NYC Subway Will Disable ‘Feature’ That Leaked Trip History After 404 Media Investigation

Around 24 hours after 404 Media published its investigation, the MTA says it will disable the feature, which an expert said was a “great fit” for abusers.

The Metropolitan Transportation Authority (MTA), the agency which maintains the New York City subway, says it has disabled a system that a 404 Media investigation found could allow stalkers or other third parties to follow specific travelers’ movements through the subway system just by entering their credit card number.

“This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account. As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers,” MTA spokesperson Eugene Resnick told 404 Media in a statement on Thursday.

Do you know about any similar tracking features? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at

The issue 404 Media covered was a little-known feature on the website for OMNY, the NYC subway’s contactless payment system. This feature allowed users to enter their credit card information to view their trip history over the past 7 days. But the system required no other authentication, meaning that anyone with those credit card details could perform lookups on other people’s trips. One potential scenario was an abusive partner, who may have easy access to their target’s credit card information, abusing the system.

“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF), who has extensively researched how abusive partners use technology, told 404 Media at the time.

404 Media continues to generate impact from its investigations. An article published last week, which focused on a supply chain of sensitive data that ended in the hands of violent criminals, resulted in a data broker blocking lookups on high-profile individuals and politicians.