Digital Wallets: Unveiling Critical Security Risks
A group of security researchers has uncovered vulnerabilities in Apple Pay, Google Pay, and PayPal systems that allow stolen and canceled payment cards to be used for transactions. The findings were presented at the USENIX Security 2024 conference.
The experts analyzed critical flaws in authentication, authorization, and access control mechanisms in major digital wallet applications and U.S. banks. The identified flaws enable attackers to add stolen cards to their digital wallets and conduct unauthorized transactions, even if the card has been canceled or replaced.
For instance, a fraudster can use stolen credit card information (cardholder’s name and address) to add the card to various digital wallets. Different wallets employ different authentication methods, and those that require only an address or postal code become easy targets for cybercriminals.
Even if the cardholder blocks or reissues the card, the attacker can keep using it from their wallet. This happens because, once a card is added to a digital wallet, the bank issues a token that authorizes purchases, and the wallet stores that token. When the card is replaced, the token is neither revoked nor re-verified; the bank simply links it to the new card, so purchases continue to go through on the old token.
Researchers also discovered that many banks permit the use of less secure authentication methods, such as knowledge-based authentication (KBA), instead of more secure multi-factor authentication (MFA). This allows a fraudster to bypass stricter security measures by opting for KBA, which often involves verification through the date of birth and the last four digits of the social security number (SSN).
Obtaining such information is possible through public databases and data breaches. Recent leaks of social security numbers highlight how easily information can be acquired for such verification.
In experiments, researchers successfully used blocked cards to purchase gift cards and electronics, as well as to sign up for monthly subscriptions. Attackers can even enable autopay to carry out transactions with blocked cards. Banks, eager to avoid missed payments and the associated negative consequences for customers, permit such transactions.
The researchers reported their findings to U.S. banks and digital wallet providers in April 2023. At the time of the study’s publication, Google was working with banks to address the issues identified in Google Pay. Chase and Citi also stated that the vulnerabilities were no longer relevant. However, Apple, PayPal, and other companies have yet to comment.
The authors of the study recommend several measures to enhance security: using push notifications instead of one-time passwords, implementing continuous authentication when managing tokens, and verifying the correctness of labels for recurring transactions.
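As an added illustration (not code from the study, nor from any bank or wallet provider), the following toy Python model of an issuer token vault contrasts the re-linking behaviour described above, where a token silently follows the replacement card, with the revoke-and-re-verify approach the authors recommend. All class names, the token format and the card numbers are constructed.

```python
from dataclasses import dataclass

@dataclass
class Token:
    pan: str                # card number the token is currently bound to
    revoked: bool = False

class IssuerTokenVault:
    """Toy issuer token vault (constructed; not any bank's or wallet's code)."""
    def __init__(self, revoke_on_reissue: bool) -> None:
        self.revoke_on_reissue = revoke_on_reissue   # False = behaviour the study describes
        self.active_cards = set()
        self.tokens = {}
        self._next_id = 0

    def issue_card(self, pan: str) -> None:
        self.active_cards.add(pan)

    def provision_token(self, pan: str, identity_verified: bool):
        """A wallet asks for a token; the issuer verifies the requester first."""
        if not identity_verified or pan not in self.active_cards:
            return None
        self._next_id += 1
        token_id = f"tok-{self._next_id}"            # constructed token format
        self.tokens[token_id] = Token(pan)
        return token_id

    def reissue_card(self, old_pan: str, new_pan: str) -> None:
        """Cardholder blocks the card and receives a replacement."""
        self.active_cards.discard(old_pan)
        self.active_cards.add(new_pan)
        for tok in self.tokens.values():
            if tok.pan == old_pan:
                if self.revoke_on_reissue:
                    tok.revoked = True    # hardened: wallet must re-provision and re-verify
                else:
                    tok.pan = new_pan     # flaw: old token silently follows the new card

    def authorize(self, token_id: str) -> bool:
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.revoked and tok.pan in self.active_cards

def token_survives_reissue(revoke_on_reissue: bool) -> bool:
    """Provision a token, reissue the card, report whether the old token still authorizes."""
    vault = IssuerTokenVault(revoke_on_reissue)
    vault.issue_card("4111-0001")                   # constructed sample card numbers
    tok = vault.provision_token("4111-0001", identity_verified=True)
    vault.reissue_card("4111-0001", "4111-0002")
    return vault.authorize(tok)
```

With `revoke_on_reissue=False` the old token still authorizes after the card is replaced; with it set to `True`, the wallet must obtain a fresh token, which forces the identity check the authors call continuous authentication.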