/security

News and resources on cyber and physical threats to banks and fintechs worldwide.

NYC subway security hole lets people use card info to track journeys

A security flaw with the New York subway's contactless payments system lets people with a rider's credit card details see their travel history.

  0 Be the first to comment

NYC subway security hole lets people use card info to track journeys

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The issue, reported by 404 Media, stems from a feature on the Metropolitan Transportation Authority's (MTA's) OMNY website, which allows users to see their seven day ride history.

To see this information, riders do not need to have an account with a PIN or password. Instead, they simply enter their card details.

The feature works for normal card payments as well as Apple Pay and Google Pay, despite the latter two giving merchants a tokenised number.

“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, director of cybersecurity, Electronic Frontier Foundation, tells 404 Media.

MTA spokesperson Eugene Resnick says: "We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”

Sponsored [Webinar] Trusted Transactions: The Future of Risk-Based Authentication

Related Company

Keywords

Comments: (0)

New Report – The Future of AI in Financial Services 2025Finextra PromotedNew Report – The Future of AI in Financial Services 2025