> 404 Media found that MTA’s trip history feature still works even when the user pays with Apple Pay. Apple told 404 Media it does not store or have access to the used card numbers, and does not provide these to merchants, including transit systems. Apple did not respond when asked to clarify how the MTA website feature works when a rider uses Apple Pay.
I think the issue has been rather overblown. Realistically I think the solution to this problem is to make riders more aware of the existence of this website, so if they feel that they may be tracked by an abusive partner they'll know how it's happening.
Every time you hand your card to someone they could grab the info. If they use it to buy something, that's fraud and they'll hopefully get in lots of trouble. But if they just use it to track you to your home neighborhood or place of work, is that illegal?
Yeah, no one really cares here because we're not responsible for someone else stealing the money. We just call the bank and they give it all back. The worst part is waiting for a new card to ship and then updating all your payment information with the new card number wherever you're using auto payment.
I don't even bother updating the number on recurring stuff. Most recurrent payments keep going through just fine even if the number itself was compromised.
If you are using it to represent someone else's identity, yes, that's fraud. Doing it on a computer outside the intended purpose will add on a hacking charge. Together, at maximum, that can get you 5 years in prison and a ban from using a computer or smartphone for a decade. Those are federal maximums, per count, but states might have harsher penalties. Source: An FBI agent at an infosec conference.
Breaking news! OMNY caved after I tipped off Joseph Cox about this and he published the story for 404 Media. It took the MTA/OMNY ~24 hours from story to reaction.
The public trip history page is not working any more! (weirdly, you can still access it from the mobile menu - but the functionality has been neutered there as well)
You can also call up any phone provider or mortgager and they will "verify" if you give them an address and credit card number. Society is built on the reality that most people won't, not that they can't.
At first I do think this site is being sensationalist again (3rd story from 404media I've seen on HN lately), but for the stereotypical guy meets girl, guy stalks girl storyline:
I can imagine a guy working in a store seeing a girl he finds attractive, getting her CC number through some sleight of hand while she was paying, or something like a camera pointed at the payment machine, and then using this number to figure out what station she usually gets off at and at what time in the evening.
I wonder what protection can be built in. An online CC transaction needs the exp. date, CVV and ZIP of the customer, could OMNY ask for these values before showing people the ride data associated with the card? The people might be wary "wait, what are they making me buy?", but maybe a big fat warning that they just need this info "for your protection" is sufficient...
Then again, those values are also easy to buy from "criminal marketplaces", and the guy above can just tell the girl that the store is doing a survey on where their customers live and what her ZIP is (the other info is on the card he took a good peek at).
I understand that, but shouldn't OMNY only receive the anonymized static card number?
If I use the OMNY tool [0] and enter in the un-anonymized card number from my physical card, I can still see my ride history even though I paid using Apple Pay.
This, uh, seems strange? Something doesn't add up.