New York's Metropolitan Transportation Authority (MTA) has disabled a feature associated with its contactless payment system for the city's subway system, following a report showing how easily someone could abuse it to access another individual's trip history for the prior seven days.
The report by 404 Media described how anyone with access to a credit card number that another individual might have used to tap-and-pay for subway rides could then use the card to track the individual's movement on the subway system. All that someone needed to do was to enter the card number into the MTA's One Metro New York (OMNY) website to pull up the associated account holder's trip-history for the preceding week — without any additional verification.
In addition to someone having physical access to another individual's wallet, credit card numbers are also easily available in underground markets for anyone willing to buy them. A report that Comparitech released in August showed that the average Dark Web price for basic credit card information — including card number, CVV, expiration date, and cardholder name — is $17.36. The prices are tied to the available credit on a stolen card and go into the hundreds of dollars for cards with high credit limits. Just buying a number, though, is likely much more affordable.
A Stalking Threat
OMNY's trip history information shows only the point of entry into the subway system, not the exit point. Even so, the data is enough for an abuser to stalk victims or for someone to track an individual or narrow down where they might live, the 404 Media article warned. The report quoted a privacy expert who expressed concern over how the MTA appeared to have used an individual's credit card number as the primary identifier and did not require so much as a PIN to authenticate that identity.
In an emailed statement to Dark Reading, MTA spokesman Eugene Resnick said the transit authority has temporarily suspended the trip history feature on its OMNY website. “This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account," Resnick said. "As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”
Meanwhile, MTA continues to give subway riders the option to pay for their travel with cash and is willing to consider input from safety experts on potential improvements to the contactless payment option, he noted.
MTA formally introduced its contactless tap-to-pay option for subway rides four years ago, in June 2019. The option allows riders to pay for rides using their contactless credit or debit cards. Risers also have the option to use mobile wallets such as Google Pay and Apple Pay to pay for rides by simply tapping their smart devices at OMNY readers installed in the city's subway system.
The MTA itself does not store or see the actual card number. Rather, all card numbers are tokenized — or obfuscated — as an additional security precaution. According to the MTA, this allows transactions to be processed and trip histories to be generated without the MTA ever knowing the actual credit card number.
The MTA experience highlights some of the potential hiccups that organizations are likely to encounter as they embrace tap-and-go payment models in the years ahead.
Muted Security Concerns for the Moment
Contactless payment technologies have been around for years, but their use really exploded during the pandemic and has kept growing since. A blog post earlier this month by a senior executive at Fair, Isaac and Company (FICO) the primary credit scoring service in the US, estimates the global value of the contactless payment market to reach $6.3 trillion by 2028, with the UK and Europe leading the way. The post identified contactless payments as enabling banks and merchants a way to provide faster and frictionless transactions while fostering more convenience and ease for consumers.
For the moment, security concerns around use of the contactless payment technology are somewhat muted, and when they exist, it mainly has to do with the potential for payment card fraud. As the FICO blog noted: "The kind of fraud that takes place in the realm of contactless payments, is currently fairly unsophisticated — the accidental loss or deliberate theft of a debit or credit card. Criminals can make several purchases up to the limit before a PIN is needed."