Researchers say digital wallet loophole can let thieves use credit cards after they've been reported stolen
HOUSTON - Tap your phone and go! Digital wallets are considered to be a safe way to pay for purchases. But researchers say they have discovered a loophole that can let thieves use a credit card in a digital wallet even after it's been reported stolen.
Digital wallet loophole
What we know:
Your credit card information isn't stored in your digital wallet. It uses what's called tokenization to replace your card number with a unique code for each transaction.
But researchers at the University of Massachusetts Amherst and Pennsylvania State University say the loophole is that tokenization also allows digital wallets to be automatically updated with new credit card information when the original card has been blocked.
Cybersecurity expert Bruce McCully with Galactic Advisors says he tested his digital wallet by telling his bank his credit card had been compromised. He says the bank then blocked the account number and issued him a new one, and his digital wallet was automatically updated with the new card information.
"I went ahead and tested it to see, and my card still continued to work," said McCully.
McCully says this can work whether a thief steals your phone with your credit card in your digital wallet, or steals your credit card and personal information through identity theft, and sets up the card in a digital wallet that the thief controls.
You report the card stolen to your bank when you see unauthorized transactions. You think you're safe, right?
"Not so fast. If the criminal has it in their digital wallet, that token gets updated and the criminal is still charging on your credit card," said McCully.
How to protect yourself
What you can do:
So what can you do to protect yourself?
If your credit card is lost or stolen, McCully says you need to ask your bank to issue both a new card and a new token, or to wipe the account out of your digital wallet.
And in case your phone is lost or stolen, Lisa Gill with Consumer Reports says make sure you have set up a password, fingerprint, or a face scan, both to access your phone, and to use a digital wallet.
"When you go to use the digital wallet, also require another point of authentication. You can pick a different code. That’s the best. Or you can use facial identification," explained Gill.
Gill says Apple and Samsung Wallets already require that authorization in order to make a payment, and you can set it up on other wallets in the settings.
She says you also want to set up the Find My app so that you can wipe your digital wallet remotely if it's stolen.
"You can remotely access the phone and wipe it clean of all access a person can have to any of your information, including your digital wallet information," said Gill.
As another protection, Gill says set up notifications with your bank or credit card lender so that you receive text or email updates when transactions are made.
What they're saying:
Different banks and digital wallet providers have different policies on automatic credit card updates.
For example, American Express's website says that its cards in digital wallets are automatically updated with replacements, while Wells Fargo's site says they're not.
The American Bankers Association says it is not seeing this as a widespread issue. But in the event that it does happen, the association points out that unauthorized transactions are protected and reimbursed by financial institutions. It encourages consumers to monitor their accounts and report fraud to their banks immediately.
PayPal tells us that automatically updating credit card information is determined by the card issuer, not by PayPal.
A Google spokesperson sent us a statement reading, "Security is core to the Google Wallet experience, and we work closely with ecosystem partners to help prevent cases of fraud using our products. For instance, we provide signals to assist card issuers in detecting fraudulent behavior, so they can decide whether to approve a new card to Google Wallet."
The Source: Information in this article is from Galactic Advisors, the research paper from the University of Massachusetts Amherst and Pennsylvania State University, Consumer Reports, the American Bankers Association, Google, and PayPal.