Date: 2023-08-31

A flaw in the New York City subway’s security system has been revealed, exposing a potential privacy breach for Apple Pay users. The vulnerability allows anyone with knowledge of a user’s credit card number and expiry date to track all journeys made within the past seven days, even those made using Apple Pay.

Apple Pay Express Transit, a feature introduced by Apple to streamline the process of passing through entry and exit barriers in the subway, allows users to tap their phone or Apple Watch against the contactless payment pad without the need for authentication. This feature, however, poses a potential security risk if someone gains physical possession of the device.

While transactions made with Apple Pay are monitored to detect any inconsistencies in usage patterns, a flaw in the Metropolitan Transportation Authority’s (MTA) website allows instant access to the last seven days of travel history using just the credit card number and expiry date. This means that attackers could easily track a user’s movements by obtaining their credit card details, which are readily available on the front of most payment cards.

Interestingly, even journeys made with Apple Pay are exposed through this security flaw. The MTA website’s trip history feature still works when a rider pays with Apple Pay, revealing all the journeys made using the service. Apple has stated that it does not store or have access to the card numbers used with Apple Pay, and it does not provide this information to merchants, including transit systems. However, it remains unclear how the MTA website feature works when a rider uses Apple Pay.

This security flaw raises concerns not only about the MTA’s decision to allow non-authenticated travel history requests but also about the collection of actual payment card details when Apple Pay is used. Apple Pay is designed to protect users’ card details by substituting them with single-use codes, so that only the code and a device number are transmitted to the merchant. The fact that this protection appears to be bypassed in certain circumstances is a serious issue that needs investigation by Apple.
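The following is an added illustrative model, not code from the MTA, Apple or the cited article: a toy token vault and a merchant-side trip ledger. It shows why an unauthenticated lookup keyed by card number and expiry should return nothing when taps are tokenized, and that the lookup only starts working if the merchant (or someone on its behalf) resolves device tokens back to real cards. All class and function names, the sample card number and the station names are constructed assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass
class Tap:
    token: str       # device account number: the only card identifier the merchant sees
    cryptogram: str  # single-use value, fresh for every tap
    station: str

class TokenService:
    """Toy stand-in for the card network's token vault (hypothetical, not a real API)."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # secret behind the per-tap cryptograms
        self._card_by_token = {}             # token -> (pan, expiry); never leaves the vault

    def provision(self, pan: str, expiry: str) -> str:
        """Bind a fresh device token to a real card; the token, not the PAN, goes on the phone."""
        token = "DAN-" + secrets.token_hex(8)
        self._card_by_token[token] = (pan, expiry)
        return token

    def cryptogram(self, token: str, counter: int) -> str:
        return hmac.new(self._key, f"{token}:{counter}".encode(), hashlib.sha256).hexdigest()[:16]

    def detokenize(self, token: str) -> tuple:
        """Only the vault can map a token back to the card it stands for."""
        return self._card_by_token[token]

class TransitLedger:
    """Merchant-side trip history; with resolve_cards=False it never learns a PAN."""
    def __init__(self, vault: TokenService, resolve_cards: bool) -> None:
        self._vault, self._resolve, self._trips = vault, resolve_cards, {}

    def record(self, tap: Tap) -> None:
        # Trips are keyed by the real card only if the merchant resolves tokens (the worrying case).
        key = self._vault.detokenize(tap.token) if self._resolve else (tap.token, None)
        self._trips.setdefault(key, []).append(tap.station)

    def trips_by_card(self, pan: str, expiry: str) -> list:
        """Unauthenticated lookup by card number and expiry, as the article describes."""
        return list(self._trips.get((pan, expiry), []))

def simulate(resolve_cards: bool) -> list:
    """Constructed scenario: one rider, two taps, then a lookup using only the card details."""
    vault = TokenService()
    token = vault.provision("4111111111111111", "12/26")  # constructed sample card
    ledger = TransitLedger(vault, resolve_cards)
    for n, station in enumerate(["Times Sq-42 St", "14 St-Union Sq"]):
        ledger.record(Tap(token, vault.cryptogram(token, n), station))
    return ledger.trips_by_card("4111111111111111", "12/26")
```

With `resolve_cards=False` the card-keyed lookup finds nothing, which is the privacy property tokenization is meant to give; with `resolve_cards=True` the same lookup returns the full trip list, which is the behaviour the article reports and the reason the question of where detokenization happens matters.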

In conclusion, this privacy breach in the New York City subway’s security system highlights the importance of robust security measures for contactless payment systems such as Apple Pay. Immediate action is required to address this flaw and protect users’ sensitive payment card information.

Definitions:

– Apple Pay Express Transit: A feature introduced by Apple that allows users to tap their iPhone or Apple Watch against contactless payment pads in transit systems without the need for authentication.

– Metropolitan Transportation Authority (MTA): The organization responsible for operating the New York City subway system.

– Single-use code: A unique code generated for each transaction made with Apple Pay that substitutes the user’s actual payment card details.

Sources:

– Article: New York City subway privacy flaw exposed by tracking trips made with Apple Pay (9to5Mac)