Digital wallets allow for the use of stolen credit cards


Researchers have discovered leading digital wallets such as Apple Pay, Google Pay, and PayPal could be used to carry out fraudulent purchases using stolen and cancelled payment cards.

By adding the card to a digital wallet, criminals can exploit flaws in the authentication, authorization, and access control mechanisms of major digital wallet apps and US banks alike.

Security academics exposed the fault at USENIX Security 2024, and in a research paper outlined plausible scenarios in which a victim's full name (which is already printed on the card) and address can be used to authenticate a card added to the digital wallet.

The potential scenario

The process can be carried out if the attacker chooses knowledge-based authentication (KBA) instead of multi-factor authentication (MFA), such as a one-time password sent by email, text, or call. Some KBA schemes don't even require multiple data points - many only need a zip code, billing address, date of birth, or last four digits of a social security number. Once this is acquired, the fraudster can freely make purchases with the digital card.

To make matters worse, cancelling or blocking the card does not necessarily stop this. When a card is authenticated, the bank issues a token which authorizes purchases and is stored in the digital wallet, so criminals can reassociate the wallet with the replacement card once it is reissued.

Recurring transactions can also be used to exploit the victim, with purchases labelled ‘recurring’ processed even if the card is locked.
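
The token and lock behaviour described in the two paragraphs above, as a simplified issuer-side model (an added example, not code from the research paper or from any bank or wallet). The `Issuer` class, its `hardened` switch, and the card and token names are hypothetical; the hardened policy is an assumption about what a fix could look like: refuse KBA-only enrolment, revoke tokens on reissue, and ignore the 'recurring' label on a locked card.

```python
from dataclasses import dataclass, field
@dataclass
class Token:
    card_id: str
    active: bool = True

@dataclass
class Issuer:
    hardened: bool                       # hypothetical policy switch
    locked: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)

    def provision(self, token_id, card_id, auth_method):
        # Hardened (assumption): wallet enrolment requires MFA, never KBA alone.
        if self.hardened and auth_method != "MFA":
            return False
        self.tokens[token_id] = Token(card_id)
        return True

    def lock_card(self, card_id):
        self.locked.add(card_id)

    def reissue(self, old_card, new_card):
        self.locked.add(old_card)
        for tok in self.tokens.values():
            if tok.card_id == old_card:
                if self.hardened:
                    tok.active = False      # revoke; wallet must enrol again
                else:
                    tok.card_id = new_card  # token follows the replacement card

    def authorize(self, token_id, recurring=False):
        tok = self.tokens.get(token_id)
        if tok is None or not tok.active:
            return False
        if tok.card_id in self.locked:
            # Described behaviour: the 'recurring' label bypasses the lock.
            return recurring and not self.hardened
        return True

def scenario(hardened, auth_method):
    """Constructed sequence: enrol, lock the card, then reissue it."""
    issuer = Issuer(hardened)
    enrolled = issuer.provision("tok-1", "card-A", auth_method)
    issuer.lock_card("card-A")
    recurring_while_locked = issuer.authorize("tok-1", recurring=True)
    one_off_while_locked = issuer.authorize("tok-1")
    issuer.reissue("card-A", "card-B")
    return enrolled, recurring_while_locked, one_off_while_locked, issuer.authorize("tok-1")
```

`scenario(False, "KBA")` reproduces the reported outcome: the lock stops a one-off purchase, but not a recurring one, and the token works again once the replacement card exists.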

In the age of data breaches, most notably the recent National Public Data incident which potentially exposed the personal information of billions of people, the information used for verification is easier than ever to obtain.

Whilst banks have reported that the flaws have been resolved and that this type of attack is no longer possible, staying vigilant is always important - and for anyone concerned, we've reviewed the best credit card fraud detection platforms available.

Via The Register


Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
