A researcher who was able to track people's use of the MTA subway system in New York, says that the same methodology exposes an Apple Pay vulnerability — but it's not clear if it actually does.
Now Joseph Cox of 404media, claims to have uncovered a startlingly poor weakness in MTA's systems — and that it also compromises Apple Pay. Cox recounts tracking a traveler using their credit card details and, without further explanation, says the same is possible if they pay with the seemingly far more secure Apple Pay.
"I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system," writes Cox. "With their consent, I had entered the rider's credit card information — data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain — and punched that into the MTA site for OMNY, the subway's contactless payments system."
"After a few seconds," he continued, "the site churned out the rider's travel history for the past 7 days, no other verification required."
If correct, this is unquestionably a serious security issue for MTA. In an email to Cox stressing that it "is committed to maintaining customer privacy," MTA pointed out at it solely records the point of entry of the traveler, not their point of exit.
That's nonsense, though, because a stalker or other criminal can just wait for the traveler to make a return journey and they have what is probably their entire route.
So MTA's system is flawed, but the real question concerns Apple Pay since that should be impervious to any credit card-related security issues. At the point of transaction, Apple Pay does not relay a user's credit card information at all, rather it provides a one-time verification code.
Consequently Cox concludes that since he or others in 404media say that they could perform the same tracking when Apple Pay is used, that Apple Pay is compromised.
However, the results have yet to be replicated — and there is also an issue of just what constitutes the point of transaction.
Cox is not very clear on this issue, but he says that to access a user's MTA history, he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system.
So if a traveler has registered with an Apple Card, for instance, then it doesn't seem a compromise if a payment on that account is triggered at the turnstile.
"Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay," wrote Cox.