A feature on the Metropolitan Transportation Authority (MTA) website, designed to allow New York City subway riders to check their travel history, has come under scrutiny for posing a significant privacy risk.
404 Media reports that the MTA’s OMNY contactless payment system was designed to make commuting easier for New Yorkers who rely on the city’s famous subway system. However, a feature that allows riders to check their travel history has raised eyebrows among cybersecurity experts. The feature requires only the credit card information used for travel, with no additional verification steps, making it susceptible to abuse.
“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” said Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation (EFF). “Credit card info is not a goddamn unique identifier.”
The issue lies in the lack of authentication. Typically, features that provide access to sensitive information require a multi-step verification process. However, the MTA’s feature allows anyone with a person’s credit card details to access their travel history. This opens up the possibility of stalking, harassment, and other forms of abuse.
In response to the concerns raised, an MTA spokesperson stated, “The MTA is committed to maintaining customer privacy. The trip history feature gives customers a way to check their paid and free trip history for the last 7 days without having to create an OMNY account. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan