Researcher claims MTA subway flaw beats Apple Pay security

Posted:
in iOS edited August 2023

A researcher who was able to track people's use of the MTA subway system in New York, says that the same methodology exposes an Apple Pay vulnerability -- but it's not clear if it actually does.

MTA turnstiles in New York
MTA turnstiles in New York



New York City added Apple Pay support to all subway stations back in 2020, after a delayed plan over Apple's Express Transit service.

Now Joseph Cox of 404media, claims to have uncovered a startlingly poor weakness in MTA's systems -- and that it also compromises Apple Pay. Cox recounts tracking a traveler using their credit card details and, without further explanation, says the same is possible if they pay with the seemingly far more secure Apple Pay.

"I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system," writes Cox. "With their consent, I had entered the rider's credit card information -- data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain -- and punched that into the MTA site for OMNY, the subway's contactless payments system."

"After a few seconds," he continued, "the site churned out the rider's travel history for the past 7 days, no other verification required."

If correct, this is unquestionably a serious security issue for MTA. In an email to Cox stressing that it "is committed to maintaining customer privacy," MTA pointed out at it solely records the point of entry of the traveler, not their point of exit.

That's nonsense, though, because a stalker or other criminal can just wait for the traveler to make a return journey and they have what is probably their entire route.

So MTA's system is flawed, but the real question concerns Apple Pay since that should be impervious to any credit card-related security issues. At the point of transaction, Apple Pay does not relay a user's credit card information at all, rather it provides a one-time verification code.

Consequently Cox concludes that since he or others in 404media say that they could perform the same tracking when Apple Pay is used, that Apple Pay is compromised.

However, the results have yet to be replicated -- and there is also an issue of just what constitutes the point of transaction.

Cox is not very clear on this issue, but he says that to access a user's MTA history, he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system.

So if a traveler has registered with an Apple Card, for instance, then it doesn't seem a compromise if a payment on that account is triggered at the turnstile.

"Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay," wrote Cox.

Read on AppleInsider

Comments

  • Reply 1 of 6
    anchaancha Posts: 2member
    Your article says: " he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system."

    Just to clarify: if the rider registers a card with OMNY, that seems to indicate they have an account with the system, and that means that the trip history is secure. The exploit of displaying trip history with just the credit card number does not work if a card is registered via an OMNY account, as far as I can tell (with my registered card). 

    And OMNY's website says

    "When you add your bank card to your digital wallet, it will create a device account number. The device account number is different for each smart device that you use. The last four digits of each device account number will appear in your OMNY account when you tap your smart device at OMNY readers." 



    mike1ronnmknelsonFileMakerFellerwatto_cobra
  • Reply 2 of 6
    mknelsonmknelson Posts: 1,128member
    ancha said:
    Your article says: " he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system."

    Just to clarify: if the rider registers a card with OMNY, that seems to indicate they have an account with the system, and that means that the trip history is secure. The exploit of displaying trip history with just the credit card number does not work if a card is registered via an OMNY account, as far as I can tell (with my registered card). 

    And OMNY's website says

    "When you add your bank card to your digital wallet, it will create a device account number. The device account number is different for each smart device that you use. The last four digits of each device account number will appear in your OMNY account when you tap your smart device at OMNY readers." 

    Thanks for the details.

    It looks like the card number entered on the website links to the rider's account, that account is showing the history of the transactions on the OMNY account, not specifically the transactions on the card.
    FileMakerFellerwatto_cobra
  • Reply 3 of 6
    anchaancha Posts: 2member
    mknelson said:


    It looks like the card number entered on the website links to the rider's account, that account is showing the history of the transactions on the OMNY account, not specifically the transactions on the card.
    Because I have an account, when I'm logged into the website, I can see a menu that lets me choose among my registered cards, either one card at a time, or all together.  For registered cards, there is no searching by credit card number (by myself or by others), but only selection from the menu when logged on. (I'm a senior, and only one card/device gets the discounted rate.)


    FileMakerFellerwatto_cobra
  • Reply 4 of 6
    entropysentropys Posts: 4,194member
    Still trying to get my head around this: does a user have to register their credit card details in their OMNY account? If so, that is the more likely path.
    or is it that you don’t register the details, it is the payment record?

    in any case, this dude is linking it to Apple for the media attention, which he would not get if he just mentioned OMNY. 
    FileMakerFellerwatto_cobraAlex1Njony0
  • Reply 5 of 6
    This is 100% an issue with the MTA website and not with Apple Pay.
    watto_cobrachasmjony0
  • Reply 6 of 6
    The security issue here is actually a feature that MTA built into OMNY.  But I agree they should add a security verification system onto it.  The issue that MTA somehow addressed with the credit card processors is that when you use a mobile wallet like Apple Pay with OMNY, the phone transmits a virtual card number to the payment terminal instead of your actual card number.  The phone will only tell you the last 4 digits of that virtual card number.  So OMNY somehow arranged to retrieve from the credit card processor or network the actual credit card number to associate with the trip entry, or you would have no way to view these trips on OMNY at all!  I supposed this also means that while free transfers and fare capping generally require you to use the same card for all entries, using the actual credit card and the mobile wallet (or even several mobile wallets) would all count as using the same card thanks to this feature!  Again, minimum requirement is MTA should validate the user has access to the credit card billing account before allowing the card to be registered on OMNY.
Sign In or Register to comment.