NYC Subway Disables Trip-History Feature Over Tap-and-Go Privacy Concerns

Published: 23/11/2024   Category: security




The move by New York's Metropolitan Transit Authority (MTA) follows a report that showed how easy it is for someone to pull up another individual's seven-day ride history through the One Metro New York (OMNY) website.



New York's Metropolitan Transportation Authority (MTA) has disabled a feature associated with its contactless payment system for the city's subway system, following a report showing how easily someone could abuse it to access another individual's trip history for the prior seven days.
The report by 404 Media described how anyone with access to a credit card number that another individual might have used to tap-and-pay for subway rides could then use the card to track the individual's movement on the subway system. All that someone needed to do was to enter the card number into the MTA's One Metro New York (OMNY) website to pull up the associated account holder's trip history for the preceding week — without any additional verification.
In addition to someone having physical access to another individual's wallet, credit card numbers are also easily available in underground markets for anyone willing to buy them. A report that Comparitech released in August showed that the average Dark Web price for basic credit card information — including card number, CVV, expiration date, and cardholder name — is $17.36. The prices are tied to the available credit on a stolen card and go into the hundreds of dollars for cards with high credit limits. Just buying a number, though, is likely much more affordable.
OMNY's trip history information shows only the point of entry into the subway system, not the exit point. Even so, the data is enough for an abuser to stalk victims or for someone to track an individual or narrow down where they might live, the 404 Media article warned. The report quoted a privacy expert who expressed concern over how the MTA appeared to have used an individual's credit card number as the primary identifier and did not require so much as a PIN to authenticate that identity.
In an emailed statement to Dark Reading, MTA spokesman Eugene Resnick said the transit authority has temporarily suspended the trip history feature on its OMNY website. “This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account,” Resnick said. “As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”
Meanwhile, MTA continues to give subway riders the option to pay for their travel with cash and is willing to consider input from safety experts on potential improvements to the contactless payment option, he noted.
MTA formally introduced its contactless tap-to-pay option for subway rides four years ago, in June 2019. The option allows riders to pay for rides using their contactless credit or debit cards. Riders also have the option to use mobile wallets such as Google Pay and Apple Pay to pay for rides by simply tapping their smart devices at OMNY readers installed in the city's subway system.
The MTA itself does not store or see the actual card number. Rather, all card numbers are tokenized — or obfuscated — as an additional security precaution. According to the MTA, this allows transactions to be processed and trip histories to be generated without the MTA ever knowing the actual credit card number.
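The gap between tokenized storage and access control, as an added example that is not MTA or OMNY code: tokenization keeps the raw number out of the trip store, but a lookup that accepts the card number as the only input still returns the history to anyone who knows that number. The keyed-hash tokenizer, the account and session tables, and every name and value in the block are assumptions constructed for illustration.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
TOKEN_KEY = b"constructed-demo-key"
RIDER_CARD = "4111111111111111"  # standard test card number, not a real account


def tokenize(card_number: str) -> str:
    """Stand-in for tokenization: a keyed, deterministic digest of the number."""
    return hmac.new(TOKEN_KEY, card_number.encode(), hashlib.sha256).hexdigest()


# Trip store keyed by token, so the raw card number is never stored.
TRIPS = {tokenize(RIDER_CARD): ["Mon 08:02 entry, Station A",
                                "Mon 18:40 entry, Station B"]}
# Hypothetical account data: cards each account has verified, and live sessions.
ACCOUNT_CARDS = {"acct-1001": {tokenize(RIDER_CARD)}, "acct-2002": set()}
SESSIONS = {"sess-rider": "acct-1001", "sess-other": "acct-2002"}


def history_by_card_number(card_number: str) -> list:
    """Weak design: the card number is identifier and sole credential."""
    return TRIPS.get(tokenize(card_number), [])


def history_for_session(session_id: str, card_number: str) -> list:
    """Hardened design: authenticated session plus a card linked to it."""
    account = SESSIONS.get(session_id)
    if account is None:
        raise PermissionError("not authenticated")
    token = tokenize(card_number)
    if token not in ACCOUNT_CARDS[account]:
        raise PermissionError("card is not linked to this account")
    return TRIPS.get(token, [])
```

How a card becomes linked to an account (for example, a step proving possession of the card) is outside this sketch and is assumed to have happened already.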
The MTA experience highlights some of the potential hiccups that organizations are likely to encounter as they embrace tap-and-go payment models in the years ahead.
Contactless payment technologies have been around for years, but their use really exploded during the pandemic and has kept growing since. A blog post earlier this month by a senior executive at Fair, Isaac and Company (FICO), the primary credit scoring service in the US, estimates that the global value of the contactless payment market will reach $6.3 trillion by 2028, with the UK and Europe leading the way. The post identified contactless payments as giving banks and merchants a way to provide faster and frictionless transactions while fostering more convenience and ease for consumers.
For the moment, security concerns around the use of contactless payment technology are somewhat muted, and when they exist, they mainly have to do with the potential for payment card fraud. As the FICO blog noted: "The kind of fraud that takes place in the realm of contactless payments, is currently fairly unsophisticated — the accidental loss or deliberate theft of a debit or credit card. Criminals can make several purchases up to the limit before a PIN is needed."
