Summary: A flaw in the New York City subway system's trip-history lookup allowed anyone who knew a rider's credit card number and expiry date to retrieve that rider's journeys from the past seven days. More concerning, the lookup also returned journeys paid for with Apple Pay. The flaw was reported by 404Media, who tracked a volunteer's movements through the subway using only the card number and expiry, with no login or other verification. Apple Pay is designed to prevent exactly this kind of linkage: the phone presents a device-specific account number (a token) and a per-transaction cryptogram instead of the real card number. Yet entering the rider's physical card number still revealed the journeys made with Apple Pay. The Metropolitan Transportation Authority (MTA) has since disabled the unauthenticated search feature.

The NYC subway system supports Apple Pay Express Transit, which lets riders tap a phone or watch on the contactless reader at the turnstile without waking the device or confirming with Face ID, Touch ID or a passcode. The feature was rolled out from May 2019 and is now available at every station. The convenience carries a known trade-off: anyone holding the device can ride on the owner's card. That exposure is bounded by the fare amounts involved and by the owner's ability to suspend the cards remotely when the device is marked lost. The flaw 404Media found is a different problem: it exposes a rider's travel history to anyone who knows the card number and expiry, without ever touching the device.

Apple Pay is designed to keep the real payment card number (the FPAN) out of the transaction: the device presents a device-specific account number (a token, or DAN) together with a per-transaction cryptogram, and the card network's token service maps the token back to the real card for the issuer. Neither Apple nor the merchant, in this case the MTA, is supposed to see the real card number. The reported behaviour, a lookup keyed on the real card number returning Apple Pay trips, therefore means that somewhere in the chain the token was linked back to the underlying card. Whether the MTA itself holds the real number or a payment processor resolved the mapping on its behalf is not established by the report. If the MTA does hold the real numbers, that would contradict the privacy properties Apple Pay advertises and raises questions about how rider payment data is handled.
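The following model is an added example, not code from 404Media, the MTA, its fare-system vendor or Apple, and the class and function names in it (TokenServiceProvider, TransitOperator, unauthenticated_search, authenticated_history) are assumptions of the model rather than real product or API names. It simulates the three parties in a contactless tap so the two points above can be checked concretely: an operator that records only what its readers receive cannot answer a lookup keyed on the real card number for phone taps unless some party resolves the token mapping for it, and an account-bound lookup removes the need to treat card number plus expiry as a secret at all. All card numbers, stations and trips are constructed sample data.

```python
"""Toy model of transit taps, Apple Pay-style tokenization and two history lookups.

Added example, not MTA or Apple code; all names and data below are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CardRef:
    number: str  # whatever the reader saw: real card number (FPAN) or device token (DAN)
    expiry: str  # "MM/YY"


@dataclass
class Trip:
    card: CardRef
    station: str
    when: datetime


class TokenServiceProvider:
    """Stands in for the card network's token vault: issues a device account
    number for a real card and keeps the only copy of the token -> card mapping."""

    def __init__(self) -> None:
        self._fpan_to_tokens: dict[CardRef, list[CardRef]] = {}

    def provision(self, fpan: CardRef, token_expiry: str) -> CardRef:
        # A DAN is a distinct card number with its own expiry (assumed format).
        dan = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        token = CardRef(dan, token_expiry)
        self._fpan_to_tokens.setdefault(fpan, []).append(token)
        return token

    def tokens_for(self, fpan: CardRef) -> list[CardRef]:
        # Only the network/issuer side can answer this question.
        return list(self._fpan_to_tokens.get(fpan, []))


class TransitOperator:
    """Records taps keyed only by the card reference the reader received."""

    def __init__(self, tsp: TokenServiceProvider | None = None) -> None:
        self.trips: list[Trip] = []
        self._tsp = tsp  # non-None models an operator that can resolve token mappings
        self._accounts: dict[str, set[CardRef]] = {}  # session -> linked card refs

    def tap(self, card: CardRef, station: str, when: datetime) -> None:
        self.trips.append(Trip(card, station, when))

    def unauthenticated_search(self, number: str, expiry: str, now: datetime,
                               window_days: int = 7) -> list[Trip]:
        """The design the article describes: card number + expiry, no login,
        returns the last `window_days` of trips.  Phone taps are stored under
        the DAN, so a real-card-number query only finds them if the operator
        can have the mapping resolved (what the reported behaviour implies)."""
        keys = {CardRef(number, expiry)}
        if self._tsp is not None:
            keys |= set(self._tsp.tokens_for(CardRef(number, expiry)))
        cutoff = now - timedelta(days=window_days)
        return [t for t in self.trips if t.card in keys and t.when >= cutoff]

    def link_card(self, session: str, card: CardRef) -> None:
        """Hardened design: a card is bound once to an authenticated account
        (after whatever identity and possession checks the operator requires),
        and history is then served by session, never by card number."""
        self._accounts.setdefault(session, set()).add(card)

    def authenticated_history(self, session: str, now: datetime,
                              window_days: int = 7) -> list[Trip]:
        linked = self._accounts.get(session)
        if not linked:
            raise PermissionError("no authenticated account for this session")
        cutoff = now - timedelta(days=window_days)
        return [t for t in self.trips if t.card in linked and t.when >= cutoff]


def demo() -> dict:
    """Runs the scenario on constructed data and returns what each lookup yields."""
    now = datetime(2023, 8, 30, 9, 0)
    plastic = CardRef("4111111111111111", "09/26")  # constructed sample card
    tsp = TokenServiceProvider()
    phone = tsp.provision(plastic, "12/29")  # Apple Pay-style device token

    no_mapping = TransitOperator(tsp=None)  # operator sees only DANs for phone taps
    with_mapping = TransitOperator(tsp=tsp)  # operator can resolve DAN -> FPAN
    for op in (no_mapping, with_mapping):
        op.tap(plastic, "Times Sq-42 St", now - timedelta(days=1))
        op.tap(phone, "Union Sq-14 St", now - timedelta(days=2))
        op.tap(phone, "Bedford Av", now - timedelta(days=10))  # outside the 7-day window

    rider = secrets.token_hex(16)
    with_mapping.link_card(rider, plastic)
    with_mapping.link_card(rider, phone)
    try:
        with_mapping.authenticated_history(secrets.token_hex(16), now)
        stranger_denied = False
    except PermissionError:
        stranger_denied = True

    return {
        "plastic_only": [t.station for t in no_mapping.unauthenticated_search(plastic.number, plastic.expiry, now)],
        "with_token_resolution": [t.station for t in with_mapping.unauthenticated_search(plastic.number, plastic.expiry, now)],
        "authenticated": [t.station for t in with_mapping.authenticated_history(rider, now)],
        "stranger_denied": stranger_denied,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the practitioner's point visible: the operator without token resolution returns only the plastic-card tap, so Apple Pay trips surfacing under the real card number can only happen if something resolves the token mapping. It also shows why the unauthenticated design is weak independently of tokenization: a card number and expiry are printed on the card and handed to every merchant, and the expiry adds roughly sixty possible values per card, so they cannot serve as an authenticator. Binding cards to an authenticated account once, and serving history by session, removes the card number from the query path entirely.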

The MTA disabled the unauthenticated search feature after the flaw was brought to light. That closes the immediate exposure, but it does not answer the underlying question: how a trip paid for with an Apple Pay token came to be searchable by the real card number, which the token is specifically designed not to reveal to the merchant. Apple has not explained how the MTA's feature behaved the way it did for Apple Pay transactions. Two lessons stand out for anyone building a similar lookup. A card number and expiry date are not secrets: they are printed on the card and shared with every merchant the rider uses, so they cannot stand in for authentication. And travel history is location data, which deserves the same access controls as any other personal record. The linkage question remains one the MTA and Apple need to address.

