The MTA Website Leaks Private User Data Due to Basic Technical Flaw

Issue 238

For years passwords, sexual harassment complaints and other sensitive information have been available to third parties on the internet. This article has been updated for our August print edition to reflect new developments. It was originally published on July 18 .

John Bolger Jul 18, 2018

It’s no secret that the MTA website is as decrepit as the signals directing it’s trains. But then again, the MTA website is not very good at keeping secrets. If you have used TripPlanner, Subway Times or Bus Times, customer service, filed a FOIL request or a sexual harassment complaint, if you have submitted personal information through any of these MTA web portals, your data — such as name, email address, username, password, postal address, phone number, photo uploads, text entries and travel details — has been exposed to countless third-parties, for many years.

This is because the MTA’s website did not use encryption when transmitting your private information. As a result, any data submitted to the MTA website could have been read by third parties whose networks your private information passed through on its way to the MTA.

In general, the MTA’s web offerings are all insecure at this time except for the My MTA Alerts, MTA Employment Opportunity and EasyPay portals, which all use encryption to protect visitors. After being notified of the leak, the MTA has since secured the customer service and the third-party developer portals.

For web traffic, secure transmission is known as “HTTPS.” Without HTTPS, there is no privacy or assurance on the web. This is because the internet is basically a network of relays between you and the physical locations of requested web servers. This means a lot of strangers handle your web requests. Without encryption, private data sent over the web can be spied upon or tampered with by any of these third parties. HTTPS thwarts these types of attacks.

It is impossible to count the number of third parties who have had access to your data, and it is impossible to know if any of them read or harvested your data, but a short list of these third parties includes internet service providers and phone companies (Verizon, AT&T, Time Warner Cable), WiFi providers, such as coffee shops, hotels and free providers like LinkNYC — even your landlord in some buildings. Also, criminal hackers and government spy agencies both foreign and domestic.

“For a government agency that is sending and receiving data that has a real effect on people’s daily lives, there’s really no excuse for not using basic security techniques that are, at this point, absolutely bog standard,” said Parker Higgins, a computer security expert and director of special projects for Freedom of the Press Foundation.

“For at least the last five years,” Higgins added, “most government agencies are moving towards HTTPS everywhere. Within the federal government that’s been an official, established standard for three years.”

Switching to HTTPS from the nonsecure transmission line “HTTP” is easy and inexpensive. HTTPS has also recently become common among local government websites. New York City’s various web services, from traffic ticket payment to public housing requests, are all HTTPS-secured. The state government is also up to date in this sense — except when it comes to the MTA.

The MTA website itself is not a single website per se. It is a collection of unrelated web servers located around the country that perform different functions on the website but which link to each other. Since each web server uses a uniform style, the transition from one server to the other during browsing appears seamless. TripPlanner is located in Brooklyn, Subway and Bus Times are located in Virginia, Long Island Rail Road schedule lookup is on Long Island. None of these used HTTPS at press time.

The largest privacy violator for years was the MTA’s web customer service portal, which is located in Chicago on a network operated by Oracle. Traffic to and from this server was unprotected until July 16, when the MTA switched it to HTTPS after being contacted for this article a few days earlier. Last month, a simple web request to this site passed through at least 12 internet relays on its way from New York City to Chicago, according to a diagnostic tool named traceroute. This means that in addition to the MTA, 12 internet operators were able to read your username and password, and any FOIL requests (including postal address), customer service requests or sexual harassment complaints (including photo uploads and phone number) you might have filed. If you re-used passwords, the MTA customer service website could have compromised every account you used the same password for.

“Data that you send over HTTP can be intercepted and read by anyone on your network, including internet service providers and individuals connected to the same WiFi network as you,” said Sydney Li, a staff technologist for the Electronic Frontier Foundation. “Sensitive data such as personally identifiable information, passwords, or sexual harassment complaints should absolutely be sent over an HTTPS connection. When you load content over HTTP, any entity responsible for routing this content can also alter or present fake content to you. This is known as a man-in-the-middle attack.”

