Stolen, locked payment cards can be used with digital wallet apps
Fraudsters can add stolen payment cards to digital wallet apps and continue making online purchases even after victims’ report the card stolen and the bank blocks it, computer engineers with University of Massachusetts Amherst and Pennsylvania State University have discovered.
Convenience > security
Different users can add the same card to different digital wallets on different mobile devices. The feature is exists to make it easier to share a card within a family, but can be easily exploited by malicious individuals.
Adding the card to a different wallet and making fraudulent purchases is made possible by the trust banks have in the digital wallet apps’ security mechanisms.
Banks rely on the app to chose the authentication scheme (usually the weaker, knowledge-based one) to authorize the linking of the card with the app, and the rely on in-device biometric verification methods to identify the cardholder authorizing the transactions (but it assumes that the owner of the phone is the cardholder).
Finally, the banks allow payments for subscription-based services even on lost / stolen cards so that the cardholder doesn’t incur late payment fees / penalties. Fraudsters can make one-time transactions but mark it as a recurring payment, thus bypassing the bank’s transaction authorization restrictions.
“Any malicious actor who knows the [physical] card number can pretend to be the cardholder,” Taqi Raza, assistant professor of electrical and computer engineering at UMass Amherst, pointed out. “The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.”
Authentication methods used in different wallets (Source: UMass Khwarizmi Lab)
As an added drawback, once stolen card numbers are saved in a fraudster’s digital wallet, they are there and will continue to work even if the cardholder requests a card replacement and the bank issues a new card.
“Banks do not re-authenticate the cards stored in the wallet. What they do is they simply change the virtual number mapping to the new physical card number,” Raza explained. Thus, fraudulent purchases continue to go through.
Advice for banks
The only potential barier to adding a stolen card to a new wallet app is if the victim locks the card before that can be done. Barring that, the attackers can covertly make fraudulent purchases that can ultimately only be recognized and disputed by the victim.
The scientists tested the various scenarios with cards issued by major US financial institutions (Chase, AMEX, Bank of America, Discover, US Bank and Citi) and three popular digital wallet apps: Apple Pay, Google Pay, and PayPal.
They advised banks not to rely on the wallet apps and their preferred legacy authentication methods when it comes to adding cards into wallets. They suggest using push notifications or passcodes.
Banks should also periodically re-authenticate the wallet and refresh the payment token issued to it, especially after events like card loss. And, finally, banks should evaluate the metadata of transactions so they can “see” whether a payment is one-time or recurring (and not rely on merchants for that info).
The researchers shared their findings with those companies and some have sprung into action.
“We received responses from Google, Citi, Chase, and Discover. At the time of writing this paper, Google is working with the banks from its end to address the reported issues on Google Pay,” they said.
“The banks, however, reported to us that the disclosed attacks are not possible anymore. Chase confirmed that additional fraud detection and transaction limitation measures have been put in place to address the reported vulnerabilities; Citi and Discover, however, did not disclose the specific mitigation measures to us. We did not yet receive responses from AMEX, BoA, US Bank, Apple, and PayPal.”
UPDATE (August 19, 2024, 02:45 p.m. ET):
“One of our collaborators was a direct victim of this. They locked the card after it went missing but someone kept on making the payments on the card. This paper is the outcome of our research into how this was possible,” Raja Hasnain Anwar, doctoral candidate in electrical and computer engineering at UMass Amherst, told Help Net Security.
“On a larger scale, we are not aware of how widespread this attack method is, but we can certainly confirm that there are some attackers who use this.”
He pointed out that anyone can be an attacker if they know the cardholder’s billing address, date of birth, or last four digits of ID – and these details are very easy to acquire through online databases.
“We have verified that it is now harder to add cards to new devices as most wallets are using MFA instead of KBA. Chase connected us with their red team to understand the attacker better and AMEX also confirmed that our threat report was valid and they were working to fix the issues. However, no bank or wallet has communicated the exact steps they took to solve the issues,” he added.
Consumers should be regularly checking their credit card statements, but they should also go in to their bank’s web portal or mobile app account settings and switch on email notifications for when a card is added/removed from the wallet and when a transaction goes through. Some banks allow customers to monitor which devices (and wallets) are actively using the card.
“These security settings are often not easy to find. At least the people I talked to, didn’t know about these settings, and they are security researchers who take their financial security seriously,” Anwar said.
“So, we also encourage the banks to make these settings easy to locate and educate their customers about the proper security mechanisms.”