Criminals can link stolen credit cards to digital wallets such as Apple Pay, Google Pay, and Paypal and make purchases with them, even with cancelled cards.
That’s according to a research paper by three security academics. The trio has since shared its findings with the companies and banks concerned and presented the results of the joint research at the Usenix Security 2024 symposium in Philadelphia, U.S., last week.
According to researchers Raja Hasnain Anwar, Syed Rafiul Hussain, and Muhammad Taqi Raza, the authentication methods, authorization mechanisms, and access control of digital wallet providers and some U.S. banks surveyed that provide payments using these wallets are lacking.
Searching for an entry point
To add a stolen credit card to a digital payment method, criminals attempt to link the cardholder’s name (printed on the card) to a home address through other sources. The criminals then look for wallets that require only a ZIP code to link a card. That is one possible entry point, lead researcher Raja Hasnain Anwar told The Register.
The research found that even if the rightful owner has the card blocked, it is still possible to use it in the digital wallet in some cases. To pull this off, however, the card must not already be blocked when it is linked to the wallet. The attacker then sets up a less stringent authentication method, such as sending a one-time code via text message instead of the more secure multifactor authentication (MFA).
Bypassing the help desk
In such cases, criminals may try to link a card by calling the bank’s help desk. Provided they have enough info at hand (such as the owner’s zip code, the last four digits of the card, the owner’s date of birth, or the owner’s social security number), they succeed in fooling the bank employee often enough.
The researchers say this method certainly does not succeed in all cases. But thanks to the many data breaches in recent years, the thieves’ guild has a treasure trove of personal information on millions of people. If they link the information from various stolen data sources, the criminals would have enough information to appear credible.
Blocking or replacing the card doesn’t work because the bank’s wallet security token is linked to the old, stolen card. While the replacement card gets a new token, the old connection remains valid in the cases studied. The physical card is no longer valid, but its digital twin still works. Also, when making purchases, there is no check to verify that the card used belongs to the person making the purchase.
Recurring payments
Making purchases via digital wallets with blocked cards is also possible if those purchases are designated recurring payments. This is because banks want to respect the contract between buyer and seller.
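The token lifecycle described above (a wallet token that outlives the card it was provisioned from, plus the recurring-payment exception) modelled as an added Python example; this is a constructed illustration, not code from the paper or from any bank, and the class, method and flag names are hypothetical.

```python
"""Constructed model of the wallet-token lifecycle the article describes.
Flawed design: authorization checks only the token, so a blocked card's token
stays usable. Hardened design: blocking a card revokes its tokens. The
`honour_recurring` flag models the recurring-payment exception. Names are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Bank:
    revoke_tokens_on_block: bool   # False reproduces the flaw in the article
    honour_recurring: bool         # approve recurring charges on revoked tokens
    blocked_cards: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)  # token_id -> [card_id, active]

    def provision_token(self, card_id: str, token_id: str) -> bool:
        """Link a card to a wallet; only possible while the card is usable."""
        if card_id in self.blocked_cards:
            return False
        self.tokens[token_id] = [card_id, True]
        return True

    def block_card(self, card_id: str) -> None:
        """Cardholder reports the card stolen (or it is replaced)."""
        self.blocked_cards.add(card_id)
        if self.revoke_tokens_on_block:
            for tok in self.tokens.values():
                if tok[0] == card_id:
                    tok[1] = False

    def authorize(self, token_id: str, recurring: bool = False) -> bool:
        """Wallet purchase: the card's own state is never consulted here."""
        _card_id, active = self.tokens[token_id]
        if active:
            return True
        return recurring and self.honour_recurring


def scenario(revoke_tokens_on_block: bool, honour_recurring: bool) -> tuple:
    """Provision, block, then attempt a one-off and a recurring purchase."""
    bank = Bank(revoke_tokens_on_block, honour_recurring)
    assert bank.provision_token("card-1", "tok-1")      # linked while still valid
    bank.block_card("card-1")
    assert not bank.provision_token("card-1", "tok-2")  # too late to link now
    return bank.authorize("tok-1"), bank.authorize("tok-1", recurring=True)


if __name__ == "__main__":
    print("flawed   :", scenario(False, False))  # (True, True)
    print("hardened :", scenario(True, False))   # (False, False)
    print("recurring:", scenario(True, True))    # (False, True)
```

The three scenarios show why blocking the physical card is not enough on its own: only when the issuer ties token revocation to the card's state does the digital twin stop working, and a recurring-payment carve-out re-opens exactly the gap the article describes.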
The researchers reported their findings to several American banks, such as Chase, AMEX, and Citi, in April of this year. Digital wallet providers were also notified. Some banks said they had since fixed the vulnerabilities, and Google also indicated it had taken action. No response was forthcoming from AMEX, Bank of America, US Bank, Apple, and PayPal. Whether such abuse is or has been possible in Europe has not been investigated.
The researchers suggest that users of digital wallets should turn on push notifications so they see immediately when a purchase is taking place. They also recommend authenticator apps such as Google Authenticator over one-time codes sent by text message. Banks should additionally monitor recurring payments more strictly.