The New York Metropolitan Transit Authority (MTA) has disabled the OMNY system's trip-history feature after researchers flagged severe privacy and safety concerns for travelers.
According to a report by 404 Media, a malicious individual with access to the credit card a traveler tapped for subway rides could easily pull up the trip history and track that person’s movement within the city’s subway system.
Privacy advocates raised safety concerns because the ‘trip history’ function listed the time, date and location of each payment made throughout the city’s subway system without further verification. Using the victim’s credit card, a stalker or other malicious individual could effortlessly track a target’s whereabouts and daily travel schedule, and even narrow down the location of their home.
The MTA shut down the feature just a day after a warning posted by 404 Media, which cited a privacy advocate from the non-profit digital rights group Electronic Frontier Foundation (EFF).
“This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account,” the MTA said. “As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”
While the feature was a convenient tool for users, it also became “a gift for abusers,” explained Eva Galperin, director of cybersecurity at the EFF. During the investigation, Galperin said she was following the movement of another person (with their consent).
“I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—and punched that into the MTA site for OMNY, the subway’s contactless payments system,” Galperin noted. “After a few seconds, the site churned out the rider’s travel history for the past 7 days, no other verification required. Obviously, this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets.”
The use of technology to stalk or harass others can have serious psychological and physical implications for victims. Never hesitate to report stalking behavior to the police and protect yourself from further threatening behavior.
If you want to boost your privacy, monitor your digital footprint, and see just how much public-facing information is up for grabs online, check out Bitdefender's Digital Identity Protection.