August 19, 2024 at 09:36PM
Academic security researchers found critical flaws in digital wallets like Apple Pay, Google Pay, and PayPal, allowing attackers to use stolen and canceled payment cards for unauthorized purchases. By exploiting weaknesses in authentication and security mechanisms, attackers can add stolen cards to their digital wallets and make unauthorized transactions, regardless of card cancellation. Some banks and digital wallet providers have responded to these findings.
From the meeting notes, it appears that digital wallets such as Apple Pay, Google Pay, and PayPal can be used to conduct transactions with stolen and canceled payment cards because of several critical flaws in their authentication, authorization, and access control mechanisms. These flaws let attackers add stolen cards to their own digital wallets and make unauthorized transactions even after the cards have been canceled and replaced. The attackers exploit weaknesses in the authentication process between the digital wallets and the issuing banks, which rely on knowledge-based authentication (KBA) rather than the stronger multi-factor authentication (MFA) schemes.
The paper titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping” by Raja Hasnain Anwar, Syed Rafiul Hussain, and Muhammad Taqi Raza, presented at USENIX Security 2024, describes these findings. The authors reported them to the relevant US banks and digital wallet providers in April 2023 and received responses from Chase, Citi, and Google. The disclosed attacks may no longer be possible, but not all of the companies have responded to the reports.
The authors recommended several mitigations, including adopting push notifications, continuous authentication in token management, and having banks check recurring transactions to ensure they are labeled correctly.
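As an added illustration of the token-lifecycle weakness described above and of the continuous-authentication mitigation (this is example code, not code from the paper or from any wallet provider or bank), the following Python model shows the issuer side of wallet enrolment under a weak policy and a hardened one; the Issuer class, the sample card numbers and the token format are hypothetical.

```python
# Hypothetical issuer-side model (constructed for illustration): a wallet asks
# the issuer to bind a payment token to a card; later the card is canceled
# and replaced. Compare the weak and hardened lifecycle policies.
from dataclasses import dataclass, field
import secrets


@dataclass
class Issuer:
    revoke_tokens_on_cancel: bool        # hardened: cancellation kills tokens
    require_mfa_for_provisioning: bool   # hardened: KBA alone is not enough
    cards: dict = field(default_factory=dict)   # pan -> "active" | "canceled"
    tokens: dict = field(default_factory=dict)  # token -> pan it was bound to

    def issue_card(self, pan: str) -> None:
        self.cards[pan] = "active"

    def provision_token(self, pan: str, kba_ok: bool, mfa_ok: bool):
        """Wallet enrolment: returns a token, or None if the request is refused."""
        if self.cards.get(pan) != "active" or not kba_ok:
            return None
        if self.require_mfa_for_provisioning and not mfa_ok:
            return None  # knowledge-based answers alone do not prove possession
        token = "tok_" + secrets.token_hex(4)
        self.tokens[token] = pan
        return token

    def cancel_and_replace(self, old_pan: str, new_pan: str) -> None:
        """Cardholder reports the card; issuer cancels it and ships a new one."""
        self.cards[old_pan] = "canceled"
        self.cards[new_pan] = "active"
        if self.revoke_tokens_on_cancel:
            for token, pan in list(self.tokens.items()):
                if pan == old_pan:
                    del self.tokens[token]
        # Weak policy: nothing happens here, so tokens bound to the canceled
        # card keep authorizing transactions after cancellation and replacement.

    def authorize(self, token: str) -> bool:
        """Token transaction routed by the network: valid only if still bound."""
        return token in self.tokens


def simulate(hardened: bool, mfa_ok: bool) -> tuple:
    """Returns (enrolment_succeeded, token_still_authorizes_after_cancel)."""
    issuer = Issuer(revoke_tokens_on_cancel=hardened,
                    require_mfa_for_provisioning=hardened)
    issuer.issue_card("4111-0000-0000-0001")      # constructed sample PAN
    token = issuer.provision_token("4111-0000-0000-0001", kba_ok=True, mfa_ok=mfa_ok)
    issuer.cancel_and_replace("4111-0000-0000-0001", "4111-0000-0000-0002")
    return token is not None, bool(token) and issuer.authorize(token)
```

Under the weak policy a KBA-only enrolment succeeds and the token keeps authorizing after the card is canceled; under the hardened policy enrolment needs MFA and cancellation revokes every token bound to the old card.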