Researchers talk about vulnerabilities in Apple Pay, Google Pay, and PayPal.
A team of researchers from the University of Massachusetts and Pennsylvania State University has discovered critical vulnerabilities in the popular digital wallets Apple Pay, Google Pay, and PayPal. Their research, presented at the recent Usenix Security 2024 conference, showed that carders can add stolen credit card numbers to their digital wallets and make purchases with them, even if the owner decided to block the card.
According to Raja Hasnain Anwar, a doctoral student in the Department of Electrical Engineering and Computer Science at UMass Amherst and lead author of the study, the main problem is gaps in the application authentication systems for digital wallets and banks in the United States.
A typical scenario for such an carding is as follows. First, the carder (let's call him Sasha) steals a credit card. Knowing the cardholder's name printed on it, Sasha determines the victim's address using online databases. It then tries to add the stolen card to various digital wallets. Since each wallet uses different authentication methods, the carder chooses the one where it is enough to provide an address or zip code for confirmation.
After that, Sasha can continue to use the credit card, even if the owner blocks it. The problem is that banks don't check if the wallet actually belongs to the cardholder when the authorization token is updated. Instead, they automatically transfer the token to a new card issued to replace the lost one.
In addition, banks allow recurring transactions even if the card is blocked. This can also be used in carding. For example, Sasha can register on the Turo.com website, add a compromised invoice as a payment method, and then book and pay for the trip. Even though the credit card is inactive, Turo will still process the payment, marking it as "recurring".
An carder can also trick the bank into using less secure authentication methods when adding a card to a digital wallet. Instead of two-factor authentication (SMS, email or call), Sasha can simply enter the date of birth and the last 4 digits of the SNN, which can often be found in open sources. In stores, cashiers are also not required to verify the identity of the cardholder - verification of the device is enough.
Researchers reported the vulnerabilities to leading banks and wallet developers in April 2023. Google has confirmed that it is working to fix them, but other companies have not yet taken retaliatory action. Apple, PayPal and Bank of America did not respond to requests from reporters.
Source
A team of researchers from the University of Massachusetts and Pennsylvania State University has discovered critical vulnerabilities in the popular digital wallets Apple Pay, Google Pay, and PayPal. Their research, presented at the recent Usenix Security 2024 conference, showed that carders can add stolen credit card numbers to their digital wallets and make purchases with them, even if the owner decided to block the card.
According to Raja Hasnain Anwar, a doctoral student in the Department of Electrical Engineering and Computer Science at UMass Amherst and lead author of the study, the main problem is gaps in the application authentication systems for digital wallets and banks in the United States.
A typical scenario for such an carding is as follows. First, the carder (let's call him Sasha) steals a credit card. Knowing the cardholder's name printed on it, Sasha determines the victim's address using online databases. It then tries to add the stolen card to various digital wallets. Since each wallet uses different authentication methods, the carder chooses the one where it is enough to provide an address or zip code for confirmation.
After that, Sasha can continue to use the credit card, even if the owner blocks it. The problem is that banks don't check if the wallet actually belongs to the cardholder when the authorization token is updated. Instead, they automatically transfer the token to a new card issued to replace the lost one.
In addition, banks allow recurring transactions even if the card is blocked. This can also be used in carding. For example, Sasha can register on the Turo.com website, add a compromised invoice as a payment method, and then book and pay for the trip. Even though the credit card is inactive, Turo will still process the payment, marking it as "recurring".
An carder can also trick the bank into using less secure authentication methods when adding a card to a digital wallet. Instead of two-factor authentication (SMS, email or call), Sasha can simply enter the date of birth and the last 4 digits of the SNN, which can often be found in open sources. In stores, cashiers are also not required to verify the identity of the cardholder - verification of the device is enough.
Researchers reported the vulnerabilities to leading banks and wallet developers in April 2023. Google has confirmed that it is working to fix them, but other companies have not yet taken retaliatory action. Apple, PayPal and Bank of America did not respond to requests from reporters.
Source
