New York’s subway pass system has turned off a feature that could enable others to track your travels if they have access to your bank card number. In a statement to The Verge, Metropolitan Transportation Authority spokesperson Eugene Resnick says the agency “disabled the feature” as part of its “ongoing commitment to customer privacy.”
The MTA’s OMNY system is a contactless subway pass option that lets you pay for a fare by tapping your phone or bank card at a station. However, a report published by 404 Media on Wednesday found that anyone with your card number and expiration date can see your rides within the past seven days through OMNY’s “trip history” feature.
“This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account,” Resnick tells The Verge. “As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.” The page that allowed for easy tracking now simply redirects to the OMNY homepage.
OMNY’s vulnerability raised serious concerns about stalkers or other bad actors using this feature to track victims. The Surveillance Technology Oversight Project (STOP) condemned the MTA for its oversight. “We warned that law enforcement could easily turn OMNY into a tracking device that logs every rider’s movements,” Will Owen, STOP communications director, said in a statement. “But the ‘Check Trip History’ feature shows how susceptible OMNY data also is to stalkers, abusers, and really anyone with a quick glance at your credit card information.”