Digital Wallets Could Allow Purchases With Stolen Credit Cards • The Register

Digital wallets such as Apple Pay, Google Pay and PayPal can be used to make transactions using stolen and canceled debit cards, according to academic security researchers.

These flaws – some of which have already been addressed since last year’s responsible disclosure – allow an attacker, armed with limited personal information, to add an active stolen payment card number to a digital wallet and make purchases, even if the card is subsequently cancelled and replaced.

A group of infosec experts – Raja Hasnain Anwar (UMass Amherst), Syed Rafiul Hussain (Penn State), and Muhammad Taqi Raza (UMass Amherst) – detailed their findings in a paper presented last week at Usenix Security 2024.

The paper, titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping,” examines “critical flaws in the authentication, authorization, and access control mechanisms of major digital wallet apps and U.S. banks,” Anwar, a doctoral candidate in electrical and computer engineering and the paper’s lead author, told The Register.

“We show how attackers can exploit these weaknesses to add stolen cards to their digital wallets and perform unauthorized transactions.”

“A plausible attack scenario looks like this: An attacker steals a credit card from a person. Using the cardholder’s name (which is printed on the card), the attacker determines a victim’s address using online databases.

“Now the attacker tries to add the card to different digital wallets. Since different wallets have different authentication methods, any wallet that requires an address or zip code for authentication is suitable for the attack.

“Once the attacker adds the card to their wallet, the cardholder can either block the card or ask the bank to send a replacement card. This has no effect on the attacker’s wallet, which still has access to the card for transactions.”

In this scenario, it is assumed that the attacker has stolen a credit card or obtained the primary account number (PAN) of the stolen card and the card owner has not yet blocked it.

The attacker – let’s call her Eve – must first add the card number to her digital wallet. To do this, she downgrades the authentication step between the issuing bank and the digital wallet by opting for a knowledge-based authentication (KBA) scheme instead of a stronger multi-factor authentication (MFA) scheme, such as a one-time password sent via SMS, email, or phone call. Banks often allow this because it’s convenient.

“The end user, not the bank, determines which authentication method to use,” the paper explains. “For example, an attacker can force the bank to fall back on KBA when MFA is required. They do this by using the ‘call-based’ authentication option. The attacker calls the bank’s automated helpline to add the card to the wallet. The helpline asks the attacker to provide the KBA-related information: date of birth and the last four digits of the SSN (Social Security number) associated with the victim’s card.”

Some KBA schemes do not require both data points; a single value may suffice, drawn from the billing zip code, the billing street address, the date of birth, and/or the last four digits of the Social Security number.

The authors acknowledge that obtaining such personal information is typically “non-trivial.” However, they argue that such information is often accessible online, thanks to people search services, public records, and data dumps.

“The recent SSN leak shows how easy it is to obtain KBA information for such PII-based verification,” said Anwar, who added: “I know someone who fell victim to such an attack, which was actually the inspiration for this research.”

Once the stolen card is added to Eve’s wallet, she can use it to make purchases. Canceling the card doesn’t help: when the card was verified, the bank issued a payment token that stands in for the card number, authorizes purchases, and is stored in the digital wallet. That token in the attacker’s wallet is simply re-linked to the replacement card when the bank reissues it.

“When the user reports the loss of the card, the bank blocks the lost card and issues a new card (with a new primary account number) to the user,” the paper explains. “However, it does not update the associated token; instead, it links the old token to the new PAN.”

In effect, the bank never re-checks whether the wallet holding the re-linked token belongs to the cardholder.

What makes the situation worse is that in-store payment terminals do not verify the identity of the cardholder at all: authenticating the holder of the device, for example by unlocking the phone, is all that is required to pay with the token.

The researchers also found that recurring transactions – such as monthly fees – are being treated in a way that allows for abuse. Merchants dictate which transactions are recurring, but an attacker can trick the merchant into labeling a transaction as “recurring” – and as such it will be processed even if the relevant payment card is blocked.

The paper describes a possible scenario:

This also applies to other websites, such as Apple.com, according to the researchers, who reported that “we successfully purchased a $25 Apple Gift Card and $179 AirPods” with a frozen card. Banks allow recurring payments to be made on frozen cards to honor the contract between the user and the merchant, ensuring that subscription services continue and negative credit events for missed subscription payments don’t occur. But this special treatment of recurring payments can be abused.
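As an added illustration, not code from the paper, The Register, or any wallet or bank, the following Python model replays the chain described above against a toy issuer token service: the caller-selected authentication method that lets KBA stand in for MFA, the token that is silently re-linked to the replacement PAN, and the merchant-supplied “recurring” label that is honored on a frozen card. Each weakness is paired with a hypothetical control (`enforce_mfa`, `reverify_on_reissue`, `check_subscription`); the class and method names, the card numbers, the KBA values, and the merchant names are all constructed for the example.

```python
# Added example: a toy issuer/token-service model reproducing the three
# weaknesses described in the article, each beside a hypothetical control.
# Nothing here is taken from the paper or from any real bank or wallet.
from dataclasses import dataclass, field

ACTIVE, FROZEN = "active", "frozen"


@dataclass
class Token:
    pan: str
    wallet_id: str
    verified: bool = True   # wallet owner has been verified for the PAN this token maps to


@dataclass
class Issuer:
    """Each flag enables one control; with all three False the attack chain succeeds."""
    enforce_mfa: bool = False          # issuer picks the auth method; caller cannot downgrade to KBA
    reverify_on_reissue: bool = False  # re-linked tokens are suspended until the owner re-verifies
    check_subscription: bool = False   # "recurring" on a frozen card is honoured only for a known series
    cards: dict = field(default_factory=dict)        # pan -> ACTIVE | FROZEN
    kba: dict = field(default_factory=dict)          # pan -> KBA answers (zip, DOB, ...)
    mfa_passed: set = field(default_factory=set)     # (wallet_id, pan) pairs that completed MFA
    tokens: dict = field(default_factory=dict)       # token_id -> Token
    subscriptions: set = field(default_factory=set)  # (token_id, merchant) series set up while active
    _counter: int = 0

    def provision(self, pan, wallet_id, requested_method, kba_answers=None):
        """Add a card to a wallet. Weak behaviour: the caller's requested method
        ('kba' or 'mfa') is used as-is, so an attacker simply asks for KBA."""
        if self.cards.get(pan) != ACTIVE:
            return None
        method = "mfa" if self.enforce_mfa else requested_method
        if method == "kba":
            ok = kba_answers is not None and kba_answers == self.kba.get(pan)
        else:
            ok = (wallet_id, pan) in self.mfa_passed
        if not ok:
            return None
        self._counter += 1
        token_id = f"tok{self._counter}"
        self.tokens[token_id] = Token(pan, wallet_id)
        return token_id

    def report_lost(self, old_pan, new_pan):
        """Block the lost card, issue a replacement, and re-link existing tokens to it."""
        self.cards[old_pan] = FROZEN
        self.cards[new_pan] = ACTIVE
        self.kba[new_pan] = self.kba[old_pan]
        for tok in self.tokens.values():
            if tok.pan == old_pan:
                tok.pan = new_pan
                if self.reverify_on_reissue:
                    tok.verified = False   # owner must prove the wallet is theirs for the new PAN

    def reverify(self, token_id, wallet_id):
        """Owner re-confirms the token from their own wallet after a reissue (MFA already passed)."""
        tok = self.tokens[token_id]
        if tok.wallet_id == wallet_id and (wallet_id, tok.pan) in self.mfa_passed:
            tok.verified = True
        return tok.verified

    def authorize(self, token_id, merchant, amount, recurring=False):
        """Authorise a token payment. The merchant, not the bank, sets the 'recurring' label."""
        tok = self.tokens.get(token_id)
        if tok is None or amount <= 0:
            return False
        if self.reverify_on_reissue and not tok.verified:
            return False
        if self.cards[tok.pan] == ACTIVE:
            if recurring:
                self.subscriptions.add((token_id, merchant))   # assumption: first payment of a series
            return True
        # Frozen card: only recurring payments are honoured, to keep subscriptions alive.
        if not recurring:
            return False
        if not self.check_subscription:
            return True    # merchant's label taken at face value
        return (token_id, merchant) in self.subscriptions


def run_attack(**controls):
    """Replay the attack chain against an issuer with the given controls enabled."""
    bank = Issuer(**controls)
    victim, replacement = "4111111111111111", "4111111111111112"   # constructed PANs
    bank.cards[victim] = ACTIVE
    bank.kba[victim] = {"zip": "01003", "dob": "1990-01-01"}        # constructed PII
    # Eve holds the card and looked up the zip/DOB online; she never completes MFA.
    tok = bank.provision(victim, "eve-wallet", "kba", {"zip": "01003", "dob": "1990-01-01"})
    out = {"provisioned": tok is not None, "after_reissue": False, "recurring_on_frozen": False}
    if tok is None:
        return out
    bank.report_lost(victim, replacement)                 # victim reports the theft
    out["after_reissue"] = bank.authorize(tok, "shop.example", 25)
    bank.cards[replacement] = FROZEN                      # victim also locks the replacement card
    out["recurring_on_frozen"] = bank.authorize(tok, "store.example", 179, recurring=True)
    return out
```

With no controls, `run_attack()` reports all three steps succeeding; turning on any one switch closes the corresponding step. The `reverify` path is what a legitimate cardholder would go through after a reissue, which is the “continuous authentication in token management” the authors recommend, modelled here as a simple re-verification flag.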

The researchers said they disclosed their findings to relevant U.S. banks and digital wallet providers in April 2023. Chase, Citi and Google are said to have responded.

“At the time of writing, Google was working with the banks to address the reported issues with Google Pay,” the paper said. “However, the banks informed us that the disclosed attacks are no longer possible… We have not yet received responses from AMEX, BoA (Bank of America), US Bank, Apple, or PayPal.”

Apple, Google and PayPal did not immediately respond to The Register’s request for comment.

The authors recommended several measures: using push notifications (bank app, Duo Mobile, Microsoft Authenticator) or app-generated codes (Google Authenticator) instead of traditional one-time passwords sent over SMS, email or voice; using continuous authentication in token management, so that a token is re-verified rather than silently re-linked when a card is reissued; and having banks audit recurring transactions to ensure they are properly labeled. ®