
The New York subway’s ride tracker has a scary security loophole

New York’s OMNY subway pass system is supposed to make the lives of its riders easier, but as a 404 Media investigation highlights, it makes tracking your movement a little bit too easy — posing dangers for anyone at risk of stalking or harassment.

If you tap a bank card to ride the subway, a “trip history” feature on the OMNY website will reveal your past seven days’ worth of trips — including the time and station of entry — to anyone with access to your card number and expiration date. Since it’s not unusual for card numbers to be compromised either online or through someone (like a housemate or partner) briefly getting access to a wallet, that creates an easy-to-miss security hole for people facing things like intimate partner violence. 404 was also able to track trip history for people who rode the subway using a bank card stored with the Apple Pay app, although a couple of Verge staff members who ride the subway using Apple and Google Pay weren’t able to find their own ride histories through the site.

New York Metropolitan Transportation Authority spokesperson Eugene Resnick said in a statement that the MTA is “committed” to user privacy. “The trip history feature gives customers a way to check their paid and free trip history for the last seven days without having to create an OMNY account,” says Resnick. “We also give customers the option of paying for their OMNY travel with cash. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.” Apple and Google didn’t immediately respond to requests for comment.

Resnick notes that the MTA does not store a copy of the credit card number itself (it uses a token identifier associated with the card) and that it notes only your point of entry, not your exit. (Unlike some systems, NYC’s subway doesn’t ask riders to tap a card on their way out, so this data simply isn’t recorded.) But a frequent entry point will still likely reveal the neighborhood where a rider lives or works and a rough schedule of their movements, which is enough to seriously compromise their privacy. It’s possible to create an account on OMNY’s site and associate it with your ride history, but The Verge hasn’t yet been able to confirm whether that will prevent pulling up the details with the card number alone. That suggests the only surefire way to avoid tracking is to either use the old MetroCard system — which is being retired in 2024 — or buy an OMNY card with cash and keep it physically secure.

As 404 notes, the MTA could make OMNY’s tracking more secure by requiring a PIN or password in addition to card details. This might not completely remove the risk, but it would make it easier to keep your ride history under your own control — something that, right now, seems dangerously hard to do.
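The following sketch is an added example, not OMNY's or the MTA's code. It models a trip-history lookup keyed on a card token, first gated by card details alone and then by card details plus a rider-chosen PIN. The token scheme, PIN enrollment step, lockout threshold and every name in it are assumptions made for illustration.

```python
import hashlib, hmac, os

TOKEN_KEY = os.urandom(32)   # assumed server-side secret used to tokenise cards
WINDOW = 7 * 24 * 3600       # the article: history covers the past seven days
MAX_FAILS = 5                # assumed lockout threshold for wrong PINs

def card_token(pan, expiry):
    """Identifier stored in place of the card number (constructed scheme)."""
    return hmac.new(TOKEN_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256).hexdigest()

def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TripHistory:
    def __init__(self):
        self.trips = {}   # token -> [(epoch_seconds, entry_station)]
        self.pins = {}    # token -> (salt, pin_hash)
        self.fails = {}   # token -> consecutive failed PIN attempts

    def record_entry(self, pan, expiry, station, when):
        # Only the point of entry is recorded, as the article notes.
        self.trips.setdefault(card_token(pan, expiry), []).append((when, station))

    def enroll_pin(self, pan, expiry, pin):
        salt = os.urandom(16)
        self.pins[card_token(pan, expiry)] = (salt, hash_pin(pin, salt))

    def _recent(self, token, now):
        return [t for t in self.trips.get(token, []) if now - t[0] <= WINDOW]

    def lookup_card_only(self, pan, expiry, now):
        """Behaviour the article describes: card details alone unlock history."""
        return self._recent(card_token(pan, expiry), now)

    def lookup_with_pin(self, pan, expiry, pin, now):
        """Suggested fix: also require a secret that is not printed on the card."""
        token = card_token(pan, expiry)
        # No PIN enrolled, or too many wrong guesses: refuse without detail.
        if token not in self.pins or self.fails.get(token, 0) >= MAX_FAILS:
            return None
        salt, stored = self.pins[token]
        if not hmac.compare_digest(stored, hash_pin(pin, salt)):
            self.fails[token] = self.fails.get(token, 0) + 1
            return None
        self.fails[token] = 0
        return self._recent(token, now)
```

The lockout matters because a four-digit PIN has only 10,000 values; without it, the second factor adds little against someone who already holds the card details.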
