Despite promising the public it had fixed a privacy issue in the most heavily used public transport system in the U.S., the Metropolitan Transport Authority (MTA) somehow managed to actually not fix a directly related issue, and instead left a gaping hole that allowed me to obtain trip histories stretching back all the way to March.
Now, after I showed them this additional hole, the MTA has disabled the ability for people with accounts on OMNY, the contactless payment system for the New York City subway, to look up their trip history. In short, it was possible for malicious third parties to pull up months' worth of trip histories with just a target’s credit card information. The news follows another report by 404 Media in August which found a similar issue which could reveal 7 days' worth of data and which the MTA plugged. The new issue impacted a much greater stretch of time.
“This feature has been removed while we evaluate new tools to serve our customers,” a message on the OMNY website reads when a user is logged in and viewing the “Trips” tab.
The issue revolves around how OMNY handles account creation and verification. When a user creates a free OMNY account with an email address and password, they are asked if they wish to add a travel card. Here, an attacker is essentially free to add whatever credit or bank card they want as long as it is not already linked to an existing OMNY account. What this means in practice is that an attacker can get hold of a target’s credit card information—a trivial task in an abusive relationship where the person has physical access to the card, for instance—and then add that card to their own account. A person calling themselves Max E. Designer first alerted 404 Media to the issue.
404 Media tested this loophole with a card and obtained trip histories stretching back to March this year. The OMNY website then lets a user export all of those trips as a PDF or CSV. The data does not show where someone exited the subway, but does provide granular and precise information on when exactly a person swiped into the subway and at what station. This can be especially useful information to a stalker for figuring out where a person may be at a particular point in time.
“As part of our longstanding commitment to customer privacy, protection of customer information across the MTA is regularly reviewed. The OMNY trip history feature currently is not available, and its data has never been misused to our knowledge,” Eugene Resnick, deputy communications director at the MTA, told 404 Media in a statement.
In August, 404 Media first reported on a related OMNY privacy issue. In that case, there was no need for account creation. An attacker simply needed to enter a target’s credit card information into a section of the OMNY website to obtain 7 days of data. Initially, Resnick said in a statement that “The MTA is committed to maintaining customer privacy. The trip history feature gives customers a way to check their paid and free trip history for the last 7 days without having to create an OMNY account. We also give customers the option of paying for their OMNY travel with cash. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”
Then around 24 hours after the 404 Media report, the MTA disabled the feature.