Verizon was caught doing just that, since at least 2014, according to reports from ProPublica.  In 2016, the Federal Communications Commission fined Verizon $1.35 million for injecting “super-cookies” into the unencrypted traffic of their mobile customers, with no way to opt out. These are tracking codes that Verizon and third parties use to monitor browsing histories and build profiles on unsuspecting web users. This type of message tampering is exactly what encryption was designed to defeat. It is not possible while using HTTPS.

Some sections of its website are managed in-house by the MTA, others are outsourced to contractors like Oracle, which conducts the MTA’s customer service and employment opportunity portals. Oracle is one of the MTA’s biggest technological contractors. As of May 2017, Oracle held at least $59 million in combined contracts with the MTA until 2020, according to minutes from a board meeting where the Oracle contracts to-date were consolidated into a single umbrella contract.

The MTA’s customer service website is provided to the authority via a service known as RightNow, also referred to as Oracle Cloud. This contract originates from 2002, years before RightNow was purchased by Oracle. At the time, it was offered to MTA for $112,000 per year, according to a 2011 procurement report. Oracle bought RightNow in 2012 and MTA costs have ballooned since then. In July 2014, the RightNow contract was renewed under Oracle for $190,000 a year, according to minutes from a board meeting where the RightNow contract was combined with the procurement of another Oracle service, “Social Relationship Management,” for a combined $518,000 for two years.

Currently, MTA still contracts Oracle for RightNow, which as of 2017 is included in the umbrella Oracle contract. This guarantees that the costs associated with RightNow will be much harder to trace going forward.

The MTA developer portal, for third-party app developers, was also not encrypted, meaning developers may have had their login username and password compromised or their API keys stolen. (API keys are the credentials MTA issues to third-party app developers to grant access to proprietary data feeds, such as train schedule or location services.) Visitors applying for a developer account also had their submissions leaked, which included their name, phone number and company name. The developer servers are located in Virginia.  The MTA secured this portal as of July 25.

On July 2, the MTA unveiled a pre-release version of its new and redesigned website, which was a vast improvement over its current website. Commendably, the homepage and the basic text pages were secured under HTTPS. Train schedule lookups have been merged into the basic website and are now secure as well. But the new website still linked to insecure areas of the old website, such as the lost and found form, which leaked name, phone numbers, email address, postal address and travel details.

The MTA has since secured the lost and found form.  But other parts of the old website remained unprotected at press time, such as TripPlanner and Subway Times and Bus Times.

Despite recent progress, the MTA violated its privacy policy for years and will continue to do so until its entire website is secured under HTTPS. The privacy policy states “the MTA Agencies are strongly committed to protecting personal information collected through the MTA Website against unauthorized access, use, or disclosure … MTA Agencies have implemented procedures to safeguard the integrity of their information technology assets, including, but not limited to, authenticating … and encrypting. Security procedures have been integrated into the design, implementation, and day-to-day operations of the MTA Website as part of our continuing commitment to the security of electronic content.”

After the initial web publication of this report on July 18, an MTA spokesperson emailed The Indypendent the following statement: “The MTA currently uses HTTPS and encryption for all ecommerce apps to protect customer data associated with financial transactions, and our technicians are working on remaining sections of the legacy website and expect to have that patched within days. There has been no evidence of data leak or breach of any information from the MTA website to date.”

However, the nature of this type of data leak means that the mere occurrence of data transmission to the MTA’s insecure servers is evidence itself that the leak has occurred. Since the leak occurs via the act of transmission itself, the MTA has no control over who reads or saves that leaked data. If a third party abused its access to the data, then the evidence would rest with that third party, not the MTA.

And despite its assurance that technicians were patching the data breaches on its “legacy website,” many areas of the website remained leaking as The Indy went to press.

This is reader-supported news. Make a contribution today!

Photo credit: Jens Schott Knudsen.

Buy Ivermectin