MTA Website 'Feature' Lets You Track Subway Riders' Locations (404media.co) 23

Slash_Account_Dot shares a report from 404 Media, written by cybersecurity journalist Joseph Cox: In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. During all this monitoring, I wasn't anywhere near the rider. I didn't even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system. With their consent, I had entered the rider's credit card information -- data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain -- and punched that into the MTA site for OMNY, the subway's contactless payments system. After a few seconds, the site churned out the rider's travel history for the past 7 days, no other verification required.

On the OMNY website, the MTA offers the ability for riders to "Check trip history." This feature works for people who use contactless bank cards when entering the subway, or other solutions like Apple Pay and Google Pay. The issue is that the feature requires no other authentication -- no account linked to an email, for example -- meaning that anyone with a target's details can enter it and snoop on their movements. The MTA does offer the option of an OMNY account, which requires a password. The website says having an account lets riders "Securely access your trip history." But the first option that appears on the trip history website is the unauthenticated version.
After 404 Media raised the concerns to the MTA, a spokesperson said the agency will look into improving the system. "But at the moment, the tracking feature is still accessible without any authentication," notes Cox.

UPDATE 8/31/23: The MTA says it will disable the feature that leaked trip history.
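The design flaw described above comes down to what the lookup is keyed on: card number plus expiry is treated as a secret, even though every merchant the rider pays already holds it. The following is an added example, not MTA or OMNY code and not anything from the 404 Media report; the trip records, account names, test PAN (4111111111111111) and the pepper constant are all constructed for illustration. It puts the weak lookup beside a hardened variant in which history is released only to an authenticated account that has explicitly linked the card.

```python
import hashlib
import hmac
import secrets

# Server-side key for deriving an opaque card token; in a real deployment this
# belongs in an HSM or secrets manager. Constructed value for this example.
CARD_TOKEN_KEY = b"example-only-pepper"


def card_token(pan: str, expiry: str) -> str:
    """Derive an opaque lookup key so the raw PAN is never stored with trip data."""
    return hmac.new(CARD_TOKEN_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()


# Constructed sample trip history keyed by card token (test PAN, not a real card).
TRIPS = {
    card_token("4111111111111111", "12/27"): [
        ("2023-08-12T15:02", "Times Sq-42 St", "entry"),
        ("2023-08-12T18:41", "Atlantic Av-Barclays Ctr", "entry"),
    ],
}


def trip_history_weak(pan: str, expiry: str) -> list:
    """The design the article describes: knowing the card details is the only check.
    Anyone who holds them (a merchant, a breach dump, an abusive partner) gets the
    rider's movements."""
    return list(TRIPS.get(card_token(pan, expiry), []))


# --- Hardened variant: history is tied to an authenticated account, and only for
# --- cards that account has linked.

ACCOUNTS: dict = {}   # email -> {"salt", "pw", "cards"}
SESSIONS: dict = {}   # session id -> email


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(email: str, password: str, linked_cards=()) -> None:
    """Create an account; linking a card is an explicit, authenticated act."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = {
        "salt": salt,
        "pw": _hash_password(password, salt),
        "cards": {card_token(p, e) for p, e in linked_cards},
    }


def login(email: str, password: str):
    """Return a random session id on success, None otherwise."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    if not hmac.compare_digest(acct["pw"], _hash_password(password, acct["salt"])):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    return sid


def trip_history_hardened(session_id: str, pan: str, expiry: str):
    """Release trip history only to a logged-in account that linked this card.
    Returns None when access is denied (distinct from an empty list for no trips)."""
    email = SESSIONS.get(session_id)
    if email is None:
        return None                      # no authenticated session
    token = card_token(pan, expiry)
    if token not in ACCOUNTS[email]["cards"]:
        return None                      # card belongs to someone else, or is unlinked
    return list(TRIPS.get(token, []))


if __name__ == "__main__":
    print("weak lookup, card details only:", trip_history_weak("4111111111111111", "12/27"))
    register("rider@example.com", "correct horse battery", [("4111111111111111", "12/27")])
    sid = login("rider@example.com", "correct horse battery")
    print("hardened, authenticated owner:", trip_history_hardened(sid, "4111111111111111", "12/27"))
    print("hardened, no session:", trip_history_hardened("bogus", "4111111111111111", "12/27"))
```

The point of the hardened path is that card details are demoted from credential to selector: they choose which linked card's trips to show, but the authorization decision rests on the session and on the account having linked that card. A real service would also rate-limit lookups and log them, since the weak endpoint is otherwise a silent oracle for anyone holding stolen card data.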

  • Oh No! (Score:1, Troll)

    by Local ID10T ( 790134 )

    If you already have access to someone's credit card (that they use to pay for subway access) you can track when and where they used it to pay for subway access...

    Um. Yeah. I guess we should be outraged over this?

    /nonstory

    • Re:Oh No! (Score:4, Insightful)

      by b0s0z0ku ( 752509 ) on Wednesday August 30, 2023 @07:34PM (#63810674)
      Yes, this is fucking outrageous ... mere access to a CC number/exp date shouldn't allow you to view a person's spending without authorization. This should only be available if you know the bank login/PW.
    • Yes, this is outrageous. Next thing that MTA app will do is hint at which passengers are the best mugging candidates based on what they have in their wallets.
  • I feel like this isn't exactly "great", security-wise. Yet I can also see how some people just want to get on the subway and get from one place to another. They aren't interested in yet another login and password to remember, and the hassle of another account to set up.

    The easy solution is probably not to provide any kind of trip history unless you have an actual account set up first? But realistically, this isn't a situation where you can't secure your trip info from prying eyes because they simply don't m

    • by Tyr07 ( 8900565 )

      It's bait to convince people to sign up for accounts and give personal information to 'secure' their information. Otherwise /anyone/ could be tracking you.

      A lot of people would not choose to opt in to tracking and setup an account to register to do it. Why do most people need it would be their logic. So they went the opposite route, so they can sell that information with actual details since they can't sell the identifying credit card information.

      Harder to validate that it's tracking the same person and rea

    • Yep, that's the correct solution -- if you want trip history, create an account. Don't leak people's personal information to the Internet without their consent.
    • The solution to that would be to fix credit cards.

      The whole concept does not have the slightest security. You give out all that you need to charge your credit card to the pizza delivery guy!

      Granted, when credit cards were designed, you were supposed to show the physical card at the point of sale, but still the whole strategy was to have fees high enough to cover for all fraud because that was still cheaper than adding any actual security.

      • by wings ( 27310 )

        ...the whole strategy was to have fees high enough to cover for all fraud because that was still cheaper than adding any actual security.

        This may explain yesterdays article regarding Visa and Mastercard raising Credit-Card fees.
        https://news.slashdot.org/stor... [slashdot.org]

  • by timeOday ( 582209 ) on Wednesday August 30, 2023 @06:27PM (#63810530)
    Ehh, the access codes for my money (such as credit card numbers) may be the most well-protected information I possess.

    OK, make it require a 2FA text message as well. But I question calling the existing system "without any authentication."

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Ehh, the access codes for my money (such as credit card numbers) may be the most well-protected information I possess.

      Most people give their credit card numbers to everyone they make credit card payments to. Which is usually a lot of people. They're not well-protected at all.

  • The OMNY website will be rebranding to OMFG.

  • The problem is that if you create an account, then MTA etc. can track you by name (or at least e-mail address).
