The contactless payment system for New York City’s subways has a security hole. Anyone with access to someone’s credit card number can see when and where they entered the city’s underground transit during the last seven days. The problem lies in a “feature” on the website for OMNY, the tap-to-pay system for the Metropolitan Transportation Authority (MTA), which allows you to view your recent ride history using only credit card info. Further, subway entries purchased using Apple Pay — which gives merchants a virtual number instead of your real one — still somehow link to your physical credit card number.The MTA’s loose implementation could allow stalkers, abusive exes or anyone who hacks into or purchases a person’s credit card information online to find out when and where they typically enter the subway. Joseph Cox of 404 Media initially reported on the story, detailing how (with a rider’s consent) he tracked the stations they entered — with co
