
NYC subway security flaw seemingly exposes ‘impossible’ Apple Pay vulnerability [U]

Update: The MTA flaw has been eliminated, but the Apple Pay question remains. See the end of the piece.

An inexcusable NYC subway security flaw has been revealed, allowing anyone with knowledge of a user’s credit card number and expiry date to track all journeys made within the past seven days.

But what’s far more concerning is that the vulnerability applies to journeys where Apple Pay was used to tap into stations, despite the fact that this should be completely impossible …

Apple Pay Express Transit on the NYC subway

While most metro subway systems began by requiring dedicated transit cards, most now also accept contactless payment cards, which in turn allows Apple Pay to be used.

To further streamline the process of passing through entry and exit barriers, Apple later introduced Apple Pay Express Transit.

If you choose to have the feature enabled, then the usual Apple Pay authentication process – using Face ID with your iPhone, or double-pressing the side button on your unlocked Apple Watch – is not needed. Instead, you can simply tap your phone or watch against the contactless payment pad.

Although this could allow misuse in the event that someone takes physical possession of your device, transactions are monitored to ensure that the usage patterns are consistent with normal use by a single rider, so the fraud risk is very low. All the other Apple Pay security features should still apply, including single-use codes.

The New York City subway system began rolling out Apple Pay Express Transit back in May 2019, and it was available at all stations by the end of 2020.

NYC subway security flaw

The NYC subway system is run by the Metropolitan Transportation Authority (MTA). While the MTA website does offer the ability to open an account, which then requires authentication to access journey logs, it also offers instant access to the last seven days of travel history using nothing more than card details.

Only the credit card number and expiry date are needed – not even the three- or four-digit security code, variously known as the CSC, CVC, or CCV, which is usually found on the reverse of physical payment cards. This means that everything needed to access the last week’s worth of travel can be found on the front of most payment cards.

404Media confirmed this NYC subway privacy flaw by tracking a user – with permission – using nothing more than their credit card details.

In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time. They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live. I would also know what specific time this person may go to the subway each day. 

During all this monitoring, I wasn’t anywhere near the rider. I didn’t even need to see them with my own eyes. Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system.

With their consent, I had entered the rider’s credit card information—data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain—and punched that into the MTA site for OMNY, the subway’s contactless payments system. After a few seconds, the site churned out the rider’s travel history for the past 7 days, no other verification required.

Somehow, Apple Pay journeys are also exposed

Apple Pay is designed to offer protection against this type of flaw. Instead of your actual payment card details being transmitted to a payment terminal, a single-use code is substituted, known as a payment cryptogram, together with a device number.

The bank or finance house is able to algorithmically reconcile these two numbers with the actual card account, but neither Apple nor the merchant should have access to your payment card details.

In this case, the merchant is the MTA, and it should not be able to see your actual payment card number. Yet 404 Media found that entering the target’s physical payment card number still revealed all the journeys they had made using Apple Pay.

404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay.

Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems.

Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.
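To make the tokenisation argument above concrete, here is a small constructed Python model, added here and not code from Apple, the MTA or 404 Media. It models three parties: the issuer-side token service provider that alone holds the Device Account Number (DAN) to card-number map, the device that presents a one-time cryptogram at the gate, and a merchant whose trip log is keyed only by the DAN. The cryptogram is simplified to a keyed MAC over a transaction counter (the real EMV scheme differs), and all identifiers, station names and card numbers are made up.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

def cryptogram(key, dan, counter):
    # Per-tap one-time code: keyed MAC over the DAN and a transaction counter.
    return hmac.new(key, f"{dan}:{counter}".encode(), hashlib.sha256).hexdigest()

class TokenServiceProvider:
    """Issuer/network side: the only party able to map a DAN back to the real PAN."""
    def __init__(self):
        self.vault = {}         # DAN -> (real PAN, per-device key)
        self.last_counter = {}  # DAN -> highest counter accepted (replay check)

    def provision(self, pan):
        # Enrol a card on a device: the device receives a DAN and a key, not the PAN.
        dan, key = "DAN-" + secrets.token_hex(4), secrets.token_bytes(16)  # made-up format
        self.vault[dan] = (pan, key)
        return dan, key

    def authorize(self, dan, counter, code):
        # Accept a tap only if the cryptogram verifies and the counter is fresh.
        _pan, key = self.vault[dan]
        if counter <= self.last_counter.get(dan, 0):
            return False
        if not hmac.compare_digest(cryptogram(key, dan, counter), code):
            return False
        self.last_counter[dan] = counter
        return True

def tap(dan, key, counter):
    # What the device presents at the gate: DAN, counter, cryptogram. No PAN.
    return dan, counter, cryptogram(key, dan, counter)

class TransitMerchant:
    """Merchant trip log keyed by whatever identifier the terminal received."""
    def __init__(self, tsp):
        self.tsp, self.trips = tsp, defaultdict(list)  # identifier -> [(station, counter)]

    def gate(self, station, dan, counter, code):
        if not self.tsp.authorize(dan, counter, code):
            return False
        self.trips[dan].append((station, counter))
        return True

    def trip_history(self, identifier):
        # The unauthenticated lookup from the article, run against this merchant's log.
        return list(self.trips.get(identifier, []))
```

With a DAN-keyed log, querying by the real card number returns nothing, which is the behaviour the article says should hold; a log that can be searched by card number implies the merchant received or reconstructed a card-linked identifier.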

9to5Mac’s Take

MTA’s security failing here is inexcusable. It’s a completely dumb decision to allow non-authenticated travel history requests. As the piece says, this is a massive privacy fail which is easily abused by stalkers.

But of far greater concern is that actual payment card details are somehow being collected when Apple Pay is used.

It is supposed to be a core Apple Pay security and privacy requirement that neither the merchant nor Apple ever gets to see your real card details, only a code which is different for every single transaction. This means, for example, that if a company’s databases are hacked, and credit card details obtained, only the single-use codes and device numbers are exposed for Apple Pay purchases, making the data useless.

This test – if replicated by others – appears to indicate that there are circumstances in which Apple Pay transactions can transmit the actual physical card details to a merchant. This should absolutely not be possible, and it requires immediate investigation by Apple.

Update: September 1

Top comment by Alex


Apple does not share the real card number. The payment network / issuer’s Token Service Provider maps the Device Account Number to the card number. To improve privacy in this case it should be made mandatory to perform a Strong Customer Authentication (SCA) like is mandated for payments in Europe with PSD2 for this transaction lookup capability.

In the USA on the other hand there is probably no such legislation in place as they enjoy the freedom to have less privacy. 😅


Engadget reports that the MTA has now disabled the non-authenticated search feature.

“This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account,” MTA spokesperson Eugene Resnick wrote in a statement to Engadget. “As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”

This still leaves unanswered the question of how Apple Pay transactions revealed physical card numbers. Some have suggested that Express Transit is an exception to the one-time code approach, in order to track both entry and exit on subway systems with barriers at both ends. However, this doesn’t make sense as the device number would be sufficient for this purpose.

We’ve reached out to Apple for comment, and will update with any response.

Photo: MTA/CC2.0


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
