A security flaw in the New York subway's contactless payments system lets anyone who has a rider's credit card details see that rider's travel history.
The issue, reported by 404 Media, stems from a feature on the Metropolitan Transportation Authority's (MTA's) OMNY website, which allows users to see their seven-day ride history.
To see this information, riders do not need to have an account with a PIN or password. Instead, they simply enter their card details.
The feature works for normal card payments as well as Apple Pay and Google Pay, despite the latter two giving merchants a tokenised number.
“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, director of cybersecurity, Electronic Frontier Foundation, tells 404 Media.
MTA spokesperson Eugene Resnick says: “We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”