ancha

  • Researcher claims MTA subway flaw beats Apple Pay security

    Your article says: "he only had to enter their credit card details. Those are surely the same card details that the user registered with MTA's OMNY contactless payment system."

    Just to clarify: if the rider registers a card with OMNY, that seems to indicate they have an account with the system, and that means that the trip history is secure. The exploit of displaying trip history with just the credit card number does not work if a card is registered via an OMNY account, as far as I can tell (with my registered card). 

    And OMNY's website says

    "When you add your bank card to your digital wallet, it will create a device account number. The device account number is different for each smart device that you use. The last four digits of each device account number will appear in your OMNY account when you tap your smart device at OMNY readers." 



  • Researcher claims MTA subway flaw beats Apple Pay security

    mknelson said:


    It looks like the card number entered on the website links to the rider's account, that account is showing the history of the transactions on the OMNY account, not specifically the transactions on the card.
    Because I have an account, when I'm logged into the website, I can see a menu that lets me choose among my registered cards, either one card at a time, or all together.  For registered cards, there is no searching by credit card number (by myself or by others), but only selection from the menu when logged on. (I'm a senior, and only one card/device gets the discounted rate.)

