Fraudsters can add stolen payment cards to digital wallet apps and continue making online purchases even after victims report the card stolen and the bank blocks it, computer engineers with University of Massachusetts Amherst and Pennsylvania State University have discovered.
Convenience > security
Different users can add the same card to different digital wallets on different mobile devices. The feature exists to make it easier to share a card within a family, but it can be easily exploited by malicious individuals.
Adding the card to a different wallet and making fraudulent purchases is made possible by the trust banks have in the digital wallet apps’ security mechanisms.
Banks rely on the app to choose the authentication scheme (usually the weaker, knowledge-based one) to authorize the linking of the card with the app, and they rely on in-device biometric verification methods to identify the cardholder authorizing the transactions (which assumes that the owner of the phone is the cardholder).
Finally, the banks allow payments for subscription-based services even on lost / stolen cards so that the cardholder doesn’t incur late payment fees / penalties. Fraudsters can make one-time transactions but mark them as recurring payments, thus bypassing the bank’s transaction authorization restrictions.
“Any malicious actor who knows the [physical] card number can pretend to be the cardholder,” Taqi Raza, assistant professor of electrical and computer engineering at UMass Amherst, pointed out. “The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.”
Authentication methods used in different wallets (Source: UMass Khwarizmi Lab)
As an added drawback, once stolen card numbers are saved in a fraudster’s digital wallet, they are there and will continue to work even if the cardholder requests a card replacement and the bank issues a new card.
“Banks do not re-authenticate the cards stored in the wallet. What they do is they simply change the virtual number mapping to the new physical card number,” Raza explained. Thus, fraudulent purchases continue to go through.
Advice for banks
The only potential barrier to adding a stolen card to a new wallet app is if the victim locks the card before that can be done. Barring that, the attackers can covertly make fraudulent purchases that can ultimately only be recognized and disputed by the victim.
The scientists tested the various scenarios with cards issued by major US financial institutions (Chase, AMEX, Bank of America, Discover, US Bank and Citi) and three popular digital wallet apps: Apple Pay, Google Pay, and PayPal.
They advised banks not to rely on the wallet apps and their preferred legacy authentication methods when it comes to adding cards into wallets. They suggest using push notifications or passcodes.
Banks should also periodically re-authenticate the wallet and refresh the payment token issued to it, especially after events like card loss. And, finally, banks should evaluate the metadata of transactions so they can “see” whether a payment is one-time or recurring (and not rely on merchants for that info).
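A toy bank-side model of the two behaviours described above, added here as an example and not the researchers' or any bank's code: legacy mode remaps wallet tokens to the reissued card and trusts the merchant's recurring flag, while the hardened mode revokes those tokens on reissue and judges "recurring" from the bank's own billing history. All card numbers, token names and merchants are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Bank:
    hardened: bool                              # False reproduces the behaviour the article describes
    blocked: set = field(default_factory=set)   # PANs locked after loss (constructed sample numbers below)
    tokens: dict = field(default_factory=dict)  # wallet payment token -> PAN
    history: set = field(default_factory=set)   # (token, merchant) pairs the bank has billed before

    def link_wallet(self, pan, token):
        self.tokens[token] = pan                # enrolment step that trusts the wallet's own auth

    def reissue(self, old_pan, new_pan):
        """Replacement after loss. Legacy: remap tokens to the new PAN. Hardened: revoke them so the cardholder must re-link."""
        self.blocked.add(old_pan)
        for token, pan in list(self.tokens.items()):
            if pan == old_pan:
                if self.hardened:
                    del self.tokens[token]
                else:
                    self.tokens[token] = new_pan

    def authorize(self, token, merchant, merchant_says_recurring):
        pan = self.tokens.get(token)
        if pan is None:
            return False
        if pan in self.blocked:
            # Blocked cards may still pay genuine subscriptions. Legacy: trust the merchant's
            # flag. Hardened: recurring only if this token has already billed this merchant.
            recurring = (token, merchant) in self.history if self.hardened else merchant_says_recurring
            if not recurring:
                return False
        self.history.add((token, merchant))
        return True

def after_reissue(hardened):
    """Stolen card enrolled in a fraudster's wallet, then reported lost and replaced; is a later one-time purchase approved?"""
    bank = Bank(hardened)
    bank.link_wallet("4111-0000-0000-0001", "wallet-token-A")
    bank.reissue("4111-0000-0000-0001", "4111-0000-0000-0002")
    return bank.authorize("wallet-token-A", "shop", merchant_says_recurring=False)

def on_locked_card(hardened):
    """Card locked, token still enrolled. Returns (genuine subscription approved, fresh purchase merely flagged recurring approved)."""
    bank = Bank(hardened)
    bank.link_wallet("4111-0000-0000-0003", "wallet-token-B")
    bank.authorize("wallet-token-B", "streaming", False)   # subscription first billed before the lock
    bank.blocked.add("4111-0000-0000-0003")
    return (bank.authorize("wallet-token-B", "streaming", True),
            bank.authorize("wallet-token-B", "new-shop", True))
```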
The researchers shared their findings with those companies and some have sprung into action.
“We received responses from Google, Citi, Chase, and Discover. At the time of writing this paper, Google is working with the banks from its end to address the reported issues on Google Pay,” they said.
“The banks, however, reported to us that the disclosed attacks are not possible anymore. Chase confirmed that additional fraud detection and transaction limitation measures have been put in place to address the reported vulnerabilities; Citi and Discover, however, did not disclose the specific mitigation measures to us. We did not yet receive responses from AMEX, BoA, US Bank, Apple, and PayPal.”