Digital wallets allow stolen credit cards to be used
Researchers have discovered that leading digital wallets such as Apple Pay, Google Pay, and PayPal can be used to make fraudulent purchases using stolen and canceled debit cards.
By adding the card to a digital wallet, criminals can exploit flaws in the authentication, authorization, and access control mechanisms of major digital wallet apps and US banks.
Security scientists exposed the flaw at USENIX Security 2024 and, in a research paper, outlined plausible scenarios in which a victim's full name (already printed on the card) and address could be used to verify a card added to the digital wallet.
The potential scenario
The process can be accomplished if the attacker opts for knowledge-based authentication (KBA) instead of multi-factor authentication (MFA), such as a one-time password sent by email, SMS, or phone. Some KBA schemes don't even require multiple data points: many only require a zip code, billing address, date of birth, or the last four digits of a social security number. Once this is obtained, the fraudster can freely make purchases using the digital card.
To make matters worse, blocking or canceling the card doesn’t necessarily stop the process. When a card is authenticated, the bank issues a token that authorizes purchases. This token is stored in the digital wallet, so criminals can reconnect the wallet to the replacement card once it’s reissued.
Recurring transactions can also be used to exploit the victim. Purchases labeled “recurring” will be processed even if the card is blocked.
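The three behaviours described above (KBA provisioning, a token that follows the card to its replacement, and the "recurring" label) can be modelled on the issuer side with the weak policy beside a hardened one. This is an added example, not code from the researchers or any bank; the class, method, and policy names are assumptions, and the card and token identifiers are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical model; names and the policy flag are assumptions for illustration.
@dataclass
class Token:
    card_id: str
    active: bool = True

@dataclass
class Issuer:
    hardened: bool
    cards: dict = field(default_factory=dict)    # card_id -> "active" | "locked"
    tokens: dict = field(default_factory=dict)   # token_id -> Token

    def provision(self, token_id, card_id, auth_method):
        """Add a card to a wallet; auth_method is "KBA" or "MFA"."""
        if self.cards.get(card_id) != "active":
            return False
        if self.hardened and auth_method != "MFA":
            return False          # static facts (ZIP, address, DOB) are not enough
        self.tokens[token_id] = Token(card_id)
        return True

    def replace_card(self, old_id, new_id, reported_stolen):
        """Lock the old card and issue a replacement."""
        self.cards[old_id], self.cards[new_id] = "locked", "active"
        for tok in self.tokens.values():
            if tok.card_id != old_id:
                continue
            if self.hardened and reported_stolen:
                tok.active = False        # wallet must authenticate again
            else:
                tok.card_id = new_id      # token follows the card to its replacement

    def authorize(self, token_id, recurring=False):
        tok = self.tokens.get(token_id)
        if tok is None or not tok.active:
            return False
        if recurring and not self.hardened:
            return True                   # weak: merchant-set label skips the lock check
        return self.cards.get(tok.card_id) == "active"

def scenario(hardened):
    """Constructed walk-through: wallet A is the cardholder's, wallet B is added via KBA."""
    bank = Issuer(hardened, cards={"card-1": "active"})
    owner_ok = bank.provision("tok-A", "card-1", "MFA")
    kba_ok = bank.provision("tok-B", "card-1", "KBA")
    bank.replace_card("card-1", "card-2", reported_stolen=True)
    return owner_ok, kba_ok, bank.authorize("tok-B"), bank.authorize("tok-B", recurring=True)
```

With the weak policy, `scenario(False)` returns `(True, True, True, True)`: the KBA-provisioned wallet keeps working after the card is replaced. With the hardened policy, `scenario(True)` returns `(True, False, False, False)`.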
In the age of data breaches, especially the recent National Public Data incident that may have exposed the personal data of billions of people, it is easier than ever to verify the information.
While banks have reported that the flaws have been fixed and that these types of attacks are no longer possible, it is always important to remain vigilant. For anyone who is concerned, we have the best credit card fraud detection platforms available.
Via The Register