The Register: Digital wallets can allow purchases with stolen credit cards

Source URL: https://www.theregister.com/2024/08/20/digital_wallets_simplify_fraud/
Source: The Register
Title: Digital wallets can allow purchases with stolen credit cards

Feedly Summary: Researchers find it’s possible to downgrade authentication checks, and shabby token refresh policies
Digital wallets like Apple Pay, Google Pay, and PayPal can be used to conduct transactions using stolen and cancelled payment cards, according to academic security researchers.…

AI Summary and Description: Yes

Summary: The text discusses significant security vulnerabilities within major digital wallet applications, highlighting how attackers can exploit flaws in authentication and token management to conduct unauthorized purchases using stolen credit cards. These insights from academic research underscore the urgent need for improved authentication practices among banks and wallet providers.

Detailed Description:
– **Research Overview**: The findings, detailed in a paper presented at USENIX Security 2024 by researchers from UMass Amherst and Penn State, demonstrate serious flaws in the security mechanisms of digital wallets, including Apple Pay, Google Pay, and PayPal.
– **Attack Methodology**:
  – Attackers can add a stolen card to a digital wallet using only minimal personal information, because the card-provisioning flow lets them choose a weak verification method.
  – Once the card is added, transactions continue to succeed even after the card has been canceled.
  – The attack typically involves:
    – **Knowledge-Based Authentication (KBA)**: Where the bank offers a choice of verification methods, attackers opt for KBA, which may require only one piece of personal information (e.g., date of birth or ZIP code), rather than multi-factor authentication (MFA).
    – **Exploiting Public Records**: Many KBA data points (such as address or SSN) are publicly available or obtainable from data breaches, so the check is easy to pass.

– **Token Management Issue**:
  – When a card is canceled and replaced, the bank does not revoke the wallet token that was issued for the old card; it simply re-links that token to the new card number without re-verifying who controls the wallet.
  – An attacker who added the stolen card can therefore keep paying with the old token even after the card has been reported lost or stolen and replaced.

– **Recurring Payments Abuse**:
  – Banks continue to approve transactions labeled as recurring even when the card is locked, and because the label is not validated, an attacker can mark one-time purchases as recurring to push them through on a locked card.

– **Industry Response**:
  – Following responsible disclosure, banks including Chase and Citi stated that they have resolved the associated vulnerabilities; gaps remain, however, as several banks, including American Express and Bank of America, did not respond to the researchers.

– **Recommendations for Improvement**: The researchers suggested several measures to mitigate these vulnerabilities:
  – Replace traditional one-time passwords with push notifications and dedicated authenticator applications.
  – Apply continuous authentication in token management, so that a token is not silently re-bound to a replacement card.
  – Have banks verify that a transaction labeled as recurring actually corresponds to an established recurring arrangement, rather than trusting the label.
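The token re-binding and recurring-label weaknesses above, and the corresponding recommendations, are easiest to see as issuer policy decisions. The following is an added toy model of an issuer's token vault and authorization logic, written for this page rather than taken from the paper or any bank; the data model, function names, card numbers and the `hardened` switch are all hypothetical. The weak policy reproduces the behaviours the researchers describe, the hardened policy applies their recommendations, and `run_scenario` replays the attack flow against each.

```python
"""Toy issuer model: weak vs. hardened wallet-token policy.

Added illustration for this summary, not code from the paper or from any bank.
All identifiers, PANs and merchant names are constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Card:
    pan: str
    locked: bool = False


@dataclass
class Token:
    token_id: str
    pan: str           # card number this wallet token currently resolves to
    wallet_id: str
    revoked: bool = False


@dataclass
class Issuer:
    hardened: bool = False
    cards: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)
    # (pan, merchant_id) pairs the cardholder actually consented to bill repeatedly
    recurring_agreements: set = field(default_factory=set)

    def provision_token(self, token_id, wallet_id, pan, auth_method):
        """A wallet asks to add a card. The weak issuer lets the caller pick KBA;
        the hardened issuer insists on an out-of-band factor (push / authenticator app)."""
        if self.hardened and auth_method == "kba":
            raise PermissionError("KBA not accepted for wallet provisioning")
        self.tokens[token_id] = Token(token_id, pan, wallet_id)

    def lock_card(self, pan):
        self.cards[pan].locked = True

    def report_lost(self, old_pan, new_pan):
        """Lock the compromised card and issue a replacement. The weak policy re-points
        every existing token at the new PAN without re-verifying who holds the wallet;
        the hardened policy revokes them so each wallet must re-add the card."""
        self.lock_card(old_pan)
        self.cards[new_pan] = Card(new_pan)
        for tok in self.tokens.values():
            if tok.pan == old_pan:
                if self.hardened:
                    tok.revoked = True
                else:
                    tok.pan = new_pan

    def authorize(self, token_id, merchant_id, label):
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            return "DECLINED_TOKEN"
        if not self.cards[tok.pan].locked:
            return "APPROVED"
        # Locked card: only genuine recurring charges should still go through.
        if label == "recurring":
            if not self.hardened:
                return "APPROVED"   # trusts whatever label arrived with the transaction
            if (tok.pan, merchant_id) in self.recurring_agreements:
                return "APPROVED"
        return "DECLINED_LOCKED"


def run_scenario(hardened):
    """Replay the attack flow against one policy and collect the outcomes."""
    bank = Issuer(hardened=hardened)
    bank.cards["4111000011110001"] = Card("4111000011110001")   # constructed test PANs
    bank.cards["4111000011110002"] = Card("4111000011110002")
    bank.recurring_agreements.add(("4111000011110002", "streaming-svc"))
    out = {}

    # Step 1: attacker adds the stolen card; the weak issuer accepts a ZIP-code KBA check.
    try:
        bank.provision_token("tok-A", "attacker-wallet", "4111000011110001", "kba")
        out["kba_provisioning"] = "ACCEPTED"
    except PermissionError:
        out["kba_provisioning"] = "REJECTED"
        # Assume (for the demo) the attacker somehow passed the stronger check,
        # so the token-refresh control can be shown on its own.
        bank.provision_token("tok-A", "attacker-wallet", "4111000011110001", "push")

    # Step 2: victim reports the card; the bank locks it and ships a replacement.
    bank.report_lost("4111000011110001", "4111000011110003")
    out["after_reissue"] = bank.authorize("tok-A", "gift-cards", "one_time")

    # Step 3: a second card, locked by its holder while a real subscription exists.
    bank.provision_token("tok-B", "attacker-wallet", "4111000011110002", "push")
    bank.lock_card("4111000011110002")
    out["fake_recurring"] = bank.authorize("tok-B", "gift-cards", "recurring")
    out["genuine_recurring"] = bank.authorize("tok-B", "streaming-svc", "recurring")
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak", run_scenario(mode))
```

Under the weak policy the attacker's token survives the card replacement and a one-time purchase marked "recurring" clears a locked card; under the hardened policy the token is revoked at reissue and only the merchant with a recorded agreement is still billed. Real issuers hold far more state than this, but the two decision points (what happens to existing tokens at reissue, and whether a recurring label is checked against anything) are the ones the research turns on.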

This investigation exposes a critical need for stronger security controls in digital wallet technologies. It is particularly relevant for security professionals in the cloud and payment industries, and underlines the necessity of adopting more robust authentication and verification processes.