Digital wallets can allow purchases with stolen credit cards
2024-08-20 01:29

Digital wallets like Apple Pay, Google Pay, and PayPal can be used to conduct transactions using stolen and canceled payment cards, according to academic security researchers.

These flaws, some of which have been addressed since responsible disclosure last year, allow an attacker armed with limited personal information to add an active stolen payment card number to a digital wallet and make purchases, even if the card is subsequently canceled and replaced.

"We demonstrate how attackers can exploit these weaknesses to add stolen cards to their digital wallets and make unauthorized transactions."

The scenario assumes the attacker has stolen a credit card or obtained the stolen card's primary account number and that the owner of the card has not yet canceled it.

Canceling the card doesn't help, because when the card is authenticated, the bank issues a token that authorizes purchases and is stored in the digital wallet.

Banks allow recurring payments on locked cards to honor the contract between user and merchant, so that subscription services continue and negative credit events for missed subscription payments don't occur.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/20/digital_wallets_simplify_fraud/