For the past few years, a new payment system has been rolling out on New York City’s trains and buses: OMNY, a modern, credit card-based replacement for the old MetroCard system. OMNY is simple, replacing single-purpose reloadable MetroCards with contactless readers on turnstiles that accept the contactless payment methods you likely already use regularly. But OMNY has a data-driven dark side — your full ride history, available online to anyone with your credit card number, according to a new report.
404 Media investigated OMNY’s rider tracking and found that any rider’s tap history can be easily obtained online, secured only by a credit card number. This means that anyone with access to a person’s cards — a roommate, an abusive partner, a pickpocket, or someone who purchased information from a data breach — can track which subway stations they enter every day. From 404 Media:
With their consent, I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—and punched that into the MTA site for OMNY, the subway’s contactless payments system. After a few seconds, the site churned out the rider’s travel history for the past 7 days, no other verification required.
…
“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF) and who has extensively researched how abusive partners use technology, told 404 Media. “Credit card info is not a goddamn unique identifier.”
…
To fix this issue “literally all that the MTA needed to do was add a PIN or password,” Galperin added.
We’ve all long suspected that the OMNY system was tracking our every move, and sometimes it sucks to be right. Welcome to your new cyberpunk reality, everybody. It’s not changing any time soon.