Security flaw allows stolen credit card use on digital wallets
A recent study has shown that popular digital wallets such as Apple Pay, Google Pay, and PayPal could be used to conduct transactions with stolen credit cards. The research was conducted by a team of cybersecurity experts including Raja Hasnain Anwar and Muhammad Taqi Raza from the University of Massachusetts Amherst, and Syed Rafiul Hussain from Penn State. Their findings were presented in a paper titled "In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping."
Researchers expose vulnerabilities in digital wallet security
The researchers uncovered critical vulnerabilities in the security protocols of major digital wallet apps and US banks. They demonstrated how attackers could exploit weaknesses in authentication, authorization, and access control mechanisms to add stolen credit cards to their own digital wallets and make unauthorized purchases. The study's lead author, Anwar, outlined a potential attack scenario where a thief, armed with a stolen credit card, could use publicly accessible databases to locate the victim's address, facilitating fraudulent transactions.
Attackers can bypass multi-factor authentication
The researchers highlighted that an attacker could bypass multi-factor authentication (MFA) by opting for a knowledge-based authentication (KBA) scheme. This involves choosing the 'call-based' option to add the card to their wallet, where they supply KBA-related information such as date of birth or the last four digits of a Social Security number. Some KBA schemes require only a single data point, such as billing ZIP code, billing street address, date of birth, or the last four digits of a Social Security number.
Token authorization allows continued access to stolen cards
The researchers found that canceling a stolen card does not prevent its use in digital wallets. When a card is authenticated, the bank issues a token authorizing purchases, which is stored in the digital wallet. This token remains active even if the original card is canceled and replaced, allowing attackers to continue using it for transactions. The study also revealed that banks do not require point-of-sale terminals in stores to verify the identity of the cardholder, further compounding this issue.
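The token-lifecycle problem described above can be made concrete with a small model of an issuer's card and token records. This is an added illustration written for this article, not code from the paper or from any wallet or bank; the `Issuer` class, its `bind_tokens_to_card` policy switch, and the placeholder card numbers are all constructed assumptions. The point it demonstrates is that once the wallet holds a token, the point of sale only ever sees the token, so the only place a canceled card can be enforced is when the issuer cancels it.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Card:
    pan: str                 # primary account number (constructed placeholders below)
    status: str = "active"   # active | canceled


@dataclass
class WalletToken:
    token_id: str
    pan: str                 # the card this token was provisioned against
    status: str = "active"   # active | revoked


class Issuer:
    """Constructed model of an issuer's token service (not any real issuer's API)."""

    def __init__(self, bind_tokens_to_card: bool) -> None:
        # Assumed policy switch. False reproduces the behaviour the study
        # describes: wallet tokens outlive the card they were issued for.
        self.bind_tokens_to_card = bind_tokens_to_card
        self.cards: dict[str, Card] = {}
        self.tokens: dict[str, WalletToken] = {}

    def issue_card(self, pan: str) -> Card:
        card = Card(pan)
        self.cards[pan] = card
        return card

    def provision_token(self, pan: str) -> str:
        # Called once the wallet has authenticated the card. From here on the
        # wallet presents the token, never the PAN, at the point of sale.
        if self.cards[pan].status != "active":
            raise ValueError("cannot provision a token for an inactive card")
        token_id = secrets.token_hex(8)
        self.tokens[token_id] = WalletToken(token_id, pan)
        return token_id

    def cancel_and_replace(self, old_pan: str, new_pan: str) -> Card:
        self.cards[old_pan].status = "canceled"
        if self.bind_tokens_to_card:
            # Hardened behaviour: every token tied to the canceled card dies with it.
            for tok in self.tokens.values():
                if tok.pan == old_pan:
                    tok.status = "revoked"
        return self.issue_card(new_pan)

    def authorize(self, token_id: str, amount_cents: int) -> bool:
        # Mirrors the study's observation that the terminal does not verify the
        # cardholder: the token alone decides whether the purchase goes through.
        tok = self.tokens.get(token_id)
        return tok is not None and tok.status == "active"


def purchase_after_cancel(bind_tokens_to_card: bool) -> bool:
    """Tokenize a card into a wallet, cancel and replace the card, then present
    the old wallet token at a point of sale. Returns whether it was authorized."""
    issuer = Issuer(bind_tokens_to_card)
    issuer.issue_card("4000-0000-0000-0001")                       # constructed PAN
    token = issuer.provision_token("4000-0000-0000-0001")
    issuer.cancel_and_replace("4000-0000-0000-0001", "4000-0000-0000-0002")
    return issuer.authorize(token, 4999)


if __name__ == "__main__":
    print("unbound tokens, purchase after cancel:", purchase_after_cancel(False))  # True
    print("bound tokens, purchase after cancel:  ", purchase_after_cancel(True))   # False
```

Run with both settings and the contrast is the whole story: with unbound tokens the authorization succeeds after the card has been canceled and reissued, which is exactly the continued access the researchers describe, while binding token revocation to card cancellation closes it without needing any change at the terminal.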
Recurring transactions and locked cards: A potential for abuse
The study also found that recurring transactions, such as monthly charges, are processed in a way that can be exploited. An attacker can trick a merchant into tagging a transaction as "recurring," which will be processed even if the relevant payment card has been locked. This is because banks allow recurring payments on locked cards to honor contracts between users and merchants, ensuring continuity of subscription services and avoiding negative credit events due to missed payments.
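The recurring-transaction rule can be expressed as an authorization policy so the weakness is visible in code. The following is an added example for this article, not the paper's code or any bank's actual policy: `lenient_policy` encodes the behaviour the study describes (a locked card honours anything the merchant tags as recurring), and `strict_policy` is an assumed mitigation in which the merchant's flag is not trusted on its own and only merchants with an established recurring relationship, recorded while the card was unlocked, are honoured. The card state, merchant identifiers and transactions are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Transaction:
    merchant_id: str
    amount_cents: int
    recurring: bool          # the "recurring" tag as supplied by the merchant


@dataclass
class CardState:
    locked: bool
    # Assumed issuer-side record: merchants with at least one recurring charge
    # approved while the card was unlocked, i.e. a subscription the cardholder
    # actually set up.
    established_recurring: frozenset[str]


def lenient_policy(card: CardState, txn: Transaction) -> bool:
    """Behaviour described in the study: on a locked card, any transaction the
    merchant tags as recurring is processed to keep subscriptions alive."""
    if not card.locked:
        return True
    return txn.recurring


def strict_policy(card: CardState, txn: Transaction) -> bool:
    """Assumed mitigation: the merchant's recurring flag only counts for a
    merchant the issuer already knows as a recurring payee of this card."""
    if not card.locked:
        return True
    return txn.recurring and txn.merchant_id in card.established_recurring


def evaluate(policy: Callable[[CardState, Transaction], bool],
             card: CardState, txns: list[Transaction]) -> list[bool]:
    """Apply a policy to each transaction and return the approve/decline list."""
    return [policy(card, t) for t in txns]


# Constructed sample: a locked card with one genuine subscription on file.
SAMPLE_CARD = CardState(locked=True, established_recurring=frozenset({"streaming-svc"}))
SAMPLE_TXNS = [
    Transaction("streaming-svc", 1299, recurring=True),    # genuine monthly charge
    Transaction("new-merchant", 50000, recurring=True),    # unknown merchant, tagged recurring
    Transaction("new-merchant", 50000, recurring=False),   # ordinary purchase on a locked card
]


def run_sample() -> dict[str, list[bool]]:
    return {
        "lenient": evaluate(lenient_policy, SAMPLE_CARD, SAMPLE_TXNS),
        "strict": evaluate(strict_policy, SAMPLE_CARD, SAMPLE_TXNS),
    }


if __name__ == "__main__":
    for name, decisions in run_sample().items():
        print(f"{name:8s}", decisions)
```

The second transaction is the one that matters: under the lenient policy a merchant the cardholder has never paid gets through a locked card purely by setting a flag, while the strict policy still lets the genuine subscription continue, which is the contractual continuity the banks are trying to preserve, and declines the newcomer.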