Washington Post [unpaywalled]: “Scams just keep popping up when you Google. On Monday, I found what appeared to be impostors of customer service for Delta and Coinbase, the cryptocurrency company, in the “People also ask” section high up in Google. A group of people experienced in Google’s intricacies also said this week that it took about 22 minutes to fool Google into highlighting a bogus business phone number in a prominent spot in search results. This fits a persistent pattern of bad guys finding ways to trick Google into showing scammers’ numbers for airlines, hotels, local repair companies, banks or other businesses. The toll can be devastating when people are duped by these bogus business numbers. Fortune recently reported on a man who called what a Google listing said was Coinbase customer support, and instead it was an impostor who Fortune said tricked the man and stole $100,000. Scammers impersonate businesses and government agencies all over the internet. But Google search is unique …

Fraudsters can add stolen payment cards to digital wallet apps and continue making online purchases even after victims’ report the card stolen and the bank blocks it, computer engineers with University of Massachusetts Amherst and Pennsylvania State University have discovered.Convenience > security

Different users can add the same card to different digital wallets on different mobile devices. The feature is exists to make it easier to share a card within a family, but can be easily exploited by malicious individuals.

Adding the card to a different wallet and making fraudulent purchases is made possible by the trust banks have in the digital wallet apps’ security mechanisms.

[4 or 5 weaknesses or assumptions?]

Banks rely on the app to chose the authentication scheme (usually the weaker, knowledge-based one) to authorize the linking of the card with the app, and the rely on in-device biometric verification methods to identify the cardholder authorizing the transactions (but it assumes that the owner of the phone is the cardholder).

Finally, the banks allow payments for subscription-based services even on lost / stolen cards so that the cardholder doesn’t incur late payment fees / penalties. Fraudsters can make one-time transactions but mark it as a recurring payment, thus bypassing the bank’s transaction authorization restrictions.

As an added drawback, once stolen card numbers are saved in a fraudster’s digital wallet, they are there and will continue to work even if the cardholder requests a card replacement and the bank issues a new card.

“Banks do not re-authenticate the cards stored in the wallet. What they do is they simply change the virtual number mapping to the new physical card number,” Raza explained. Thus, fraudulent purchases continue to go through.

Advice for banks – The only potential barier to adding a stolen card to a new wallet app is if the victim locks the card before that can be done. Barring that, the attackers can covertly make fraudulent purchases that can ultimately only be recognized and disputed by the victim.

They advised banks not to rely on the wallet apps and their preferred legacy authentication methods when it comes to adding cards into wallets. They suggest using push notifications or passcodes.

Banks should also periodically re-authenticate the wallet and refresh the payment token issued to it, especially after events like card loss. And, finally, banks should evaluate the metadata of transactions so they can “see” whether a payment is one-time or recurring (and not rely on merchants for that info).

…

Tags:

Paul also alleged that the U.S. Department of Homeland Security’s Office of Inspector General had identified deficiencies in TSA’s management of the Quiet Skies program. The senator’s letter is supported by The Air Marshal National Council (AMNC) and Empower Oversight.