Stolen, blocked payment cards can be used with digital wallet apps


As computer engineers at the University of Massachusetts Amherst and Pennsylvania State University have discovered, fraudsters can add stolen payment cards to digital wallet apps and keep making online purchases even after the victim has reported the card as stolen and had the bank block it.

Comfort > Safety

Different users can add the same card to different digital wallets on different mobile devices. The feature is intended to make it easier to share a card within a family, but it can easily be exploited by malicious individuals.

Adding the card to another wallet and making fraudulent purchases is made possible by banks’ trust in the security mechanisms of digital wallet apps.

Banks let the wallet app choose the authentication scheme used to authorize linking the card (usually the weaker, knowledge-based one, where the user answers questions such as billing address or date of birth), and they rely on the device's biometric verification to identify the cardholder who authorizes transactions. The second assumption only holds if the owner of the phone is the cardholder, which is exactly what the attacker is not.

Finally, banks continue to honor payments for subscription-based services even after a card is reported lost or stolen, so that the cardholder does not incur late fees or penalties. Fraudsters exploit this by making one-time purchases that are flagged as recurring payments, which bypasses the restrictions the bank places on a blocked card.

“Any malicious actor who knows the (physical) card number can impersonate the cardholder,” emphasizes Taqi Raza, assistant professor of electrical and computer engineering at UMass Amherst. “The digital wallet does not have sufficient mechanisms to authenticate whether the card user is the cardholder or not.”

[Figure: Authentication methods used in different wallets (Source: UMass Khwarizmi Lab)]

Another problem: once a stolen card number is stored in a fraudster's digital wallet, it stays there and keeps working even if the cardholder requests a replacement and the bank issues a new card.

“Banks do not re-authenticate the cards stored in the wallet. They simply change the mapping of the virtual number to the new physical card number,” Raza explained. The fraudulent purchases therefore simply continue against the new card.

Advice for banks

The only thing that can stop a stolen card from being added to a new wallet app is for the victim to lock the card before the attacker does so. Otherwise, attackers can quietly make fraudulent purchases that the victim can ultimately only detect and dispute after the fact.

The researchers tested the different scenarios using cards from major US financial institutions (Chase, AMEX, Bank of America, Discover, US Bank and Citi) and three popular digital wallet apps: Apple Pay, Google Pay and PayPal.

They advised banks not to rely on wallet apps and the legacy, knowledge-based authentication those apps prefer when adding cards to wallets, suggesting push notifications or passwords instead.

Banks should also regularly re-authenticate the wallet and update the payment token issued for it, especially after events such as a lost card. Finally, banks should evaluate the metadata of transactions so they can “see” whether it is a one-time or recurring payment (and not rely on merchants for this information).
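To make the three weaknesses described above concrete (the wallet picking knowledge-based authentication, the bank silently re-pointing existing tokens to a replacement card, and "recurring" being decided by a merchant-supplied flag), here is an added toy model of an issuer's token vault and authorization logic. It is illustrative code written for this page, not code from any bank, wallet or the UMass/Penn State study; the card numbers, merchant names, token format and policy flags are all constructed assumptions. The same model is run twice: once with the weak policy the article describes and once with the researchers' recommendations applied.

```python
"""Toy issuer-side model of wallet tokens (hypothetical illustration, not any bank's code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Policy:
    require_mfa_to_provision: bool   # refuse wallets that only did knowledge-based auth (KBA)
    reauth_tokens_on_replace: bool   # a replacement card does not silently re-point old tokens
    recurring_from_history: bool     # "recurring" decided from issuer history, not the merchant flag


WEAK = Policy(False, False, False)          # behaviour described in the article
HARDENED = Policy(True, True, True)          # the three recommendations applied


@dataclass
class Card:
    pan: str
    status: str = "active"                  # active | blocked
    replacement: Optional[str] = None


@dataclass
class Token:
    pan: str
    auth_method: str                        # "KBA" or "MFA", as chosen by the wallet
    needs_reauth: bool = False


class Issuer:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.cards: Dict[str, Card] = {}
        self.tokens: Dict[str, Token] = {}
        self._seq = 0
        # (token, merchant) pairs this issuer has itself approved as recurring
        self.recurring_seen: Set[Tuple[str, str]] = set()

    def issue_card(self, pan: str) -> None:
        self.cards[pan] = Card(pan)

    def provision(self, pan: str, auth_method: str) -> Optional[str]:
        """Wallet asks to link a card; returns a payment token or None if refused."""
        card = self.cards.get(pan)
        if card is None or card.status != "active":
            return None
        if self.policy.require_mfa_to_provision and auth_method != "MFA":
            return None
        self._seq += 1
        tok = f"tok{self._seq:04d}"
        self.tokens[tok] = Token(pan, auth_method)
        return tok

    def block_card(self, pan: str) -> None:
        self.cards[pan].status = "blocked"

    def replace_card(self, pan: str) -> str:
        """Issue a replacement PAN; the weak policy re-points every existing token to it."""
        self._seq += 1
        new_pan = pan[:6] + f"{self._seq:010d}"
        self.cards[pan].replacement = new_pan
        self.cards[new_pan] = Card(new_pan)
        for tok in self.tokens.values():
            if tok.pan == pan:
                if self.policy.reauth_tokens_on_replace:
                    tok.needs_reauth = True     # stays bound to the old card until re-verified
                else:
                    tok.pan = new_pan           # silent remap: every wallet keeps working
        return new_pan

    def reauthenticate(self, token: Optional[str], auth_method: str) -> bool:
        """Wallet re-verifies the holder with MFA; only then is the token moved to the new card."""
        tok = self.tokens.get(token) if token else None
        if tok is None or not tok.needs_reauth or auth_method != "MFA":
            return False
        tok.pan = self.cards[tok.pan].replacement
        tok.needs_reauth = False
        return True

    def authorize(self, token: Optional[str], merchant: str, merchant_says_recurring: bool) -> bool:
        tok = self.tokens.get(token) if token else None
        if tok is None:
            return False
        if self.cards[tok.pan].status == "active" and not tok.needs_reauth:
            if merchant_says_recurring:
                self.recurring_seen.add((token, merchant))
            return True
        # Card blocked, or token awaiting re-auth: only genuine subscriptions may continue
        if self.policy.recurring_from_history:
            return (token, merchant) in self.recurring_seen
        return merchant_says_recurring          # trusting the merchant flag is the loophole


def run_scenario(policy: Policy) -> Dict[str, bool]:
    """Constructed walk-through: victim wallet, fraudster wallet, block, then replacement."""
    bank = Issuer(policy)
    pan = "4111111111111111"                    # constructed sample PAN
    bank.issue_card(pan)
    victim = bank.provision(pan, "MFA")
    bank.authorize(victim, "streaming-svc", True)       # genuine subscription on record
    fraud = bank.provision(pan, "KBA")                  # attacker knows PAN plus KBA answers
    r: Dict[str, bool] = {"fraud_provisioned": fraud is not None}
    r["fraud_buys_while_active"] = bank.authorize(fraud, "electronics-shop", False)
    bank.block_card(pan)                                # victim reports the card stolen
    r["fraud_buys_blocked_flagged_recurring"] = bank.authorize(fraud, "electronics-shop", True)
    r["victim_subscription_blocked"] = bank.authorize(victim, "streaming-svc", True)
    bank.replace_card(pan)                              # bank issues a new card
    r["fraud_buys_after_replacement"] = bank.authorize(fraud, "electronics-shop", False)
    r["victim_subscription_after_replacement"] = bank.authorize(victim, "streaming-svc", True)
    r["victim_new_purchase_before_reauth"] = bank.authorize(victim, "bookshop", False)
    bank.reauthenticate(victim, "MFA")
    r["victim_new_purchase_after_reauth"] = bank.authorize(victim, "bookshop", False)
    return r


if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, run_scenario(pol))
```

With the weak policy every fraudster step succeeds, including purchases after the replacement card is issued, because the token was silently remapped. With the hardened policy the KBA-only provisioning is refused, the "recurring" flag from the merchant is ignored in favour of the issuer's own history, and the victim's real subscription keeps working through the block and replacement while any new purchase waits for MFA re-authentication. Running with `Policy(False, False, True)` shows that the issuer-side recurring check alone already defeats the flagged-as-recurring trick on a blocked card, but not the remap after replacement.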

The researchers shared their findings with the companies mentioned and some of them took action.

“We have received responses from Google, Citi, Chase and Discover. At the time of this writing, Google is working with the banks to resolve the reported issues with Google Pay,” the report said.

“However, the banks have informed us that the disclosed attacks are no longer possible. Chase confirmed that additional fraud detection and transaction restriction measures have been taken to address the reported vulnerabilities. However, Citi and Discover have not shared with us the specific mitigation measures. We have not yet received responses from AMEX, BoA, US Bank, Apple and PayPal.”

UPDATE (August 19, 2024, 2:45 p.m. ET):

“One of our employees was a direct victim of this. They blocked the card after it was lost, but someone continued to make payments with the card. This document is the result of our research into how this was possible,” Raja Hasnain Anwar, a doctoral student in electrical and computer engineering at UMass Amherst, told Help Net Security.

“On a larger scale, we don’t know how widespread this attack method is, but we can certainly confirm that there are some attackers using it.”

He pointed out that anyone who knows the victim's billing address, date of birth or the last four digits of their ID can carry out the attack, and that this information is very easy to obtain from online databases.

“We’ve noticed that it’s now more difficult to add cards to new devices because most wallets use MFA instead of KBA. Chase connected us with their Red Team to better understand the attacker, and AMEX has also confirmed that our threat report was valid and they are working to fix the issues. However, no bank or wallet has shared the exact steps they have taken to resolve the issues,” he added.

Consumers should regularly check their credit card statements, but they should also go into the account settings of their bank’s web portal or mobile app and enable email notifications when a card is added/removed from the wallet and when a transaction is made. Some banks allow their customers to monitor which devices (and wallets) are actively using the card.

“These security settings are often not easy to find. At least the people I spoke to were unaware of these settings, and they are security researchers who take their financial security seriously,” Anwar said.

“That’s why we encourage banks to make these settings easy to find and to educate their customers about the right security mechanisms.”
