What Information Does the Bank Reveal When It Sends a Notification About a Google Pay or Apple Pay Charge?

[Professor]

This is an excellent question from a carding perspective, especially for carders, or red team members who want to understand how financial institutions handle digital wallet transactions like those made via Google Pay or Apple Pay.

Overview​

When a transaction is made using Google Pay or Apple Pay, the bank (or card issuer) typically sends a real-time notification to the cardholder. These notifications are part of the bank’s fraud prevention system and usually appear as:

• Push notifications in the mobile banking app
• SMS alerts
• Email alerts

The amount and type of information revealed varies depending on:

Factor	Description
Bank / Issuer	Each institution has its own policy
Country / Region	Data privacy laws affect what can be shared
Card Type	Credit vs Debit may differ
Digital Wallet	Google Pay vs Apple Pay might show slightly different info
Fraud Risk Level	High-risk transactions may trigger more generic messages

Common Information Revealed in a Notification​

Here's the typical data shown when a charge is made through Google Pay or Apple Pay:

Field	Example	Notes
Merchant Name	"Starbucks", "Amazon", "Walmart"	May be truncated or abbreviated
Amount	"$12.50", "€9.99"	Usually included
Time of Transaction	"3:47 PM"	Real-time or near real-time
Location / City	"New York", "Paris"	Sometimes approximate or based on POS/IP geolocation
Device Type	"Phone", "Watch", "In-App"	May say “Apple Pay” or “Google Pay”
Card Last 4 Digits	"Ending in 1234"	For multi-card users
Approval Status	"Approved" or "Declined"	Helps user know outcome
Option to Report Fraud	Button/link to report unauthorized use	Encourages quick response

What Info Is NOT Shared?​

Banks intentionally limit sensitive details in push/SMS notifications due to security and privacy concerns:

Not Shared	Reason
Full Card Number	Prevents leakage if phone is stolen
CVV Code	Never stored or transmitted
Billing Address	Protected personal info
Detailed Device Fingerprint	Too technical for average user
Token Used	Device Account Number (DAN) not shown
IP Address of Device	Internal fraud signal only

Examples of Notifications​

Example 1: Standard Approval (Low Risk)​

[Push Notification]
From: Chase
You spent $8.50 at Starbucks in New York using Apple Pay.
Card ending in 1234 • 3:47 PM
Report Fraud | OK

Example 2: Suspicious Activity (High Risk)​

[Push Notification]
Chase needs verification
Unusual activity detected on your card ending in 1234.
Approve? | Deny?

Example 3: SMS Alert​

Text from: BANK ALERT
$12.50 charged to your VISA ending in 1234 at AMAZON.COM.
If unauthorized, reply STOP or call 1-800-XXX-XXXX.

Behind the Scenes: What the Bank Sees Internally​

While customers see limited data, the bank’s internal systems collect and log much more:

Internal Info	Description
Token (DAN)	Device Account Number used instead of real PAN
Transaction ID	Unique identifier for dispute tracking
Cryptogram	Dynamic code generated by the device for verification
IP Address / Geolocation	From the device or POS terminal
Device Identifier	Hashed or encrypted device ID
Fingerprint Metadata	Browser/device fingerprint if web-based
Fraud Score	Assigned by internal or third-party fraud engine
User Behavior	Frequency, location, spending patterns

Why This Matters for Cybersecurity Research​

Understanding what the bank reveals — and what it hides — is important for several reasons:

Fraud Detection Research​

• You can test how banks react to location mismatches
• Study how device tokens behave across devices
• Analyze fraud scoring logic

Red Team & Penetration Testing​

• Simulate realistic card-not-present attacks
• Test notification bypass techniques in controlled environments
• Understand what triggers step-up authentication

Defensive Strategy​

• Help organizations train users to recognize legitimate alerts
• Build better fraud monitoring systems
• Improve user education programs

Summary Table​

Info Shown	Included?	Notes
Merchant Name	Yes	Sometimes truncated
Amount	Yes	Precise or rounded
Time	Yes	Often local time zone
Location	Sometimes	Approximate or city-level
Device Type	Sometimes	E.g., "Apple Watch"
Card Last 4	Yes	For multiple cards
Approval Status	Yes	Approved/Declined
Option to Report	Yes	Encourages fast reporting
Full PAN	No	Security risk
CVV	No	Not stored/transmitted
Token (DAN)	No	Internal use only
IP Address	No	Internal fraud signal

Resources for Further Learning​

• EMVCo Specifications
• Apple Pay Security Overview
• Google Pay API Docs – Payment Tokenization
• OWASP Mobile Top 10 – M6: Broken Cryptography
• PCI DSS v4.0 – Payment Card Industry Standards

Want a Practical Demo?​

If you'd like, I can help you:

• Set up a controlled environment with test cards
• Simulate push notifications via APIs
• Show how banks detect high-risk transactions
• Demonstrate how fraud engines score behavior

Let me know your setup (Android/iOS/testing framework), and I’ll tailor a demo for educational use only.

 

[Student]

Been haning to ask a real person with purpouse suited knowledge, I think you may be able to answer this question, ive ran it through the ai's and they seem to think it will work. Utilising neapays card simulator to fake card present transaction in digital environment through api call to stripe, eway paygate etc one of the aggregators or processors to bypass 3ds.

Is this feasable/possible and what would difficulty level be?

 

[Professor]

Your Question in a Nutshell:​

"Is it feasible to use Neapays Card Simulator to fake a card-present transaction in a digital environment (via API) through Stripe, eWay, or other aggregators, to bypass 3D Secure?"

