MTA Website 'Feature' Lets You Track Subway Riders' Locations (404media.co) 23
Slash_Account_Dot shares a report from 404 Media, written by cybersecurity journalist Joseph Cox: In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. During all this monitoring, I wasn't anywhere near the rider. I didn't even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system. With their consent, I had entered the rider's credit card information -- data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain -- and punched that into the MTA site for OMNY, the subway's contactless payments system. After a few seconds, the site churned out the rider's travel history for the past 7 days, no other verification required.
On the OMNY website, the MTA offers the ability for riders to "Check trip history." This feature works for people who use contactless bank cards when entering the subway, or other solutions like Apple Pay and Google Pay. The issue is that the feature requires no other authentication -- no account linked to an email, for example -- meaning that anyone with a target's details can enter it and snoop on their movements. The MTA does offer the option of an OMNY account, which requires a password. The website says having an account lets riders "Securely access your trip history." But the first option that appears on the trip history website is the unauthenticated version. After 404 Media raised the concerns to the MTA, a spokesperson said the agency will look into improving the system. "But at the moment, the tracking feature is still accessible without any authentication," notes Cox.
UPDATE 8/31/23: The MTA says it will disable the feature that leaked trip history.
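The report describes a lookup that releases trip history to whoever can type in a card number and expiry, details that every merchant the rider has paid also holds. The following added example, which is not MTA/OMNY code and uses constructed data and made-up names (`history_by_card`, `history_for_account`, `SessionStore`), models that design beside an account-bound one: trips are stored against a server-derived card token rather than the card number, and history is released only to an authenticated session whose account has linked that card.

```python
"""Trip-history lookup modelled two ways: keyed on card details alone (the
design the article describes) and bound to an authenticated account that has
linked the card. Constructed illustration, not MTA/OMNY code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

# Constructed: server-side key used to derive a card token. In production the
# payment processor issues the token and the card number never reaches the app.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def card_token(pan: str, exp: str) -> str:
    """Derive an opaque token so trips are stored against it, never the PAN."""
    return hmac.new(SERVER_KEY, f"{pan}|{exp}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Trip:
    station: str
    when: datetime


# Constructed sample trips for one test card number (a standard test PAN).
SAMPLE_PAN, SAMPLE_EXP = "4111111111111111", "12/26"
TRIPS = {
    card_token(SAMPLE_PAN, SAMPLE_EXP): [
        Trip("Station A", datetime(2023, 8, 19, 15, 4)),
        Trip("Station B", datetime(2023, 8, 19, 18, 30)),
        Trip("Station A", datetime(2023, 8, 1, 8, 15)),  # older than 7 days
    ]
}


def recent(trips, now: datetime, days: int = 7):
    """Keep only trips inside the trailing window the site exposes."""
    cutoff = now - timedelta(days=days)
    return [t for t in trips if t.when >= cutoff]


# Weak design: anyone who can type the card details gets the history. Card
# details are handed to every merchant, so they are not a secret and this
# check amounts to no authentication at all.
def history_by_card(pan: str, exp: str, now: datetime):
    return recent(TRIPS.get(card_token(pan, exp), []), now)


# Hardened design: the caller must hold a session for an account, and the
# card must already be linked to that account. Linking is a separate step
# that in a real system would itself require proof of control of the card;
# here it is just a method call.
@dataclass
class Account:
    email: str
    linked_tokens: set = field(default_factory=set)

    def link_card(self, pan: str, exp: str) -> None:
        self.linked_tokens.add(card_token(pan, exp))


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, account: Account) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = account
        return sid

    def account_for(self, sid: str):
        return self._sessions.get(sid)


def history_for_account(sessions: SessionStore, sid: str, token: str, now: datetime):
    account = sessions.account_for(sid)
    if account is None:
        raise PermissionError("authentication required")
    if token not in account.linked_tokens:
        # Same refusal whether or not the token exists: no oracle on card validity.
        raise PermissionError("card not linked to this account")
    return recent(TRIPS.get(token, []), now)


def is_denied(fn, *args) -> bool:
    """True if the lookup refuses access (used to check the hardened path)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

The contrast worth noting is what each design treats as the secret: the weak one relies on card details that are widely shared by design, while the hardened one relies on a session credential the rider alone holds and refuses lookups for cards the account has not linked.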
NYC (Score:1)
NYC Subway Website 'Feature' Lets You Track Riders' Locations
Oh No! (Score:1, Troll)
If you already have access to someone's credit card (that they use to pay for subway access) you can track when and where they used it to pay for subway access...
Um. Yeah. I guess we should be outraged over this?
Hmm.... (Score:2)
I feel like this isn't exactly "great", security-wise. Yet I can also see how some people just want to get on the subway and get from one place to another. They aren't interested in yet another login and password to remember, and the hassle of another account to set up.
The easy solution is probably not to provide any kind of trip history unless you have an actual account set up first? But realistically, this isn't a situation where you can't secure your trip info from prying eyes because they simply don't m
Re: (Score:2)
It's bait to convince people to sign up for accounts and give personal information to 'secure' their information. Otherwise /anyone/ could be tracking you.
A lot of people would not choose to opt in to tracking and set up an account to register to do it. Why do most people need it would be their logic. So they went the opposite route, so they can sell that information with actual details since they can't sell the identifying credit card information.
Harder to validate that it's tracking the same person and rea
The solution to that would be to fix credit cards.
The whole concept does not have the slightest security. You give out all that you need to charge your credit card to the pizza delivery guy!
Granted, when credit cards were designed, you were supposed to show the physical card at the point of sale, but still the whole strategy was to have fees high enough to cover for all fraud because that was still cheaper than adding any actual security.
Re: (Score:2)
This may explain yesterday's article regarding Visa and Mastercard raising credit card fees.
https://news.slashdot.org/stor... [slashdot.org]
"Without any authentication" (Score:3)
OK, make it require a 2FA text message as well. But I question calling the existing system "without any authentication."
Re: (Score:2, Insightful)
Ehh, the access codes for my money (such as credit card numbers) may be the most well-protected information I possess.
Most people give their credit card numbers to everyone they make credit card payments to. Which is usually a lot of people. They're not well-protected at all.
In related news... (Score:2)
The OMNY website will be rebranding to OMFG.
Re: (Score:2)
The telco doesn't provide that info to any member of the public who happens to know your CC # and expiration.
If someone "happens to know" my CC# and expiration, I have bigger problems to worry about, you absolute turnip.
Re: (Score:2)
The MTA decided that unlike every other transit agency in the world, it would not used stored value cards.
This is wrong in both directions: The MTA does use stored value cards in addition to credit/debit cards, and many other transit agencies in the world also use a combination of stored value and credit/debit cards. For example, I was in London a couple of weeks ago and used contactless credit card payment (both with a plastic card and my NFC-enabled phone and watch) for bus and tube rides all over the place. It was very convenient.
Even more tracking with an account (Score:1)
The problem is that if you create an account, then the MTA etc. can track you by name (or at least e-mail address).