Privacy experts: OMNY system flaw left personal info vulnerable
OMNY has become one of the most popular ways to get on the subway and will be the only way when MetroCards are phased out in 2024. The process is simple - you just tap and go. But privacy experts say the system has a major flaw.
“OMNY decided to roll out a tool that allows you to check how many times you’ve tapped your card to pay your subway fare, to pay the bus, and it gives the location of where you tapped it, it gives the time.” Albert Fox Cahn from the Surveillance Technology Oversight Project told News 12.
“The problem is that anyone who has your credit card number and your expiration date, they could go and they could find your trip history too. This is such an obvious danger to so many New Yorkers.”
Fox Cahn said this leaves New Yorkers who are in domestic violence or stalking situations especially vulnerable.
“We know when someone’s movements are being monitored by an abuser, that can be something that sets off violence if suddenly they’re changing their patterns around the city, if suddenly they’re going someplace they don’t usually go,” he said.
Subway riders shared mixed reactions with News 12.
“It’s the most disturbing feeling, I’m shocked actually - because it’s freedom. We’re in America, we’re supposed to feel safe,” Francesca Vuillemin said.
“I think it’s positive because you can track your kid’s movement, like if they say they’re going to school you can see if they’re going in the direction of their school, or if someone makes accusations against you, you can prove you weren’t in the vicinity, the tracking history is good,” said another subway rider.
The MTA told News 12 in a statement: “This feature was meant to help our customers who want access to their tap-and-go trip histories, both paid and free, without having to create an OMNY account. As part of the MTA’s ongoing commitment to customer privacy, we have disabled this feature while we evaluate other ways to serve these customers.”
OMNY users can still access their ride history, but they now have to register with an email address and password. Fox Cahn says this is a half-measure and still leaves user information vulnerable.
“Thankfully the MTA already scrapped this program and they said they’ll be better about privacy in the future, but one of the scary things is we have no idea whose information has already been compromised,” Fox Cahn added.
Fox Cahn says similar issues will come up with the way the city tracks congestion pricing when it’s implemented in 2024.