Digital wallets can enable purchases with stolen credit cards • The Register

According to academic security researchers, digital wallets such as Apple Pay, Google Pay and PayPal can be used for transactions with stolen and blocked payment cards.

These flaws – some of which have been fixed since responsible disclosure last year – allow an attacker with limited personal information to add an active, stolen payment card number to a digital wallet and make purchases, even if the card is subsequently blocked and replaced.

A group of infosec experts – Raja Hasnain Anwar (UMass Amherst), Syed Rafiul Hussain (Penn State) and Muhammad Taqi Raza (UMass Amherst) – described their findings in a paper presented last week at Usenix Security 2024.

The paper, titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping,” examines “critical deficiencies in the authentication, authorization, and access control mechanisms of major digital wallet apps and U.S. banks,” Anwar, a doctoral student in electrical and computer engineering and lead author, told The Register.

“We show how attackers can exploit these vulnerabilities to add stolen cards to their digital wallets and perform unauthorized transactions.”

“A plausible attack scenario is as follows: An attacker steals a person’s credit card. Using the cardholder’s name (printed on the card), the attacker uses online databases to determine the victim’s address.

“Now the attacker tries to add the card to different digital wallets. Since different wallets use different authentication methods, any wallet that requires an address or zip code for authentication is suitable for the attack.

“Once the attacker adds the card to their wallet, the cardholder can block the card or ask the bank to send a replacement card. This will not affect the attacker’s wallet; the attacker will still have access to the card for transactions.”

The scenario assumes that the attacker has stolen a credit card or obtained the primary account number (PAN) of the stolen card and that the cardholder has not yet blocked it.

The attacker – let’s call her Eve – must first add the stolen card number to her digital wallet. To do so she downgrades the authentication step between the issuing bank and the wallet: she opts for a knowledge-based authentication (KBA) scheme rather than a stronger multi-factor authentication (MFA) scheme, such as a one-time password sent via SMS, email or phone call. Banks often allow the user to make this choice because it is convenient.

“The end user, not the bank, decides which authentication method is used,” the document states. “For example, an attacker can trick the bank into resorting to KBA when MFA is required. This is done by using the ‘call-based’ authentication option. The attacker dials the bank’s automated helpline to add the card to the wallet. The helpline prompts the attacker to provide the KBA-related information: date of birth and the last four digits of the SSN (social security number) associated with the victim’s card.”

Some KBA schemes do not even require both data points; a single one of several possible values is enough: the billing address zip code, the billing address, the date of birth, or the last four digits of the social security number.

The authors acknowledge that obtaining such personal information is usually “non-trivial,” but they argue that such information is often accessible online thanks to people search services, public records, and data dumps.

“The recent SSN leak shows how easy it is to obtain KBA information for such PII-based verification,” Anwar explained, adding, “I know someone who was a victim of such an attack, which actually served as the inspiration for this research study.”

Once the stolen card is added to Eve’s wallet, she can use it to make purchases. Blocking the card won’t help, because when the card was verified the bank issued a payment token that stands in for the card number and is stored in the digital wallet. When the bank reissues the card, the token in the attacker’s wallet is simply re-linked to the replacement card.

“If the user reports the card loss, the bank will block the lost card and issue a new card (with a new personal account number) to the user,” the document said. “However, the associated token will not be updated; instead, the old token is linked to the new PAN.”

In other words, the bank does not check whether the wallet that receives the re-linked token actually belongs to the cardholder.

What makes matters worse is that banks do not require cardholders to prove their identity at point-of-sale terminals in stores: the wallet only authenticates the owner of the device (for example with a PIN or biometric), not the cardholder, and that is treated as sufficient.
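The two issuer-side gaps described above, the user-selectable downgrade to KBA at provisioning time and the silent re-linking of an existing token to the replacement PAN, can be made concrete with a toy model of the issuer. The following is an added illustration written for this page; it is not code from the paper, from any bank or from any wallet provider, and the class names, the `push`/`kba` method names, the proof dictionaries and the policy applied in strict mode are all assumptions made for the demo.

```python
"""Toy model of issuer-side wallet provisioning and card replacement.

Added illustration, not code from the paper or from any bank/wallet.
All identifiers, data structures and the strict-mode policy are assumptions.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Card:
    pan: str
    holder_device: str   # device the cardholder enrolled in the bank app (assumed)
    zip_code: str        # KBA value; obtainable from people-search sites
    blocked: bool = False


@dataclass
class Token:
    value: str
    pan: str
    device: str          # wallet device that holds the token
    active: bool = True


class Issuer:
    def __init__(self, strict: bool = False):
        # strict=False reproduces the behaviour reported in the paper
        self.strict = strict
        self.cards: dict[str, Card] = {}
        self.tokens: dict[str, Token] = {}

    def issue_card(self, pan: str, holder_device: str, zip_code: str) -> None:
        self.cards[pan] = Card(pan, holder_device, zip_code)

    def _verify(self, card: Card, method: str, proof: dict) -> bool:
        if method == "kba":
            return proof.get("zip") == card.zip_code
        if method == "push":
            # push approval must come from the device enrolled with the bank
            return proof.get("push_approved_on") == card.holder_device
        return False

    def provision(self, pan: str, device: str, requested: str, proof: dict):
        """Add a card to a wallet; returns the token value or None."""
        card = self.cards.get(pan)
        if card is None or card.blocked:
            return None
        # Reported gap: the caller picks KBA even though push MFA is available.
        # Strict policy: the issuer picks the method, and it always picks push.
        method = "push" if self.strict else requested
        if not self._verify(card, method, proof):
            return None
        tok = Token(secrets.token_hex(8), pan, device)
        self.tokens[tok.value] = tok
        return tok.value

    def replace_card(self, old_pan: str, new_pan: str) -> None:
        """Cardholder reports loss: block the PAN and issue a replacement."""
        old = self.cards[old_pan]
        old.blocked = True
        self.cards[new_pan] = Card(new_pan, old.holder_device, old.zip_code)
        for tok in self.tokens.values():
            if tok.pan != old_pan:
                continue
            if self.strict and tok.device != old.holder_device:
                # Token sits on a device the cardholder never confirmed:
                # suspend it instead of silently re-linking it.
                tok.active = False
            else:
                tok.pan = new_pan   # reported behaviour: silent re-link

    def authorize(self, token_value: str, amount_cents: int) -> bool:
        tok = self.tokens.get(token_value)
        if tok is None or not tok.active or amount_cents <= 0:
            return False
        return not self.cards[tok.pan].blocked


def attack(strict: bool) -> bool:
    """Eve adds the stolen card via KBA, Alice replaces it, Eve tries to pay."""
    bank = Issuer(strict)
    bank.issue_card("4111111111111111", "alice-phone", "01003")  # constructed data
    eve_token = bank.provision("4111111111111111", "eve-phone", "kba", {"zip": "01003"})
    if eve_token is None:
        return False          # provisioning refused; the attack stops here
    bank.replace_card("4111111111111111", "4111111111112222")
    return bank.authorize(eve_token, 17900)


if __name__ == "__main__":
    print("reported behaviour, purchase approved:", attack(strict=False))
    print("strict issuer, purchase approved:", attack(strict=True))
```

In the lax configuration Eve’s KBA-provisioned token survives the card replacement and still authorizes a purchase; in the strict configuration the issuer refuses to let the caller choose KBA, and any token that somehow exists on a device the cardholder never confirmed is suspended rather than re-linked when the PAN changes.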

The researchers also found that recurring transactions – such as monthly fees – are handled in a way that allows for abuse. Merchants dictate which transactions are recurring, but an attacker can trick the merchant into marking a transaction as “recurring” – and as such it will be processed even if the corresponding payment card has been blocked.

The paper explains a possible scenario:

The researchers report that this also worked on other websites, including Apple.com, where they used a blocked card to “successfully purchase a $25 Apple gift card and $179 AirPods.” Banks allow recurring payments on blocked cards in order to honor the contract between user and merchant, so that subscription services continue and the cardholder suffers no negative credit events for missed subscription payments. However, this special treatment of recurring payments can be abused.
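The recurring-payment abuse described above comes down to the issuer trusting a merchant-supplied flag. The following is an added illustration, not the paper’s code and not any bank’s actual authorization logic; the message fields, the `recurring` flag and the agreement check in the hardened branch are assumptions made for the demo.

```python
"""Toy issuer authorization for recurring vs one-off transactions.

Added illustration, not code from the paper or from any bank.
Fields, the recurring flag and the agreement check are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Txn:
    merchant: str
    pan: str
    amount_cents: int
    recurring: bool      # set by the merchant, as the paper notes
    timestamp: int       # constructed monotonic counter


@dataclass
class CardState:
    blocked_at: Optional[int] = None        # None while the card is active
    history: list = field(default_factory=list)


class Issuer:
    def __init__(self, verify_agreement: bool):
        # verify_agreement=False reproduces the reported behaviour
        self.verify_agreement = verify_agreement
        self.cards: dict[str, CardState] = {}

    def add_card(self, pan: str) -> None:
        self.cards[pan] = CardState()

    def block(self, pan: str, now: int) -> None:
        self.cards[pan].blocked_at = now

    def _has_agreement(self, pan: str, merchant: str, before: int) -> bool:
        """A recurring agreement is only recognised if the cardholder made a
        non-recurring purchase from this merchant while the card was active."""
        return any(t.merchant == merchant and not t.recurring and t.timestamp < before
                   for t in self.cards[pan].history)

    def authorize(self, t: Txn) -> bool:
        state = self.cards[t.pan]
        if state.blocked_at is None:
            ok = True                                   # active card
        elif not t.recurring:
            ok = False                                  # blocked card, one-off purchase
        elif self.verify_agreement:
            ok = self._has_agreement(t.pan, t.merchant, state.blocked_at)
        else:
            ok = True                                   # reported behaviour: trust the flag
        if ok:
            state.history.append(t)
        return ok


def run_scenario(verify_agreement: bool) -> dict:
    """Constructed timeline: a real subscription, then a block, then an attacker
    who marks a one-off purchase as recurring."""
    pan = "4111111111111111"                            # constructed test data
    bank = Issuer(verify_agreement)
    bank.add_card(pan)
    bank.authorize(Txn("streamco", pan, 999, False, 1))  # cardholder signs up
    bank.block(pan, 5)                                    # cardholder reports loss
    return {
        "subscription_renewal": bank.authorize(Txn("streamco", pan, 999, True, 6)),
        "attacker_one_off": bank.authorize(Txn("shop.example", pan, 17900, False, 7)),
        "attacker_flagged_recurring": bank.authorize(Txn("shop.example", pan, 17900, True, 8)),
    }


if __name__ == "__main__":
    print("trust the flag:", run_scenario(verify_agreement=False))
    print("verify agreement:", run_scenario(verify_agreement=True))
```

With the flag trusted, the attacker’s $179 purchase goes through on the blocked card as soon as it is labelled recurring; with the agreement check, the genuine subscription still renews but the attacker’s transaction is declined because no cardholder-initiated purchase from that merchant preceded the block. Card schemes’ stored-credential rules already carry the data for such a check (the merchant is expected to reference the initial cardholder-initiated transaction in later merchant-initiated ones), so the hardening is an issuer-side policy rather than a new protocol.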

The researchers said they disclosed their findings to relevant U.S. banks and digital wallet providers in April 2023. Chase, Citi and Google reportedly responded.

“At the time of writing, Google is working with banks to resolve the reported issues with Google Pay,” the document says. “However, banks have informed us that the disclosed attacks are no longer possible… We have not yet received responses from AMEX, BoA (Bank of America), US Bank, Apple, and PayPal.”

Apple, Google and PayPal did not immediately respond to The Register’s request for comment.

The authors recommend several countermeasures: replacing traditional one-time passwords with app-based authentication, either push notifications (bank app, Duo Mobile, Microsoft Authenticator) or authenticator-app codes (Google Authenticator); using continuous authentication in token management, so that a token is re-validated rather than silently carried over when a card is replaced; and having banks review recurring transactions to ensure they are properly labeled. ®

By Olivia
