Submitted URL: https://www.engadget.com/amp/nyc-subway-security-flaw-makes-it-possible-to-track-riders-journeys-195600685.html
Effective URL: https://www.engadget.com/nyc-subway-security-flaw-makes-it-possible-to-track-riders-journeys-195600685.html
Submission: On August 31 via manual from US — Scanned from US


Engadget


NYC subway security flaw makes it possible to track riders’ journeys


The MTA's OMNY website shows a seven-day ride history with only a credit card number.

Will Shanklin
Contributing Reporter
Updated Wed, Aug 30, 2023, 3:56 PM EDT·3 min read

Michael M. Santiago via Getty Images

The contactless payment system for New York City’s subways has a security hole.
Anyone with access to someone’s credit card number can see when and where they
entered the city’s underground transit during the last seven days. The problem
lies in a “feature” on the website for OMNY, the tap-to-pay system for the
Metropolitan Transportation Authority (MTA), which allows you to view your
recent ride history using only credit card info. Further, subway entries
purchased using Apple Pay — which gives merchants a virtual number instead of
your real one — still somehow link to your physical credit card number.

The MTA’s loose implementation could allow stalkers, abusive exes or anyone who
hacks into or purchases a person’s credit card information online to find out
when and where they typically enter the subway. Joseph Cox of 404 Media
initially reported on the story, detailing how (with a rider’s consent) he
tracked the stations they entered — with corresponding times. “If I had kept
monitoring this person, I would have figured out the subway station they often
start a journey at, which is near where they live,” Cox wrote. “I would also
know what specific time this person may go to the subway each day.”



“This is a gift for abusers,” Eva Galperin, the Electronic Frontier Foundation’s
director of cybersecurity, told Engadget. The OMNY website also allows
passengers to create a password-protected account, but that option sits below
the more prominent “Check trip history” section atop the page, which requires
only a card number and expiration date and no further security input. “It is a
real problem that the option to track your location — without any kind of
password security — is available first on the website,” noted Galperin. She says
the MTA could have “fixed this simply” by including a PIN or password
requirement alongside the credit card field.


Metropolitan Transportation Authority

The website still shows your travel history even if you paid with Apple Pay. The
iPhone maker says its tap-to-pay system gives merchants a virtual number rather
than the physical card’s number. “And when you pay, your card numbers are never
shared by Apple with merchants,” a marketing blurb on the company’s website
reads. But an Engadget staffer confirmed that entering their actual credit card
number linked to the used Apple Pay account — without having directly used that
card to ride — still revealed their seven-day point-of-entry history.

When asked about the OMNY website linking the two regardless, the MTA told
Engadget it can’t see the credit card numbers of customers who use Apple Pay.
Apple didn’t immediately respond to an emailed request for comment about how the
MTA website associates the two without vendors having access to the physical
credit card number.

The MTA says it will consider security changes as it improves its system. “The
MTA is committed to maintaining customer privacy,” MTA spokesperson Eugene
Resnick wrote to Engadget in an email. “The trip history feature gives customers
a way to check their paid and free trip history for the last 7 days without
having to create an OMNY account. We also give customers the option of paying
for their OMNY travel with cash. We’re always looking to improve on privacy, and
will consider input from safety experts as we evaluate possible further
improvements.”





