Researchers have found that leading digital wallets such as Apple Pay, Google Pay and PayPal could be used to make fraudulent purchases using stolen and blocked payment cards.
By adding the card to a digital wallet, criminals can exploit vulnerabilities in the authentication, authorization and access control mechanisms of major digital wallet apps and US banks.
Security experts disclosed the flaw at USENIX Security 2024 and, in the accompanying research paper, outlined plausible scenarios in which the victim's full name (already printed on the card) and the victim's address are enough to authenticate a card added to a digital wallet.
The possible scenario
The process works if the attacker chooses knowledge-based authentication (KBA) instead of multi-factor authentication (MFA) such as a one-time password sent via email, SMS, or phone call. Some KBA systems don't even require multiple data points: many ask only for a zip code, billing address, date of birth, or the last four digits of a social security number. Once this information is obtained, the fraudster can freely make purchases with the digital card.
To make matters worse, blocking or cancelling the card does not necessarily stop this. When a card is authenticated, the bank issues a token that authorizes purchases and is stored in the digital wallet. Because that token outlives the card, the wallet can be relinked to the replacement card once one is reissued, so the criminal keeps a working payment credential.
Recurring transactions can also be used to exploit the victim: purchases marked as "recurring" are processed even if the card is blocked.
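The three weaknesses above (KBA-only provisioning, tokens that survive a card block and get rebound to the replacement, and recurring transactions that bypass the block) are all issuer-side policy decisions. The following is an added example, not code from the article or from the USENIX paper: a minimal Python model of an issuer's token lifecycle in which the same sequence of events is run once under the weak policy the article describes and once under a hardened policy that requires MFA to provision, revokes tokens when the card is blocked, refuses to rebind revoked tokens to a replacement, and applies the block to recurring transactions too. The `Issuer`, `Card` and `WalletToken` names, and the sample card, are constructed for illustration and do not correspond to any real wallet or bank API.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verification(Enum):
    KBA = "kba"  # knowledge-based: name, address, zip, last four of SSN
    MFA = "mfa"  # one-time password sent to the cardholder's registered channel


@dataclass
class Card:
    ref: str               # constructed card reference, not a real PAN
    holder: str
    blocked: bool = False
    replacement: Optional["Card"] = None


@dataclass
class WalletToken:
    token_id: str
    card: Card
    verified_with: Verification
    active: bool = True


class Issuer:
    """Hypothetical issuer-side token lifecycle. hardened=False reproduces the
    weak behaviour described in the article; hardened=True applies mitigations."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.tokens: dict[str, WalletToken] = {}
        self._seq = 0

    def provision(self, card: Card, verified_with: Verification) -> Optional[WalletToken]:
        # Weak policy accepts KBA; hardened policy requires MFA and a live card.
        if card.blocked or (self.hardened and verified_with is not Verification.MFA):
            return None
        self._seq += 1
        tok = WalletToken(f"tok-{self._seq}", card, verified_with)
        self.tokens[tok.token_id] = tok
        return tok

    def block_card(self, card: Card) -> int:
        """Block a card. Hardened policy also revokes every token bound to it
        and returns how many were revoked (weak policy revokes none)."""
        card.blocked = True
        revoked = 0
        if self.hardened:
            for tok in self.tokens.values():
                if tok.card is card and tok.active:
                    tok.active = False
                    revoked += 1
        return revoked

    def reissue(self, old: Card) -> Card:
        """Issue a replacement card. Weak policy silently rebinds surviving
        tokens to it; hardened policy leaves them revoked so the wallet must
        re-provision with fresh MFA."""
        new = Card(ref=old.ref + "-R", holder=old.holder)
        old.replacement = new
        if not self.hardened:
            for tok in self.tokens.values():
                if tok.card is old and tok.active:
                    tok.card = new
        return new

    def authorize(self, token_id: str, recurring: bool = False) -> bool:
        """Decide a purchase. Weak policy lets 'recurring' purchases through
        on a blocked card; hardened policy checks card status for every purchase."""
        tok = self.tokens.get(token_id)
        if tok is None or not tok.active:
            return False
        if tok.card.blocked:
            return recurring and not self.hardened
        return True


def run_scenario(hardened: bool) -> dict:
    """Walk the sequence of events from the article and record each outcome."""
    issuer = Issuer(hardened)
    card = Card(ref="card-1234", holder="A. Cardholder")  # constructed sample
    tok = issuer.provision(card, Verification.KBA)
    out = {"kba_provisioned": tok is not None}
    if tok is None:
        # Hardened issuer refused KBA; the legitimate holder passes MFA instead.
        tok = issuer.provision(card, Verification.MFA)
    out["purchase_before_block"] = issuer.authorize(tok.token_id)
    out["tokens_revoked_on_block"] = issuer.block_card(card)
    out["recurring_after_block"] = issuer.authorize(tok.token_id, recurring=True)
    issuer.reissue(card)
    out["purchase_after_reissue"] = issuer.authorize(tok.token_id)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak    ", run_scenario(mode))
```

Under the weak policy every step succeeds for the attacker's wallet: the KBA-provisioned token keeps authorizing recurring purchases after the block and ordinary purchases after the reissue. Under the hardened policy the KBA attempt is refused, the block revokes the token, and nothing is rebound to the replacement card. The useful detection signal for an issuer is the `tokens_revoked_on_block` count together with any authorization attempt on a revoked token, since a legitimate cardholder re-provisions with MFA rather than continuing to use the old token.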
In the age of data theft, especially the recent National Public Data incident that potentially exposed the personal information of billions of people, it is easier than ever to obtain this kind of verifiable information.
Although banks have reported that the vulnerabilities have been fixed and these types of attacks are no longer possible, it is always important to remain vigilant – and for anyone who is concerned, we have the best credit card fraud detection platforms available.
Via The Register