MTA Website 'Feature' Lets You Track Subway Riders' Locations

In the mid-afternoon one Saturday earlier this month, the target got on the New York subway. I knew what station they entered the subway at and at what specific time.

They then entered another station a few hours later. If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live.

During all this monitoring, I wasn't anywhere near the rider. I didn't even need to see them with my own eyes.

Instead, I was sitting inside an apartment, following their movements through a feature on a Metropolitan Transportation Authority (MTA) website, which runs the New York City subway system.

With their consent, I had entered the rider's credit card information -- data that is often easy to buy from criminal marketplaces, or which might be trivial for an abusive partner to obtain -- and punched that into the MTA site for OMNY, the subway's contactless payments system. After a few seconds, the site churned out the rider's travel history for the past 7 days, no other verification required.

On the OMNY website, the MTA offers the ability for riders to "Check trip history." This feature works for people who use contactless bank cards when entering the subway, or other solutions like Apple Pay and Google Pay.

The issue is that the feature requires no other authentication -- no account linked to an email, for example -- meaning that anyone with a target's details can enter it and snoop on their movements. The MTA does offer the option of an OMNY account, which requires a password.

The website says having an account lets riders "Securely access your trip history." But the first option that appears on the trip history website is the unauthenticated version.

After 404 Media raised the concerns to the MTA, a spokesperson said the agency will look into improving the system. "But at the moment, the tracking feature is still accessible without any authentication," notes Cox.

Click bait.

Sure, if you have a person’s credit card information, you can see what stations they enter, and can make some deductions based on that (Jimmy lives near Nostrand Avenue and comes home at Fulton Street). That’s hardly “tracking”, and to do that, they’d have to pull out the same card each time over a period of time, and save no money on the fare since they’re not using the OMNY program to save money. If this person is a regular commuter, they’re not giving the MTA a cent more than they’re entitled to, and if they have half a brain they’re more concerned with the system leaking their card info so they’re buying a MetroCard from the machine in the station with cash or a credit card... at least those machines you’d have to physically compromise to get card numbers.

It’s not a well-designed feature to let you get meta about a person (they should ask for CVV or the billing zip code or something else besides the card number and expiration date) but that would require real engineers instead of the cadre of vendors that regularly fleece the taxpayers through the MTA.

OMNY is the brainchild of Cubic, the company that developed the MetroCard for NYC and other transit systems’ payment tech. The machines in the stations ran Windows NT well past its expiration date (and the MTA, via Cubic, paid for extended support). Expecting anything well-thought out from these leeches is fantasy.

Very interesting.

- - - - - - - - - -

“Sex and Uber’s ‘Rides of Glory’: The company tracks your one-night stands — and much more
Updated: Nov. 20, 2014, 3:25 p.m.|Published: Nov. 20, 2014, 2:25 p.m.
facebook
twitter

By Douglas Perry | The Oregonian/OregonLive
uber.JPG

Taxi drivers aren’t the only ones who have a problem with Uber.

(The Associated Press)

“Today we’re going to get a little emotional.”

So began the “Uber team” in its March 26, 2012, blog post. The ride-sharing service then quickly downshifted from emotional to creepy.

“You know that Uber loves you and well, gosh, sometimes it’s nice to think that you love us, too. But we know we’re not the only ones in your life and we know that you sometimes look for love elsewhere. Well, while you’re out loving other human beings, we #UberData nerds are cuddled up with our computers, loving math.”

At this point you might be thinking, Well, yeah. Nerds love math. So?

What the nerds mean is that they’re doing math to figure out when you’re loving people other than Uber nerds. In other words, points out Marketplace senior editor Kai Ryssdal, “Uber can and does track one-night stands.”

Well, isn’t that interesting? This is an old Uber blog post but it is newly chilling in the wake of recent comments made by company executive Emil Michael. Michael, talking at a New York City dinner of movers and shakers, was mad at PandoDaily journalist Sarah Lacy, who has reported on Uber doing business with an escort service. Lacy has called Uber misogynistic. “I don’t know how many more signals we need that the company simply doesn’t respect us or prioritize our safety,” she has said.

BuzzFeed first reported on Michael’s comments: “Over dinner, he outlined the notion of spending ‘a million dollars’ to hire four top opposition researchers and four journalists. That team could, he said, help Uber fight back against the press — they’d look into ‘your personal lives, your families,’ and give the media a taste of its own medicine.”

Maybe the opposition researchers will start with Uber’s own data. One of the gross things about Uber’s little sex-research project is that the company’s self-described nerds believe this is all so très chic. They think tracking customers who re-use the service within a short time frame near the previous night’s drop-off point isn’t just a good business practice, it also makes them cool and funny. Wrote “Uber Team”: “I have come to understand that some of you may have—and I’m not pointing any fingers here or anything—on occasion found love that you might immediately regret upon waking up the morning after. Let’s talk about that. In times of yore you would have woken up in a panic, scrambling in the dark trying to find your fur coat or velvet smoking jacket or whatever it is you cool kids wear. Then that long walk home in the pre-morning dawn. But that was then.”

Now, instead of a walk of shame, you can take a “Ride of Glory” (abbreviated by “Team” as “RoG”).

Doesn’t this make you want to never use the service again? Uber proudly shows off a graph that indicates that its customers have lots of quick sex around tax day (we apparently have to remind ourselves as April 15 approaches that there’s still a reason to live). Uber’s customers have a lot fewer slam-bam-thank-you-ma’am encounters around Valentine’s Day.

The company — which insisted after BuzzFeed’s story that it doesn’t do “oppo research” on journalists — calls out Boston for the most one-night-stands. Seattle placed second among its customers. Coming in last for “Rides of Glory” among Uber cities is New York. Sayeth “Uber Team”: “Clearly New Yorkers and Bostonians differ in more than just baseball.” Har-har. Oh, those nerds. Such cards.

Uber charts “Rides of Glory” by neighborhood and day of the week. In that 2012 blog post, it tries to soothe any privacy worries we might have by mentioning in passing that all of its RoG work is done “blind.” Do you believe them? Neither will the divorce lawyer who knows his client’s spouse uses Uber.”

— Douglas Perry

“If you purchase a product or register for an account through one of the links on our site, we may receive compensation. By browsing this site, we may share your information with our social media partners in accordance with our Privacy Policy.”

- - - - - - - - - - - - - - -

Hmm.

Norski.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.