Criminals Can Steal Your Money Even from a Blocked Card
A research team from the University of Massachusetts Amherst and Penn State University has found serious weaknesses in the way popular digital wallets such as Apple Pay, Google Pay, and PayPal verify a newly added card. Their study, presented at the USENIX Security 2024 conference, shows that a criminal can add a stolen credit card number to a digital wallet and keep making purchases with it even after the cardholder has reported the card and the bank has blocked it.
According to Raja Hasnain Anwar, a PhD student in the Department of Electrical and Computer Engineering at UMass Amherst and the lead author of the study, the main issue lies in authentication loopholes within digital wallet apps and U.S. banking systems.
How the Attack Works
Here is a typical scenario. A criminal (let's call him Sasha) steals a credit card. Using the cardholder's name printed on the card, Sasha looks up the victim's address in online people-search databases. He then tries to add the stolen card to several digital wallets. Because wallets and banks differ in how they verify a newly added card, Sasha picks the wallet whose verification the bank will accept with nothing more than a billing address or ZIP code.
Once the card is in his wallet, Sasha can keep charging it even after the owner reports it and the bank blocks it. The reason is that the wallet does not hold the card number itself but a payment token tied to the card account, and when the bank issues a replacement card it does not check whether the wallet holding that token actually belongs to the cardholder. It simply re-links the existing token to the new card number, so the attacker's wallet carries on working with the replacement card.
Recurring Transactions and Weak Authentication
Banks also let transactions flagged as recurring go through on a card that has been blocked, and the attack exploits this too. For example, Sasha can register on Turo.com, add the stolen card as a payment method, and then book and pay for a trip. Even though the card is blocked, the bank still approves the charge because Turo submits it labeled as "recurring."
The attacker can also steer the bank toward a weaker verification method when adding the card to a digital wallet. Instead of a second factor that reaches the real cardholder (an SMS code, an email code, or a phone call), Sasha may only have to enter a date of birth and the last four digits of the Social Security number, information that is often available from public sources or earlier data breaches. At the point of sale nobody checks the cardholder's identity either: unlocking the phone that holds the wallet (the device verification step) is all that is required.
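The two issuer-side gaps described in the last two sections (a wallet token that silently follows the account to the replacement card, and "recurring" charges that bypass a block) are easier to see in code. The following is an added example, a constructed model of an issuer's token and authorization policy, not code from the paper, from any wallet provider, or from any bank. The class and field names, the card numbers, and the `zip`/`sms_otp` verification labels are all assumptions made for illustration; the hardened variant shows one reasonable fix beside each gap.

```python
"""Constructed model of an issuer's wallet-token and authorization policy
(added example, not the paper's or any bank's code; all names are assumed)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Verification methods a wallet may offer when a card is added (assumed labels).
WEAK = {"zip", "address", "dob_ssn4"}            # satisfiable from public data
STRONG = {"sms_otp", "email_otp", "phone_call"}  # reaches the real cardholder


@dataclass
class Card:
    pan: str
    holder: str
    status: str = "active"      # "active" or "blocked"


@dataclass
class WalletToken:
    token_id: str
    pan: str                    # card account the token currently maps to
    wallet_owner: str           # account that holds the wallet
    verification: str           # method used when the card was added
    active: bool = True


@dataclass
class Transaction:
    amount: float
    token_id: Optional[str] = None   # wallet payment
    pan: Optional[str] = None        # merchant card-on-file payment
    recurring: bool = False          # merchant flags it as recurring


class Issuer:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.cards: Dict[str, Card] = {}
        self.tokens: Dict[str, WalletToken] = {}
        self.replacement: Dict[str, str] = {}   # old PAN -> replacement PAN

    def issue_card(self, pan: str, holder: str) -> None:
        self.cards[pan] = Card(pan, holder)

    def add_to_wallet(self, token_id, pan, wallet_owner, verification) -> bool:
        # Weak policy accepts whatever method the wallet chose, including ones
        # an attacker can satisfy from public records; hardened requires STRONG.
        if self.hardened and verification not in STRONG:
            return False
        self.tokens[token_id] = WalletToken(token_id, pan, wallet_owner, verification)
        return True

    def report_lost(self, old_pan: str, new_pan: str) -> None:
        """Cardholder reports the card: block it and issue a replacement."""
        old = self.cards[old_pan]
        old.status = "blocked"
        self.issue_card(new_pan, old.holder)
        self.replacement[old_pan] = new_pan
        for tok in self.tokens.values():
            if tok.pan != old_pan:
                continue
            if self.hardened:
                tok.active = False     # suspended until the holder re-verifies
            else:
                tok.pan = new_pan      # gap 1: token silently follows the account

    def reverify_token(self, token_id, requester, verification) -> bool:
        """Hardened flow: only the cardholder, with strong auth, re-binds a token."""
        tok = self.tokens[token_id]
        card = self.cards[tok.pan]
        if (requester != card.holder or tok.wallet_owner != card.holder
                or verification not in STRONG):
            return False
        tok.pan = self.replacement.get(tok.pan, tok.pan)
        tok.active = True
        return True

    def authorize(self, txn: Transaction) -> str:
        if txn.token_id is not None:
            tok = self.tokens.get(txn.token_id)
            card = self.cards.get(tok.pan) if tok and tok.active else None
        else:
            card = self.cards.get(txn.pan)
        if card is None:
            return "declined"
        if card.status == "active":
            return "approved"
        if txn.recurring and not self.hardened:
            return "approved"          # gap 2: 'recurring' bypasses the block
        return "declined"


def run_scenario(hardened: bool) -> Dict[str, object]:
    """Constructed walk-through: Sasha adds the stolen card with ZIP-only
    verification, the victim blocks it, and Sasha keeps trying to charge it."""
    bank = Issuer(hardened)
    old, new = "4111111111111111", "4111111111112222"   # assumed test PANs
    bank.issue_card(old, "victim")
    bank.add_to_wallet("tok-victim", old, "victim", "sms_otp")
    r = {"sasha_added": bank.add_to_wallet("tok-sasha", old, "sasha", "zip")}
    bank.report_lost(old, new)
    r["sasha_wallet_after_block"] = bank.authorize(Transaction(50.0, token_id="tok-sasha"))
    r["sasha_card_on_file_once"] = bank.authorize(Transaction(80.0, pan=old))
    r["sasha_card_on_file_recurring"] = bank.authorize(Transaction(80.0, pan=old, recurring=True))
    r["victim_wallet_before_reverify"] = bank.authorize(Transaction(20.0, token_id="tok-victim"))
    r["sasha_reverify"] = bank.reverify_token("tok-victim", "sasha", "zip")
    r["victim_reverify"] = bank.reverify_token("tok-victim", "victim", "sms_otp")
    r["victim_wallet_after_reverify"] = bank.authorize(Transaction(20.0, token_id="tok-victim"))
    return r


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak", run_scenario(mode))
```

Under the weak policy the attacker's wallet token is approved after the block because it was carried over to the replacement card, and the card-on-file charge is approved as soon as the merchant marks it recurring. Under the hardened policy the ZIP-only binding is never created, every token on the blocked card is suspended rather than migrated, the attacker's attempt to re-verify it is refused, and the legitimate cardholder restores their own token with a strong factor. The model deliberately treats "recurring" as no exemption at all; a real issuer that wants to honour pre-existing subscriptions would need the cardholder to confirm each one after the block rather than trust the merchant's flag.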
Industry Response
The researchers reported these vulnerabilities to major banks and wallet developers in April 2023. Google confirmed that it is working to fix the issues, but other companies have not yet taken action. Apple, PayPal, and Bank of America have not responded to journalists’ inquiries.