NYC subway security flaw and ‘impossible’ Apple Pay vulnerability

An inexcusable NYC subway security flaw has been revealed, allowing anyone with knowledge of a user's credit card number and expiry date to track all journeys made within the past seven days.

But what's far more concerning is that the vulnerability applies to journeys where Apple Pay was used to tap into stations, despite the fact that this should be completely impossible …

Apple Pay Express Transit on the NYC subway

While most metro subway systems began by requiring dedicated transit cards, most now also accept contactless payment cards, which also allows Apple Pay to be used.

To further streamline the process of passing through entry and exit barriers, Apple later introduced Apple Pay Express Transit.

If you choose to have the feature enabled, then the usual Apple Pay authentication process – using Face ID with your iPhone, or double-pressing the side button on your unlocked Apple Watch – is not needed. Instead, you can simply tap your phone or watch against the contactless payment pad.

Although this could allow misuse in the event that someone takes physical possession of your device, transactions are monitored to ensure that the usage patterns are consistent with normal use by a single rider, so the fraud risk is very low. All the other Apple Pay security features should still apply, including single-use codes.

The New York City subway system began rolling out Apple Pay Express Transit back in May 2019, and it was available at all stations by the end of 2020.

NYC subway security flaw

The NYC subway system is run by the Metropolitan Transportation Authority (MTA). While the MTA website does offer the ability to open an account, which then requires authentication to access journey logs, it also offers instant access to the last seven days of travel history using nothing more than card details.

Only the credit card number and expiry date are needed – not even the three- or four-digit security code, variously known as the CSC, CVC, or CCV, which is usually found on the reverse of physical payment cards. This means that everything needed to access the last week's worth of travel can be found on the front of most payment cards.
