Digital Wallet Loophole Allows Criminals to Shop for Free with Locked Cards

Researchers have discovered a major flaw in digital wallets such as Apple Pay and Google Pay that allows hackers to use stolen credit cards for shopping sprees, even after the cards have been locked.

By Marco Rizal - Editor, Journalist 4 Min Read

Researchers at the University of Massachusetts Amherst and other institutions discovered a critical flaw in popular digital wallets such as Apple Pay, Google Pay, and PayPal.

The security flaw allows hackers to add another person's credit card to their digital wallet and make purchases, even if the original card has been blocked by the bank.

Digital wallets work by storing credit card information in a secure, encrypted format.

Instead of sending the actual card number (known as the Primary Account Number or PAN) during a transaction, digital wallets send a temporary token.

This token allows the purchase to proceed without revealing the card details.

Figure: How digital payment works (Credit: In Wallet We Trust)

However, the researchers discovered a way around this system, allowing criminals to easily bypass security and go on shopping sprees using stolen cards.

The main issue concerns how digital wallets authenticate users. When someone adds a card to their digital wallet, they are usually required to verify their identity.

This is done by providing basic information such as their billing address or the last four digits of their Social Security number.

However, the study concluded that this verification step is insufficiently robust: criminals can easily obtain the necessary personal information from public databases, which allows them to impersonate the cardholder and load the card into their own digital wallet.

Once a stolen card is added, digital wallets and banks are not always able to detect the fraud.

Even if the legitimate cardholder notices the problem and locks their card, criminals can still make purchases because the bank continues to trust the digital wallet's authorization token.

This flaw makes victims vulnerable even after they have reported their card as stolen.

Real-life experiments confirm the vulnerability

The researchers ran a number of experiments to test the flaw. They successfully added stolen cards from major US banks, including AMEX and Chase, to their own digital wallets.

Despite the victims' cards being locked, the attackers were able to make in-store purchases at Walmart and Target using Apple Pay and Google Pay.

Figure: Bank of America credit cards (a) use KBA for PayPal wallets and (b) use multiple MFA methods for Apple Pay, while Chase credit cards (c) only offer SMS-based MFA. (Credit: In Wallet We Trust)

The researchers even showed that they could conduct transactions up to a week after the card was reported stolen.

Another experiment involved the attackers using a stolen Citibank credit card to pay for a car rental service.

Even though the victim had locked the card, the rental company processed the payment because it was marked as a recurring transaction—another flaw in the system.
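The two failure modes described above (a lock that does not revoke wallet tokens, and a lock that exempts recurring transactions) can be modelled in a few lines. The following is an added, constructed model of an issuer's token vault and authorisation check; it is not code from the researchers or from any wallet or bank, and the PAN, token format and flag names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Card:
    pan: str                     # constructed sample PAN, not a real card
    locked: bool = False
    tokens: set = field(default_factory=set)

class Issuer:
    """Constructed model of an issuer's tokenisation and authorisation flow.
    check_pan_state=False reproduces the flaw the article describes: a lock
    marks the card, but a wallet token bound to it keeps being honoured.
    exempt_recurring=True reproduces the car-rental case, where a locked
    card still pays for transactions flagged as recurring."""
    def __init__(self, check_pan_state: bool, exempt_recurring: bool):
        self.check_pan_state = check_pan_state
        self.exempt_recurring = exempt_recurring
        self.cards: dict[str, Card] = {}
        self.token_to_pan: dict[str, str] = {}

    def add_card(self, pan: str) -> None:
        self.cards[pan] = Card(pan)

    def provision_token(self, pan: str) -> str:
        # Wallet provisioning: the issuer binds a fresh token to the PAN.
        token = f"tok-{pan[-4:]}-{len(self.token_to_pan) + 1}"
        self.token_to_pan[token] = pan
        self.cards[pan].tokens.add(token)
        return token

    def lock_card(self, pan: str) -> None:
        self.cards[pan].locked = True

    def authorize(self, token: str, recurring: bool = False) -> str:
        pan = self.token_to_pan.get(token)
        if pan is None:
            return "declined: unknown token"
        if not self.check_pan_state:
            return "approved"   # flaw: only token validity is checked
        card = self.cards[pan]
        if card.locked and not (recurring and self.exempt_recurring):
            return "declined: card locked"   # hardened: lock covers every token
        return "approved"

def run_scenario(check_pan_state: bool, exempt_recurring: bool) -> tuple:
    """Attacker provisions a token, victim locks the card, attacker pays."""
    issuer = Issuer(check_pan_state, exempt_recurring)
    issuer.add_card("4111111111111111")               # constructed test PAN
    tok = issuer.provision_token("4111111111111111")  # attacker's wallet
    issuer.lock_card("4111111111111111")              # victim locks the card
    return issuer.authorize(tok), issuer.authorize(tok, recurring=True)
```

Only the configuration that checks the underlying card state on every token and grants no recurring exemption declines both purchases; the other two reproduce the outcomes the researchers observed.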

The attackers were also able to purchase items such as Apple gift cards and AirPods using cards that should have been disabled.

The study found that even with modern security measures such as card locking, criminals can still use stolen cards to make fraudulent purchases.

This vulnerability affects major banks in the United States as well as popular digital wallets, putting millions of users at risk.

Banks believe that their current security systems are sufficient to prevent fraud, but this study demonstrates otherwise.

Digital wallets are intended to protect cardholders, but they fall short in terms of preventing unauthorized use after a card is stolen.
