In a shocking revelation, a critical security flaw within the New York City subway system has come to light, exposing a gaping vulnerability that enables anyone armed with a user’s credit card number and expiry date to track their journeys spanning the past week.
The issue takes an even more disconcerting turn as it extends to journeys where Apple Pay was utilized for station entry. This occurrence seems utterly implausible given the supposed imperviousness of Apple’s security measures.
While traditional metro systems initially relied on dedicated transit cards, most have now embraced the convenience of contactless payment cards, a development that has also ushered in the integration of Apple Pay.
To further streamline the access process through entry and exit points, Apple introduced the Apple Pay Express Transit feature. If enabled, this feature negates the standard authentication steps, such as Face ID verification or side-button pressing on an unlocked Apple Watch. Instead, users can effortlessly tap their devices on the contactless payment pad.
Though this could potentially lead to misuse if the physical device is compromised, transactions are vigilantly monitored to ensure conformity with the usage patterns expected from a single commuter. Consequently, the risk of fraudulent activities remains minimal. Notably, the array of other security facets associated with Apple Pay, including single-use codes, remains in effect.
The rollout of Apple Pay Express Transit within the New York City subway system commenced in May 2019, culminating in full station coverage by the close of 2020.
Overseeing this sprawling subway network is the Metropolitan Transportation Authority (MTA). While the MTA website does grant account creation, necessitating authentication for journey log access, it also provides instant entry to the preceding week’s travel history using only card details.
Incredibly, solely the credit card number and expiry date are requisite—no requirement for the customary three- or four-digit security code found on physical cards. Astonishingly, everything necessary to retrieve a week’s worth of travel history is right on the face of most payment cards.
An experiment conducted by 404Media underscored this glaring privacy lapse by voluntarily tracking an individual via their credit card particulars.
On a recent Saturday afternoon, this individual entered the New York subway system. Knowing their entry station and the precise time, the observer could then see, hours later, that they had passed through another station. Continuing to watch would likely have revealed their habitual starting station, situated near their residence, and a predictable commuting time would have become evident as well.
Remarkably, this surveillance transpired devoid of any physical proximity. The tracking unfolded within the confines of an apartment, utilizing a feature within the Metropolitan Transportation Authority (MTA) website, the entity responsible for the city’s subway system.
With consent secured, the participant’s credit card information was entered; in a real attack, such details are typically obtained through underground markets or from an abusive partner. These details were then punched into the MTA’s OMNY, the contactless payment system for the subway. Within moments, the site yielded a week-long travel history, necessitating no further authentication.
In theory, Apple Pay is fortified against such vulnerabilities. Rather than transmitting actual payment card information, a one-time code (payment cryptogram) and a device number are dispatched to payment terminals.
While banks can algorithmically reconcile these elements with the legitimate card account, neither Apple nor the merchant should access the true card details. The MTA, in this context, constitutes the merchant, and it should have no way to obtain a user’s authentic card number. Yet the investigation showed that entering the card number also revealed all Apple Pay transactions.
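To make the two design points concrete, here is an added example of a toy trip-history service. It is a hypothetical model written for this page, not MTA, OMNY or Apple code, and every name in it (TripHistoryService, card_ref, the constructed card and token numbers) is an assumption. It contrasts the unauthenticated lookup keyed on printed card number plus expiry with a lookup served only to a logged-in account that has bound the card, and it models tokenisation as the article describes it: a wallet tap presents a device number rather than the funding card number, so a store that only ever saw the device number cannot be queried with the printed card details. The page reports that the real lookup nevertheless returned Apple Pay trips, and gives no mechanism for that; the model shows only the property that tokenisation is supposed to provide.

```python
# Added example (hypothetical model, not MTA/OMNY or Apple code): a toy transit
# trip-history service contrasting an unauthenticated lookup keyed on card
# number + expiry with an account-bound lookup, plus a model of wallet
# tokenisation where the reader sees a device number, not the funding PAN.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed server-side secret; a real deployment keeps this in an HSM/KMS.
_PEPPER = b"example-pepper-not-a-real-secret"


def card_ref(number: str, expiry: str) -> str:
    """Opaque reference derived from number + expiry. The store never keeps the
    raw number; HMAC with a server secret means the reference cannot be
    recomputed offline from leaked records."""
    return hmac.new(_PEPPER, f"{number}|{expiry}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Tap:
    ref: str          # card_ref of whatever number the reader actually saw
    station: str
    when: datetime


@dataclass(frozen=True)
class Session:
    user_id: str      # present only after the rider has logged in


class TripHistoryService:
    def __init__(self) -> None:
        self._taps: List[Tap] = []
        self._bindings: Dict[str, Set[str]] = {}   # user_id -> bound card refs

    # Reader side: the gate records a tap under the number it was presented.
    def record_tap(self, number: str, expiry: str, station: str, when: datetime) -> None:
        self._taps.append(Tap(card_ref(number, expiry), station, when))

    # Account side: binding is where proof of card possession belongs
    # (e.g. a verification charge), not on every history request.
    def bind_card(self, session: Session, number: str, expiry: str) -> None:
        self._bindings.setdefault(session.user_id, set()).add(card_ref(number, expiry))

    def history_by_card_details(self, number: str, expiry: str, now: datetime) -> List[Tap]:
        """Weak design the article describes: anyone holding the printed number
        and expiry gets the last seven days with no login."""
        return self._last_week(card_ref(number, expiry), now)

    def history_for_account(self, session: Optional[Session], now: datetime) -> List[Tap]:
        """Hardened design: history is served only for cards bound to the
        authenticated account; card details alone are not a credential."""
        if session is None:
            raise PermissionError("login required")
        refs = self._bindings.get(session.user_id, set())
        return sorted((t for r in refs for t in self._last_week(r, now)), key=lambda t: t.when)

    def _last_week(self, ref: str, now: datetime) -> List[Tap]:
        cutoff = now - timedelta(days=7)
        return [t for t in self._taps if t.ref == ref and t.when >= cutoff]


def demo() -> dict:
    """Constructed scenario; returns the facts a caller can check."""
    now = datetime(2023, 8, 20, 12, 0)
    svc = TripHistoryService()

    # Physical card: the reader sees the funding number printed on the card.
    pan, pan_exp = "4111111111111111", "12/26"          # constructed test number
    svc.record_tap(pan, pan_exp, "Times Sq-42 St", now - timedelta(days=1, hours=3))
    svc.record_tap(pan, pan_exp, "Brooklyn Bridge", now - timedelta(days=1))
    svc.record_tap(pan, pan_exp, "Old trip", now - timedelta(days=9))   # outside window

    # Wallet tap: the reader sees a device number (and a one-time cryptogram,
    # not modelled here); the funding number is never presented.
    dan, dan_exp = "4999000011112222", "03/27"          # constructed device number
    svc.record_tap(dan, dan_exp, "Union Sq", now - timedelta(hours=5))

    rider = Session(user_id="rider-1")
    svc.bind_card(rider, pan, pan_exp)

    try:
        svc.history_for_account(None, now)
        anonymous_rejected = False
    except PermissionError:
        anonymous_rejected = True

    by_details = svc.history_by_card_details(pan, pan_exp, now)
    return {
        # weak path: printed details alone reveal the week's taps
        "weak_lookup_count": len(by_details),
        # a store keyed on the device number cannot be queried with the funding number
        "pan_sees_wallet_tap": any(t.station == "Union Sq" for t in by_details),
        # hardened path: login plus a bound card
        "account_lookup_count": len(svc.history_for_account(rider, now)),
        "anonymous_rejected": anonymous_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where possession of the card is proven: once, at binding time, under an authenticated account, rather than implicitly on every history request by treating the two numbers printed on the card as a secret.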
Astoundingly, even when employing Apple Pay for payment, the MTA’s trip history feature continued functioning.
In response, Apple maintained that it neither stores nor has access to used card numbers, withholding this information from merchants, including transit systems.
Curiously, Apple refrained from addressing queries about the functionality of the MTA website feature when Apple Pay is employed by a commuter.
In a glaring confluence of technological intricacies and security concerns, this revelation underscores the unexpected vulnerabilities that can lurk even within the seemingly invincible realm of Apple Pay.