New York City Transit Has A Flaw Where You Can Be Tracked Via Your Credit Card Number… And Apple Pay Is Affected By This Flaw

From the “what the actual hell” department comes this story from 404 Media: a flaw in the New York City transit fare system allows anyone to track a rider if they know the rider’s credit card number and expiry date.

In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. 

During all this monitoring, I wasn’t anywhere near the rider. I didn’t even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system.

With their consent, I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—and punched that into the MTA site for OMNY, the subway’s contactless payments system. After a few seconds, the site churned out the rider’s travel history for the past 7 days, no other verification required.

That’s bad, to say the least. But what makes this worse is that Apple Pay, which is supposed to be immune from this sort of attack, is affected by it too:

404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay. Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems. Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.

This is unacceptable, because Apple advertises Apple Pay as safer than using your credit card directly: Apple is supposed to hand the merchant a one-time, unique representation of your card and, through some magic on the back end, reconcile everything to your actual card. In short, the merchant should not have access to your actual card number. But in this case they clearly do. So is Apple lying about how Apple Pay works? That sounds harsh, but it’s a question one must ask based on the facts above, and it would be in Apple’s interest to answer it quickly and transparently.
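To make the design problem concrete, here is an added toy model (my own example, not MTA code) of a fare system’s trip-history lookup. The first function reproduces the flaw the article describes: the card number and expiry are the only credential, so anyone holding that data gets the 7-day history. The second is an assumed hardened design that releases history only to an authenticated account that already linked the card; the card data, stations, and dates are constructed samples.

```python
import hashlib
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data (not real cards or riders). The tap log is keyed by a hash
# of the card credentials so the service never has to keep the raw card number.
def card_key(card_number: str, expiry: str) -> str:
    return hashlib.sha256(f"{card_number}|{expiry}".encode()).hexdigest()

TAPS = {
    card_key("4111111111111111", "12/27"): [
        (datetime(2023, 8, 5, 15, 2), "Times Sq-42 St"),
        (datetime(2023, 8, 5, 18, 40), "Atlantic Av"),
        (datetime(2023, 7, 20, 9, 0), "Atlantic Av"),  # older than 7 days, outside window
    ],
}
NOW = datetime(2023, 8, 6, 12, 0)


def trip_history_unverified(card_number: str, expiry: str, now: datetime = NOW) -> list:
    """The flawed design the article describes: knowing the card number and expiry
    is the only credential, so whoever holds that data gets the 7-day history."""
    cutoff = now - timedelta(days=7)
    return [t for t in TAPS.get(card_key(card_number, expiry), []) if t[0] >= cutoff]


# Hardened model (an assumption, not the MTA's design): history is released only to an
# authenticated account that proved ownership of the card in a separate linking step,
# so card data obtained elsewhere is not sufficient on its own.
ACCOUNTS = {"rider@example.com": {card_key("4111111111111111", "12/27")}}


class NotAuthorized(Exception):
    pass


def trip_history_hardened(session_user: Optional[str], card_number: str, expiry: str,
                          now: datetime = NOW) -> list:
    linked = ACCOUNTS.get(session_user or "", set())
    if card_key(card_number, expiry) not in linked:
        # Same response whether the card is unknown or merely not linked, so the
        # endpoint cannot be used to confirm that a given card is in use on the system.
        raise NotAuthorized("card is not linked to an authenticated account")
    return trip_history_unverified(card_number, expiry, now)
```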
