Banks often allow this because it's convenient.
No, they allow it because it's cheap and easy for them. And any incurred cost is hoisted upon the customers' back.
Digital wallets like Apple Pay, Google Pay, and PayPal can be used to conduct transactions using stolen and cancelled payment cards, according to academic security researchers. These flaws – some of which have been addressed since responsible disclosure last year – allow an attacker armed with limited personal information to …
There's no cost incurred on the customer if it is a credit card, at least not in the US.
So I really don't concern myself with someone stealing my credit card or credit card number. Yeah I try to prevent it because it is still an inconvenience, but it will never cost me a dime so my concern over what these researchers have found is exactly zero. It isn't my problem, it is the bank that issued my credit card who will be held responsible for any unauthorized charges. They are the ones who would benefit from ensuring that cards in a digital wallet get revoked when the card is reported stolen, not me. I could care less.
The banks cover most of these costs and they're now so ubiquitous that it's simply seen as part of bank's running costs. If they made the customers cover the losses then no one would ever want a credit card, so the banks cover the costs to ensure everyone keeps racking it up and contributing to the trillions in debt the world owes 'cos debt makes the world turn.
The average UK CC debt is around $2500/pp and we're only #7 highest CC debt holders in the world. The banks love all those 25% APR payments coming in every year and that far offsets a few losses incurred through fraud. US, Japan and Sweden of all places are the top 3 CC debt holders in the world.
Years ago I cut up a credit card in front of a bank manager's eyes after he accused me of theft: by using per the terms and conditions and paying off any outstanding debit in the interest-free period.
Here in Germany, I was amazed to discover that what the bank (a different bank!) called a 'credit card' not only _required_ that the balance be paid off at the end of the month but also made a non-inconsequential charge for the privilege of holding the card in my wallet. I didn't bite... these days I use a credit card for significant purchases - travel tickets mostly - and continue to pay off at the end of the month.
... and continue to pay off at the end of the month.
Indeed.
That is the only way to use a CC.
Otherwise, you are getting screwed once a minute.
It is nothing less than legalised loan-sharking.
Banking regulations and regulating bodies?
Yes, I've heard of them ... 8^/
Many years ago, I had the misfortune of going through a very long dry spell* and took to using my two CCs to sort of manage when cash dried up.
* ever heard of economic austerity policies?
Never again.
From that experience, I learned that a CC is nothing but another payment method, an alternative to cash-in-hand, not a healthy way to finance anything.
ie: you must be absolutely certain that the total sum of anything you have paid for with a CC (promos or any such crap) will be available in your bank account by the time CC payment is due.
Otherwise, your CC is a sure road to endless grief and worry.
.
"... and continue to pay off at the end of the month.
Indeed.
That is the only way to use a CC."
That's not a good way to better your credit score and can even be a negative if you never show you are good with paying for purchases in installments. I pay for a lot of things with cash and stuff that's tracked anyway such as utilities and taxes I'll pay by debit card. The credit card I keep for surprise expenses and for things like hotel rooms and car rentals where they require a credit card.
The only exception I make is when they're dumb enough to extend an offer that lets me make money. Last year I got a come-on from one of my cards for a 12 month no fee balance transfer. I usually feed those directly to the shredder, but it also mentioned in big bold letters that for a limited time only it came with a 2% balance transfer fee. In my experience those are usually 3 to 5%. I'd never seen 2%.
So I maxed it out with a $25K balance transfer and took advantage of an offer I'd just seen from my bank for a 5.05% 12 month CD. Went online and put the card on autopay for the minimum payment, and figure after tax I'll make around $500 on the deal. I have a reminder in my phone to pay it off once the term is up (the CD maturing will also remind me) and then I'll pay it off in full. I guess the card issuer believed enough people would take the big balance transfer and spend it, or forget to pay it off.
Or maybe that they'd just forget - just one month's crazy high interest rate if you couldn't or simply forgot to pay it off until you saw the statement would let the bank break even, after that it's all profit for them.
> ... buy a car on a credit card - they were offering a percentage cashback ...
Would not dream of doing something like that.
Where I currently reside, banks would charge you a life insurance fee for the total unpaid balance you had on your credit card.
The fee was a percentage on the amount owed which, most if not all of the time, greatly reduced whatever benefit you thought you were getting.
And it was not optional.
No *twice fooled* for me.
Benefits from a bank? 8^D !!!!
Only if you are a shareholder, and even then, only if you are one of the fat cats.
A bank, just like an insurance company, will always fuck you over.*
Twice, just in case.
.
* a fact that should be taught at elementary school level
IIRC at the time (eighties) it was illegal to charge differently depending on payment method (though you would of course get stung on any interest charges on a loan). I know the cashback system was around for years, but I suspect it's long gone, though I see it sometimes on balance transfer offers.
I did buy, much more recently, an I-have-to-have-wheels-by-monday banger for a grand or so, and was charged a percentage for a credit card then. Curiously, I kept that car for three or four years and then gave it to a friend when I left the UK; as far as I know he's still running it.
IIRC at the time (eighties) it was illegal to charge differently depending on payment method
But nothing would obligate them to accept credit cards as payment for a vehicle.
I can't imagine that type of payment is too common so having a policy of "credit cards not accepted" seems like it isn't going to hurt your sales. It would hurt your sales a whole lot more if you said "cash not accepted" because that's how drug dealers (or business owners who cheat on taxes) have a lot of cash lying around and buying a car is a good place to unload some of it.
"I'm surprised the dealership would let you buy a car with a credit card without charging a percentage to cover the merchant fee."
You have to purchase the car at the right time. If the dealer needs a couple of more sales to hit the next goal for the quarter/year to get more allocation on a popular model or other incentive, they'll waive fees. If they have a couple of the least popular color of something on the lot gathering dust, they will wheel and deal on those too. It's worth doing a bit of research and being flexible on color/options. There's no way to get a deal on a popular new model in the most popular color with the most popular options. The dealers know they'll have no problem selling those quick with undercoating and paint protection addons.
"Still paid it all off at the end of the month :)"
You may have done better to pay a little interest by paying off much of the balance the first month and then the remainder over the next 2-3 billing cycles. Often, that's the trigger to get some good offers or an increase in your limit (which you don't have to accept if it puts you in a bad place).
Here in Germany, I was amazed to discover that what the bank (a different bank!) called a 'credit card' not only _required_ that the balance be paid off at the end of the month but also made a non-inconsequential charge for the privilege of holding the card in my wallet
Sounds like American Express. That was originally the model, because it was about the convenience of not carrying cash, not buying stuff today that you don't have the money for. You had to pay to have it, but it provided some good services in return for "membership", which you didn't get with lesser cards. If you traveled a lot, having an American Express was a no brainer, because originally it was more widely accepted around the world BY FAR than competing cards.
It was only when (what is now) Visa and Mastercard figured out they could use charge cards as a way of extending CREDIT at rates much higher than they'd be able to get away with for people applying at the bank itself that their member banks decided letting them keep a balance month to month was worth the risk of having to write off some of that debt.
They were eventually able to dislodge most of the people using American Express by offering "rewards" in the form of airline miles or cash back, since the rewards you got for American Express were mostly replicated by these cards especially the hotel and airline branded ones. Now unless you have a black Amex (invitation only, for really high spenders) it doesn't make much sense. Maybe the Platinum Amex still has enough extra benefits it makes sense for some people, though I suspect carrying that is more about a status symbol than anything else.
"The banks love all those 25% APR payments coming in every year and that far offsets a few losses incurred through fraud. "
25%? Luxury!
I was looking at the Amtrak rewards card and they don't have a default rate due to their normal rate being over 28%. I like taking train trips so earning points on day to day purchases would be useful, but I'm not sure about signing up for that sort of interest rate when I have a non-rewards card that's less than half if I carry a balance.
"The researchers explained they disclosed their findings to relevant US banks and digital wallet providers in April 2023. Chase, Citi, and Google reportedly responded.
"At the time of writing this paper, Google is working with the banks from its end to address the reported issues on Google Pay," the paper notes. "The banks, however, reported to us that the disclosed attacks are not possible anymore … "
Google say they are working on the issues, yet the banks say the attacks are no longer possible. So either someone is lying, or Google are wasting their time working to address issues that no longer exist as the attacks are no longer possible.
In the UK I don't think banks will "allow recurring payments on locked cards" mine certainly won't. I know from experience my bank will block a recurring payment on a card that is no longer valid (canceled or date expired). I suspect that is true of most if not all banks, because banks are responsible for transactions after they have been informed a card has been lost or stolen.
The two banks are US based, Google Pay has presence in many countries. Even if the two banks have entirely addressed the problem in the US (I doubt it), it still leaves other countries vulnerable.
It's not the invalid card that's used for the payment, it's a token (which is basically a PAN itself) that was issued using the then still valid card.
The article explains that once issued, those tokens had their own life, independent from the card.
Tokens go beyond wallets. For example, nowadays, when saving a card on a website for a subscription or recurring payment, it's not the actual card number that's saved, but a token. It's good for security, it means if the site leaks, it can't be reused. But conversely, many banks made token renewal the default when the card expires. So subscriptions don't automatically end with the original card if you forget them.
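The token lifecycle described in the comments above, as an added example that is not part of the thread: a toy issuer model (all class names, PANs and tokens are constructed) in which a token keeps authorizing after its card is reported stolen, next to the variant where card revocation cascades to every token provisioned from it.

```python
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Toy issuer: cards (PANs) plus the wallet/merchant tokens provisioned from them."""
    cascade: bool                                    # True = token status follows card status
    card_active: dict = field(default_factory=dict)  # pan -> bool
    tokens: dict = field(default_factory=dict)       # token -> {"pan": ..., "active": ...}

    def issue_card(self, pan):
        self.card_active[pan] = True

    def provision_token(self, pan, token):
        # Tokens can only be minted from a card that is valid at provisioning time.
        if not self.card_active.get(pan):
            raise ValueError("cannot tokenize an inactive card")
        self.tokens[token] = {"pan": pan, "active": True}

    def report_stolen(self, pan):
        self.card_active[pan] = False
        if self.cascade:
            # Hardened behaviour: revoke every token derived from this card.
            for entry in self.tokens.values():
                if entry["pan"] == pan:
                    entry["active"] = False

    def authorize(self, token):
        entry = self.tokens.get(token)
        if entry is None or not entry["active"]:
            return False
        # Hardened behaviour: re-check the underlying card on every authorization.
        if self.cascade and not self.card_active[entry["pan"]]:
            return False
        return True


def token_survives_cancellation(cascade):
    """Provision a token, report the card stolen, then try to pay with the token."""
    issuer = Issuer(cascade=cascade)
    issuer.issue_card("PAN-CONSTRUCTED-1")
    issuer.provision_token("PAN-CONSTRUCTED-1", "TOKEN-CONSTRUCTED-1")
    issuer.report_stolen("PAN-CONSTRUCTED-1")
    return issuer.authorize("TOKEN-CONSTRUCTED-1")


if __name__ == "__main__":
    print("independent token lifecycle:", token_survives_cancellation(False))
    print("cascading revocation:       ", token_survives_cancellation(True))
```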
In the UK I don't think banks will "allow recurring payments on locked cards" mine certainly won't.
It's some six or seven years ago now, but mine did. Had my card skimmed somehow and the bank spotted a large payment ~£300 which they blocked and reported to me. Once we'd sorted out what was going on they cancelled the card and sent me a new one. I discovered on receiving my next statement that there was a monthly payment going out to Netflix which I hadn't set up. At the time I didn't have any continuous card authorisations on the account, so argued that surely that (along with its start date) was suspicious too. The bank initially argued but eventually refunded the payments "as an act of goodwill".
Fortunately not had it happen since so couldn't say if that's still the policy.
M.
When ApplePay came out, I added my wife's MC (Debit Card) to her wallet, by just taking a photo of the card number, and entering the CCV. About two years later, when I got my first iPhone I had to download the bank's app and authenticate in the app, in order to add the card to ApplePay.
Lo and behold, my wife's Apple Pay once authorized kept working - and when she finally replaced her iPhone years later I could not add back the very same debit card, the bank explained the credentials only work for the app on a single device and to add the card for her I needed to open a second account (pay through the nose). Secondary cards are not supported for ApplePay the bank explained, even though it was working all the time - she loved paying with her Apple-Watch.
Yes, if the account remains active - wallet tokens once authorized remain active (for more than 3 years in my case).
"banks do not require point of sale terminals in stores to verify the identity of the cardholder – verifying the identity of the device-holder is enough"
Which is why so many electronic transaction methods (notably "tap") remain fragile and abusable.
...tap in a PIN at the POS (interpret as you like) terminal.
Would be cool if you could set them up to follow the card-holder's chosen preference: "Never" (for the gullible), "Random / every X(10?)th payment + on bigger amounts" (as seems to be the default now, at least where I live), or "Always" (for the more paranoid among us).
The banks are insecure.
It's also been known for years that the chip and pin system only came about so they could pass the issue onto customers. So if there was fraud, they can blame the user "You must have given out your pin".
My friend had her card cloned. It was used in town where we work. Then, 5 mins later it was used 100 miles away. She reported it, the bank tried to claim "No, it's your fault, you've obviously given your details to someone who's using your card". She had to ask them, "Explain how that person, in 5 mins, flew/drove 100 miles away to use the card again. Clearly it's been cloned".
Fucking banks.
I have had this yesterday with Chase.
Was working away, and my phone pops up with a notification that someone tried to buy something for £59.98 off of Wayfair. I don't use Wayfair, and I didn't buy anything then either. This was followed by two missed calls within a minute of the transaction from a withheld number. Thankfully because I'm skint there wasn't enough money in the account.
Messaged Chase about it and they said it was the virtual card that was used, which they've since reset. I had 20 questions about it, and essentially it was "you must have given the details to someone". I fucking didn't. That card is on my ApplePay. Somewhere I've used it and this has happened. If a website offers ApplePay I'll use it, but thinking about what I've bought etc they've all been fairly good retailers. Only time a place has been a bit sketchy has been petrol stations, but that's it.
Never had a card cloned like this before in my life, even my wife said she was surprised as I'm usually careful. Which I am. So in my mind either a petrol station clerk has pulled a fast one, or there is a website I've used in the past that's been targeted. Given the account is only a year old it wouldn't be hard for me to work it out. Same as Chase. But no of course it's obviously something I've done wrong by giving my bank details out that's caused this.
But I concur, fuck banks.
Then fortunately for her, it was not chip and pin that was used, because there's currently no known way to clone the chip. The magnetic strip, on the other hand, is easy to copy, and that's why it's now being removed from cards.
We French invented chip and pin, and after decades of using it, there's no doubt it greatly curbed card fraud. What's left of it is targeting the strip, which can't be used domestically anymore, or the PAN, which mandatory MFA like 3Dsecure greatly helps (my card has a rotating CVV in addition, changing every hour or so).