
Researcher claims MTA subway flaw beats Apple Pay security

MTA turnstiles in New York


A researcher who was able to track people's use of the MTA subway system in New York says that the same methodology exposes an Apple Pay vulnerability, but it is not clear that it actually does.

New York City added Apple Pay support to all subway stations back in 2020, after a delayed plan over Apple's Express Transit service.

Now Joseph Cox of 404media claims to have uncovered a startlingly basic weakness in MTA's systems, and that it also compromises Apple Pay. Cox recounts tracking a traveler using their credit card details and, without further explanation, says the same is possible if they pay with the seemingly far more secure Apple Pay.

"I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system," writes Cox. "With their consent, I had entered the rider's credit card information — data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain — and punched that into the MTA site for OMNY, the subway's contactless payments system."

"After a few seconds," he continued, "the site churned out the rider's travel history for the past 7 days, no other verification required."

If correct, this is unquestionably a serious security issue for MTA. In an email to Cox stressing that it "is committed to maintaining customer privacy," MTA pointed out that it solely records the traveler's point of entry, not their point of exit.

That's nonsense, though, because a stalker or other criminal can simply wait for the traveler to make a return journey; the entry points of the two legs together reveal what is probably their entire route.

So MTA's system is flawed, but the real question concerns Apple Pay, since that should be impervious to any credit card-related security issue. At the point of transaction, Apple Pay does not relay the user's credit card details at all; rather, it provides a one-time verification code in their place.

Consequently, because he and others at 404media say they could perform the same tracking when Apple Pay is used, Cox concludes that Apple Pay is compromised.

However, the results have yet to be replicated, and there is also the question of just what constitutes the point of transaction.

Cox is not very clear on this point, but he says that to access a user's MTA history he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system.

So if a traveler has registered with an Apple Card, for instance, then it doesn't seem like a compromise if a payment on that account is triggered at the turnstile.

"Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay," wrote Cox.
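The distinction the article is circling is between a trip-history lookup that is gated only by knowledge of a card number and one that is scoped to an authenticated account, plus the fact that a wallet tap presents a device account number rather than the card's own number. The following toy model is an added illustration, not MTA, OMNY or Apple code, and does not describe how OMNY's site actually works. Everything in it is constructed for the example: the `TransitBackend` class, the `issue_dpan` provisioning stand-in, the card numbers, station names and timestamps. It shows the weak lookup beside an account-scoped one.

```python
"""Toy model of a transit trip-history lookup (constructed illustration).

Assumptions, all made up for this example:
  * a physical card taps with its own number (PAN);
  * a wallet tap presents a per-device account number (DPAN) instead;
  * the backend stores each entry tap under whatever number the reader saw.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets


@dataclass
class Tap:
    credential: str  # the number the reader saw: a card PAN or a wallet DPAN
    station: str
    time: str        # constructed timestamp string


@dataclass
class Account:
    account_id: str
    salt: bytes
    pw_hash: bytes
    credentials: set = field(default_factory=set)  # PANs/DPANs enrolled by the owner


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_dpan(pan: str) -> str:
    """Stand-in for wallet provisioning: the device gets its own 16-digit
    number, so a reader never sees the real PAN. (Constructed; not Apple's scheme.)"""
    while True:
        dpan = "".join(str(secrets.randbelow(10)) for _ in range(16))
        if dpan != pan:
            return dpan


class TransitBackend:
    def __init__(self) -> None:
        self.taps: list = []
        self.accounts: dict = {}
        self.sessions: dict = {}  # session token -> account_id

    def record_tap(self, credential: str, station: str, time: str) -> None:
        self.taps.append(Tap(credential, station, time))

    # Weak design: knowing the card number is the only check, so anyone who
    # holds the number (e.g. from a data leak) can pull the rider's history.
    def history_by_card_number(self, number: str) -> list:
        return [t for t in self.taps if t.credential == number]

    # Hardened design: history is returned only to an authenticated account,
    # and only for the credentials that account's owner enrolled.
    def register(self, account_id: str, password: str, credentials) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = Account(
            account_id, salt, _hash_pw(password, salt), set(credentials))

    def login(self, account_id: str, password: str) -> Optional[str]:
        acct = self.accounts.get(account_id)
        if acct is None or not hmac.compare_digest(
                acct.pw_hash, _hash_pw(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        return token

    def history_for_session(self, token: str) -> list:
        account_id = self.sessions.get(token)
        if account_id is None:
            raise PermissionError("no valid session")
        creds = self.accounts[account_id].credentials
        return [t for t in self.taps if t.credential in creds]


def demo() -> dict:
    """Run both designs over a few constructed taps and report what each returns."""
    be = TransitBackend()
    pan = "4111111111111111"  # constructed test card number
    dpan = issue_dpan(pan)    # what the wallet presents at the reader instead
    be.record_tap(pan, "Times Sq-42 St", "2023-08-01T08:02")
    be.record_tap(dpan, "Union Sq", "2023-08-01T18:40")
    be.record_tap("5555444433331111", "Astoria Blvd", "2023-08-01T09:15")  # another rider
    # Weak endpoint: the PAN alone yields the physical-card tap, but not the
    # wallet tap, because that was recorded under the DPAN.
    leaked = be.history_by_card_number(pan)
    # Hardened endpoint: the rider who owns both numbers logs in and sees both;
    # nobody else's taps are included, and no session means no history.
    be.register("rider-1", "correct horse", {pan, dpan})
    token = be.login("rider-1", "correct horse")
    owned = be.history_for_session(token)
    return {"leaked_stations": [t.station for t in leaked],
            "owned_stations": [t.station for t in owned],
            "bad_login": be.login("rider-1", "wrong"),
            "dpan_differs": dpan != pan}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the gate, not the data: in the hardened path the card number is never a lookup key that an outsider can supply; it is only an attribute of an account that has already proved ownership, which is the property the commenters below describe for registered OMNY cards.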



6 Comments

ancha 3 Years · 2 comments

Your article says: "he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system."

Just to clarify: if the rider registers a card with OMNY, that seems to indicate they have an account with the system, and that means that the trip history is secure. The exploit of displaying trip history with just the credit card number does not work if a card is registered via an OMNY account, as far as I can tell (with my registered card). 

And OMNY's website says

"When you add your bank card to your digital wallet, it will create a device account number. The device account number is different for each smart device that you use. The last four digits of each device account number will appear in your OMNY account when you tap your smart device at OMNY readers." 



mknelson 9 Years · 1148 comments

ancha said:
Your article says: "he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system."

Just to clarify: if the rider registers a card with OMNY, that seems to indicate they have an account with the system, and that means that the trip history is secure. The exploit of displaying trip history with just the credit card number does not work if a card is registered via an OMNY account, as far as I can tell (with my registered card). 

And OMNY's website says

"When you add your bank card to your digital wallet, it will create a device account number. The device account number is different for each smart device that you use. The last four digits of each device account number will appear in your OMNY account when you tap your smart device at OMNY readers." 

Thanks for the details.

It looks like the card number entered on the website links to the rider's account, that account is showing the history of the transactions on the OMNY account, not specifically the transactions on the card.

ancha 3 Years · 2 comments

mknelson said:
It looks like the card number entered on the website links to the rider's account, that account is showing the history of the transactions on the OMNY account, not specifically the transactions on the card.

Because I have an account, when I'm logged into the website, I can see a menu that lets me choose among my registered cards, either one card at a time, or all together.  For registered cards, there is no searching by credit card number (by myself or by others), but only selection from the menu when logged on. (I'm a senior, and only one card/device gets the discounted rate.)

entropys 13 Years · 4316 comments

Still trying to get my head around this: does a user have to register their credit card details in their OMNY account? If so, that is the more likely path.
Or is it that you don't register the details, it is the payment record?

In any case, this dude is linking it to Apple for the media attention, which he would not get if he just mentioned OMNY.

FileMakerFeller 6 Years · 1561 comments

This is 100% an issue with the MTA website and not with Apple Pay.