New York Police Department (‘NYPD’), have abused surveillance data to target ethnic and religious minorities and how for-profit corporations face overwhelming pressure to monetize user data, OMNY has the potential to expose millions of transit users to troubling repercussions,” the report reads.
The difference with this feature on the OMNY site is that essentially anyone can abuse it, as long as they have the credit card information of the target.
Eugene Resnick, an MTA spokesperson, told 404 Media in an email that “The MTA is committed to maintaining customer privacy. The trip history feature gives customers a way to check their paid and free trip history for the last 7 days without having to create an OMNY account. We also give customers the option of paying for their OMNY travel with cash. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.” Update: after this article was published, the MTA said it will disable the relevant system. You can read more here.
The MTA added that OMNY does not record the point of exit of the rider, only the point of entry. The MTA also said the agency does not see the customer’s real credit card number.
404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay. Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems. Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.