Stolen payment cards, even ones the cardholder has since cancelled or replaced, can still be used to make purchases through digital wallets such as Google Pay, PayPal and Apple Pay. Several flaws responsibly disclosed last year allow an attacker holding only limited personal information about the cardholder to add the card to their own wallet and keep using it after the card has been replaced or cancelled.
The flaws lie in the authentication, authorisation and access-control steps shared between widely used digital wallets and US banks, and they allow unauthorised transactions. A group of academic security researchers, Raja Hasnain Anwar and Muhammad Taqi Raza of the University of Massachusetts Amherst and Syed Rafiul Hussain of Pennsylvania State University, presented their paper, titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping,” last week at the USENIX Security 2024 conference.
The paper demonstrated how threat actors can exploit certain vulnerabilities to add stolen cards to their digital wallets and use them, regardless of whether the original card holder has closed or replaced it. “An attacker adds the victim’s bank card into their (attacker’s) wallet by exploiting the authentication method agreement procedure between the wallet and the bank,” the research paper stated.
Once the attacker knows the cardholder’s billing address, they try adding the stolen card to several wallets. Each wallet supports a different set of verification methods, so the attacker picks one that will verify the card with nothing more than the billing address or ZIP code.
The attack scenario assumes the cardholder notices the theft only after the card is already in the attacker’s wallet, and then locks it or asks the bank for a replacement. Neither step affects the attacker’s wallet, which can continue to make transactions. The scenario also assumes that the card had not been cancelled, and its primary account number (PAN) had not been reported as compromised, before the attacker added it.
To get the card into a wallet, the attacker steers the authentication method agreement between the wallet and the issuing bank towards the weakest option on offer: knowledge-based authentication (KBA) rather than a one-time password (OTP) delivered by SMS, voice call or email.
Banks let the cardholder choose the verification method, for convenience. Even the nominally stronger options can degrade to KBA: the “call the bank” option, for instance, verifies the caller by asking for the cardholder’s date of birth and Social Security number, so an attacker who already holds those details can pass it.
Such details are not trivial to obtain, but past breaches that leaked Social Security numbers in bulk show that it is possible. Cancelling the card does not help either. When the card is verified, the bank issues a payment token, stored in the wallet, that authorises transactions on the card’s behalf. That token is not refreshed or revoked when the card is replaced; instead, the bank links the existing token to the new card, so the attacker’s wallet keeps working.
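To make the two issuer-side behaviours described above concrete, here is an added illustration in Python. It is not code from the paper, nor from any wallet or bank; the class and function names, the advertised method list, the sample card and the “attacker’s knowledge” are all constructed assumptions, and real payment tokenisation is far more involved than a dictionary lookup. The model shows the method-agreement step, in which the wallet side can select the weakest verification method the bank advertises, and the token binding that either silently follows a replacement card (the behaviour the paper reports) or is revoked so the wallet must re-verify (the obvious hardening, assumed here, not taken from the paper).

```python
"""Toy issuer model: method agreement and token lifecycle on card replacement.

Constructed example; Issuer, Wallet-side helpers and all data are hypothetical.
"""
from dataclasses import dataclass, field
import secrets

# Constructed sample data. The attacker holds the card number, expiry and
# billing ZIP (e.g. from a breach or social media) but not the phone or DOB.
VICTIM_CARD = {"pan": "4111111111111111", "exp": "12/27",
               "zip": "01003", "dob": "1990-01-01"}
ATTACKER_KNOWS = {"pan": "4111111111111111", "exp": "12/27", "zip": "01003"}


@dataclass
class Issuer:
    cards: dict                                   # pan -> card record
    tokens: dict = field(default_factory=dict)    # token -> pan it is bound to
    relink_on_replace: bool = True                # True = behaviour the paper reports

    def auth_methods(self, pan):
        # What the bank advertises for this card during method agreement.
        # Assumed list; "kba_zip" is the knowledge-based option.
        return ["sms_otp", "call", "kba_zip"]

    def verify(self, pan, method, proof):
        card = self.cards[pan]
        if not card["active"]:
            return False
        if method == "kba_zip":                   # KBA: only the billing ZIP
            return proof.get("zip") == card["zip"]
        if method == "call":                      # phone option degrades to KBA (DOB)
            return proof.get("dob") == card["dob"]
        if method == "sms_otp":                   # needs the one-time code
            return proof.get("otp") is not None and proof["otp"] == card.get("_otp")
        return False

    def provision_token(self, pan, method, proof):
        if not self.verify(pan, method, proof):
            raise PermissionError("verification failed")
        token = "tok_" + secrets.token_hex(8)
        self.tokens[token] = pan
        return token

    def authorise(self, token):
        pan = self.tokens.get(token)
        return pan is not None and self.cards[pan]["active"]

    def replace_card(self, old_pan, new_pan):
        self.cards[old_pan]["active"] = False
        self.cards[new_pan] = {**self.cards[old_pan], "pan": new_pan, "active": True}
        for tok, pan in list(self.tokens.items()):
            if pan == old_pan:
                if self.relink_on_replace:
                    self.tokens[tok] = new_pan    # vulnerable: token follows the card
                else:
                    del self.tokens[tok]          # hardened: wallet must re-verify


def weakest_method(methods):
    """Attacker's pick during method agreement: prefer KBA, then call, then OTP."""
    preference = ["kba_zip", "call", "sms_otp"]
    return next(m for m in preference if m in methods)


def run_attack(relink_on_replace):
    """Returns (method chosen, authorised before replacement, authorised after)."""
    issuer = Issuer(cards={VICTIM_CARD["pan"]: {**VICTIM_CARD, "active": True}},
                    relink_on_replace=relink_on_replace)
    pan = VICTIM_CARD["pan"]
    method = weakest_method(issuer.auth_methods(pan))
    token = issuer.provision_token(pan, method, ATTACKER_KNOWS)
    before = issuer.authorise(token)
    issuer.replace_card(pan, "4111111111111234")  # victim gets a new card
    after = issuer.authorise(token)
    return method, before, after


if __name__ == "__main__":
    print("relink (reported behaviour):", run_attack(True))   # token still works
    print("revoke (hardened):          ", run_attack(False))  # token dead after replacement
```

The interesting line is the branch in `replace_card`: with the same verification weakness up front, whether the victim’s replacement helps depends entirely on whether the issuer re-binds or revokes outstanding wallet tokens. A bank that also wants to close the front door would stop advertising `kba_zip` as a standalone method, which `weakest_method` would then be unable to select.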
The paper adds that Google is working with banks to address the reported Google Pay flaws, and that the banks involved say the attack path described is no longer possible.