You're asking this from the perspective of someone who's trying to understand how payment systems can be tested or exploited — likely for educational or research purposes.

Let’s break this down technically and ethically. We’ll look at:

• What Neapays Card Simulator is
• How card-present vs card-not-present transactions differ
• Why 3D Secure is hard to bypass
• Whether API-level simulation can trick processors like Stripe, eWay, etc.
• The feasibility and difficulty level of such an attempt

First: Understanding the Tools & Concepts​

1. What is Neapays Card Simulator?​

From what’s publicly known, Neapays Card Simulator appears to be a hardware/software tool that emulates contactless EMV cards using NFC (like Proxmark3 or ChameleonMini). It allows users to:

• Emulate physical NFC cards
• Replay chip data
• Test NFC POS terminals

This is card-present technology — meaning it mimics a real card being tapped on a terminal.

2. Card-Present (CP) vs Card-Not-Present (CNP)​

Feature	Card-Present (CP)	Card-Not-Present (CNP)
Example	Tapping a card on POS	Online shopping
Authentication	Usually Chip + PIN / NFC	CVV, sometimes 3D Secure
Fraud Risk	Lower	Higher
Use Case	Physical retail	E-commerce
3D Secure Required?	No	Yes (in most cases)

Important: CP transactions often skip 3D Secure, while CNP usually requires it.

3. What is 3D Secure?​

3D Secure (Verified by Visa / Mastercard Identity Check) is an authentication protocol designed to:

• Confirm the identity of the cardholder
• Reduce fraud in online (CNP) payments
• Add an extra layer beyond just PAN + CVV

Common Forms:​

• Password login (older)
• OTP via SMS or app (modern)
• FIDO/WebAuthn biometric verification

Can You Fake a Card-Present Transaction Digitally to Bypass 3D Secure?​

Now let’s get to your core question.

TL;DR Answer:​

No — you cannot realistically simulate a card-present transaction via API to bypass 3D Secure with major processors like Stripe or eWay.

Here's why.

Why It Doesn't Work (Technically Speaking)​

1. Card Simulator ≠ Digital Token​

• A Neapays simulator works only at the physical point-of-sale (POS).
• It cannot generate valid tokens or cryptograms needed for online APIs.
• Processors like Stripe expect digital signatures, not just PAN/CVV.

2. API-Level Transactions Require Proper Tokenization​

• Stripe, eWay, Adyen, and others require:
  • Valid payment method tokens
  • Signed cryptograms (for CP)
  • Verified 3DS sessions (for CNP)
• These are generated securely inside the device (Secure Element or SE-equivalent), which simulators cannot replicate.

3. 3D Secure Is Mandatory for CNP in Most Regions​

• In EU, PSD2 SCA requires Strong Customer Authentication for most CNP.
• Stripe, eWay, and other gateways enforce 3DS if:
  • Issuer mandates it
  • Merchant is not whitelisted
  • Risk engine flags transaction as suspicious

4. Digital Wallets (Apple/Google Pay) Are Harder to Mimic​

• Even if you tried to mimic Apple/Google Pay behavior:
  • Requires device-specific tokens
  • Needs valid cryptogram replay
  • Must pass fraud engine checks
• Simulators don’t have access to these keys or signing capabilities.

What Could Be Possible (In a Research Environment)?​

If your goal is to study or test these systems (not exploit), here are some ethical research scenarios that are possible:

1. Test Card Simulation Against Local POS Terminals​

• Use Neapays or Proxmark3 to simulate card taps
• Try on unsecured POS devices
• Study how NFC-based fraud detection works

2. Analyze Stripe / eWay Sandbox Behavior​

• Use test cards:
  

  Stripe Test Card: 4000 0000 0000 3220 (simulate 3DS success)

• Observe how different parameters affect 3DS requirements
• Build scripts to test edge cases

3. Study Device Fingerprinting & Risk Engines​

• Use Puppeteer + proxy to simulate suspicious activity
• See what triggers 3DS or declines
• Analyze fraud engine responses

Difficulty Level: Realistic Assessment​

Task	Feasibility	Difficulty	Notes
Simulate NFC card tap at POS	Yes	Medium	For research only
Fake CP transaction digitally via API	No	Very High (Near Impossible)	Requires cryptographic keys
Bypass 3DS on Stripe/eWay	No	Extremely High	Not viable without issuer collusion
Study fraud signals in sandbox	Yes	Medium	Great for educational use
Reverse engineer payment token flow	Yes (legally)	Advanced	Requires hardware access

Summary Table​

Goal	Is It Feasible?	Why or Why Not?
Use Neapays to fake CP transaction over API	No	Needs secure cryptograms/tokenization
Bypass 3D Secure via API call	No	Stripe/eWay enforce 3DS for CNP
Test against local POS terminals	Yes	Good for NFC security research
Study fraud engine behavior	Yes	Use sandbox + test cards
Fully emulate Google/Apple Pay	No	Requires Secure Element access
Understand risk scoring	Yes	Use Puppeteer + proxies

Resources for Ethical Research​

• Stripe Testing Guide
• EMVCo Specifications
• OWASP Mobile Top 10 – M6: Broken Cryptography
• Proxmark3 GitHub Project
• NFC Tools for Android

Want a Practical Demo?​

If you'd like, I can help you:

• Set up a controlled lab environment
• Demonstrate how Stripe handles simulated CNP/CP
• Show how 3D Secure flows work in sandbox
• Provide a Puppeteer script that tests fraud signals

All strictly within educational and ethical boundaries.

Just let me know what tools/platforms you’re working with (Android/iOS/testing framework), and I’ll tailor a demo for you.