In a lot of ways, money-less payment methods are much more convenient. It has been integrated into most modern systems like online purchases and even transportation. Unfortunately, they also come with setbacks, such as threat actors being able to pull data from transactions.
Tracking NYC Subway Passengers
New York City's subways now have tap-to-pay systems which allow for contactless payment methods. With just your credit card information, the Metropolitan Transporation Authority (MTA) allows you to look at your travel history in the last seven days on the website for OMNY.
Even with the use of Apple Pay which gives merchants a virtual number, the physical credit card number can still be linked to it. It means that the feature can also serve as a security flaw, especially if the information falls into the wrong hands.
According to Engadget, entering a credit card number linked to the Apple Pay account will reveal the ride history, even though the credit card is not directly used to pay the fare. This nulls statement by Apple which says that card numbers are never shared with merchants.
The MTA acknowledged the link between Apple Pay and credit card information through the OMNY website, saying that it can't see the credit card numbers of riders who use Apple Pay. It still doesn't change the fact that Apple Pay payment data can be accessed through credit card details.
In response to the security flaw, the MTA stated that it will consider making changes as it improves the system, adding that they are "committed to maintaining customer privacy." As of right now, it is still a risk to riders.
Journalist Joseph Cox attempted to track travel histories with the passenger's consent, detailing that if he kept monitoring the person, he would have figured out the subway station they started at, which could be near where they lived.
Electronic Frontier Foundation's director of cybersecurity, Eva Galperin expressed that it was a "gift for abusers." Although the OMNY website allows you to create a password-protected account, it is not needed to access a person's travel history.
How to Avoid Being Tracked
Upon purchasing a card in local convenience stores like 7-Eleven, you can pay for it as well as reload it using hard cash. It's important to note that the $5 price you'll pay for the card will not be loaded into the card itself.
Don't use Apple Pay as a way to pay for fares, or at least not until the issue has been resolved. Just for safe measure, try to avoid using other digital wallets that are accepted by OMNY readers as well such as Google Pay/Wallet or Samsung Pay.
As mentioned in the NYC Subway Guide, the cards are much like debit and credit cards, which hold sensitive details in the back such as the 18-digit card number, a CVV number, and an expiration date. This can also ve used to track you, so you should treat it like other payment cards.