Researchers have discovered leading digital wallets such as Apple Pay, Google Pay, and PayPal could be used to carry out fraudulent purchases using stolen and cancelled payment cards.
By adding the card to a digital wallet, criminals can exploit flaws in the ‘authentication, authorization, and access control mechanisms’ of major digital wallet apps and US banks alike.
Security academics presented the flaw at USENIX Security 2024, and in a research paper outlined plausible scenarios in which a victim’s full name (which is already printed on the card) and address can be used to authenticate a card added to a digital wallet.
The potential scenario
The process works if the attacker chooses knowledge-based authentication (KBA) instead of multi-factor authentication (MFA), such as a one-time password sent by email, text, or call. Some KBA schemes don’t even require multiple data points: many need only a zip code, billing address, date of birth, or the last four digits of a social security number. Once this information is acquired, the fraudster can freely make purchases with the digital card.
To make matters worse, cancelling or blocking the card does not necessarily stop this: when a card is authenticated, the bank issues a token that authorizes purchases and is stored in the digital wallet, so criminals can reassociate the wallet with the replacement card once it is reissued.
Recurring transactions can also be used to exploit the victim, with purchases labelled ‘recurring’ processed even if the card is locked.
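The three weaknesses described above, modelled as an added example (not code from the paper, the wallets, or any bank): a toy issuer's token-authorization logic with the weak behaviour beside the hardened one. Card identifiers and the flow are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Token:
    pan: str            # card the wallet token is currently bound to
    active: bool = True

class Issuer:
    """Toy issuer-side token authorization; harden=True applies the three fixes."""
    def __init__(self, harden: bool):
        self.harden = harden
        self.cards: dict[str, str] = {}     # pan -> "active" | "locked" | "cancelled"
        self.tokens: dict[str, Token] = {}
    def provision(self, token_id: str, pan: str, auth: str) -> bool:
        if self.harden and auth != "mfa":   # fix 1: KBA alone is not enough to enrol
            return False
        self.tokens[token_id] = Token(pan)
        return True
    def cancel_and_reissue(self, old_pan: str, new_pan: str) -> None:
        self.cards[old_pan] = "cancelled"
        self.cards[new_pan] = "active"
        for tok in self.tokens.values():
            if tok.pan == old_pan:
                if self.harden:
                    tok.active = False      # fix 2: the token dies with the card
                else:
                    tok.pan = new_pan       # weak: token silently follows the replacement
    def authorize(self, token_id: str, recurring: bool = False) -> bool:
        tok = self.tokens.get(token_id)
        if tok is None or not tok.active:
            return False
        status = self.cards[tok.pan]
        if status == "cancelled":
            return False
        if status == "locked":
            return recurring and not self.harden   # fix 3: a lock covers recurring too
        return True

def run_scenario(harden: bool) -> dict:
    """Replay the article's scenario; reports whether each risky step succeeds."""
    bank = Issuer(harden)
    bank.cards["card-old"] = "active"       # constructed sample card
    kba_ok = bank.provision("tok", "card-old", "kba")
    if not kba_ok:                          # hardened path: owner enrols with MFA instead
        bank.provision("tok", "card-old", "mfa")
    bank.cards["card-old"] = "locked"
    locked_recurring = bank.authorize("tok", recurring=True)
    bank.cancel_and_reissue("card-old", "card-new")
    after_reissue = bank.authorize("tok")
    return {"kba_enrol": kba_ok, "locked_recurring": locked_recurring, "after_reissue": after_reissue}
```

With `harden=False` every step succeeds; with `harden=True` each of the three is refused.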
In the age of data breaches, most notably the recent National Public Data incident, which potentially exposed the personal information of billions of people, the information needed to pass such verification is easier than ever to obtain.
Whilst banks have reported that the flaws have been resolved and that this type of attack is no longer possible, staying vigilant is always important, and for anyone concerned, we’ve reviewed the best credit card fraud detection platforms available.
Via The Register