Digital wallets allow for the use of stolen credit cards
Even cancelled cards can pose risks to unsuspecting victims, report claims
Researchers have discovered that leading digital wallets such as Apple Pay, Google Pay, and PayPal could be used to carry out fraudulent purchases using stolen and cancelled payment cards.
By adding the card to a digital wallet, criminals can exploit the flaw in the authentication, authorization, and access control mechanisms of major digital wallet apps and US banks alike.
Security academics exposed the fault at USENIX Security 2024, and in a research paper outlined plausible scenarios in which a victim's full name (which is already printed on the card) and address can be used to authenticate a card added to the digital wallet.
The potential scenario
The process can be carried out if the attacker chooses knowledge-based authentication (KBA) instead of multi-factor authentication (MFA), such as a one-time password sent by email, text, or call. Some KBA schemes don't even require multiple data points: many only need a zip code, billing address, date of birth, or last four digits of a Social Security number. Once this is acquired, the fraudster can freely make purchases with the digital card.
To make matters worse, cancelling or blocking the card does not necessarily stop this. When a card is authenticated, the bank issues a token which authorizes purchases and is stored in the digital wallet, so criminals can reassociate the wallet with the replacement card once it is reissued.
Recurring transactions can also be used to exploit the victim, with purchases labelled ‘recurring’ processed even if the card is locked.
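The three issuer-side conditions described above, modelled side by side with a stricter policy. This is an added example, not code from the researchers, the banks or the wallet vendors: the `Issuer` class, its method names, the placeholder card numbers and the hardened policy are all assumptions made for illustration, since the article does not say how the banks resolved the flaws.

```python
from dataclasses import dataclass, field

MFA = {"otp_sms", "otp_email", "otp_call"}  # one-time password channels named in the article
KBA = {"kba"}  # zip code, billing address, date of birth, SSN last four

@dataclass
class Card:
    pan: str  # constructed placeholder, not a real card number
    locked: bool = False
    cancelled: bool = False

@dataclass
class Issuer:
    hardened: bool  # False = behaviour the article describes; True = assumed fix
    tokens: dict = field(default_factory=dict)  # wallet token id -> Card

    def provision(self, token_id, card, method):  # add a card to a wallet
        if method not in MFA | KBA or card.cancelled:
            return False
        if self.hardened and (method in KBA or card.locked):
            return False  # assumed policy: no KBA fallback, no provisioning of locked cards
        self.tokens[token_id] = card
        return True

    def reissue(self, old, new_pan):
        old.cancelled = True
        new = Card(new_pan)
        for tid in [t for t, c in self.tokens.items() if c is old]:
            if self.hardened:
                del self.tokens[tid]  # assumed policy: revoke, wallet must re-provision with MFA
            else:
                self.tokens[tid] = new  # token follows the replacement card
        return new

    def authorize(self, token_id, recurring=False):
        card = self.tokens.get(token_id)
        if card is None or card.cancelled:
            return False
        return not card.locked or (recurring and not self.hardened)  # weak: 'recurring' skips the lock

def run_scenario(hardened):
    """Replay the article's three conditions against one issuer policy."""
    issuer, card = Issuer(hardened), Card("PAN-OLD")
    out = {"kba_provision": issuer.provision("tok1", card, "kba")}
    issuer.provision("tok2", card, "otp_sms")  # cardholder's own MFA-provisioned wallet
    card.locked = True
    out["recurring_while_locked"] = issuer.authorize("tok2", recurring=True)
    issuer.reissue(card, "PAN-NEW")
    out["old_token_after_reissue"] = issuer.authorize("tok1")
    return out
```

`run_scenario(False)` reports all three conditions as accepted, and `run_scenario(True)` reports all three as refused; an issuer's fraud or QA team can use the same three checks as regression tests against a staging environment.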
In the age of data breaches, most notably the recent National Public Data incident which potentially exposed the personal information of billions of people, the information used for verification is easier than ever to obtain.
Whilst banks have reported that the flaws have been resolved and that this type of attack is no longer possible, staying vigilant is always important, and for anyone concerned, we've reviewed the best credit card fraud detection platforms available.
Via The Register
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.