Adding crypto to payment cards is playing with fire

Payment cards linked to cryptocurrencies are booming. But adding a volatile, fraud-ridden new technology (crypto) to a rickety old one (card payment networks) risks all kinds of new problems. Even on their own, payment cards are not immune to fraud. In an earlier New Money Review article, I explained why the 50-year-old payment card technology still has flaws. This is despite the fact that over the years we have added a number of security features, such as EMV chips and PIN codes, to early cards, which required just a signature or an easy-to-clone magstripe to approve transactions. But adding crypto to the mix raises the risks considerably. To show why, in this article I focus on those payment cards that offer crypto cashback (a reward paid in cryptocurrency each time the card is used). This combination creates some interesting new vulnerabilities, threatening the financial technology firms (‘fintechs’) issuing crypto cards. Read on for more.

A reminder to readers, including regulators and those working in the industry: if we write about payment card fraud, it’s not because we want to help criminals. Fraud is a cost paid by everyone in society. Highlighting vulnerabilities and making them public puts peer pressure on those companies that do not want to take any steps to improve their security, leaving card users without protection and opening the door to bigger criminal schemes.

What is cashback?

Cashback is a monetary reward for each card transaction, paid to you by your card issuer, say a bank or a fintech. For example, Chase offers 1% cashback on debit cards and contactless spending to each new customer in the UK for one year. Fintech card issuer Curve offers 1% cashback at certain retailers for customers who choose a paid subscription.

If you look at the cashback offerings that don’t involve cryptocurrency, you’ll notice that the cashback rate is almost always between 1-2% of the transaction value. This is because intermediaries are effectively refunding the 1-2% in fees they traditionally made on card-based transactions. Most card users are completely unaware of these fees because they can’t see them. But traditionally, if you paid £100 by debit card in a store, the merchant would only receive £97.50-£98 of the total. The rest would go to the card scheme manager (say Visa or Mastercard), the merchant’s bank (called the acquiring bank) and your card issuer (often a bank as well). The last fee, called the interchange fee, would typically take the highest share, and it’s this that largely funds the cashback. Interchange fees have been capped by regulation at 0.2-0.3% in Europe (0.2% for consumer debit cards, 0.3% for consumer credit cards), but in the US they can still reach a fat 2%. In the pie chart we show how the card scheme manager’s fee, the acquiring bank’s fee and the issuing bank’s fee are taken out of a hypothetical £100 card payment. This is for illustrative purposes only; actual fees may be different.

Where a £100 card payment ends up (not to scale)

When it comes to cashback paid in cryptocurrency, you won’t be surprised to hear that the rates offered to encourage you to spend through a crypto-linked Visa or Mastercard are more tempting. A December 2022 survey of crypto-based cashback offerings showed cashback rates of up to 9%! Returns like these would be a honeypot for criminals if they could find a way to exploit the cashback offerings. But how?

Settlement mismatch

The settlement of card transactions can take up to 5-7 days. For this reason, most card issuers don’t give you cashback immediately after you use the card to make a payment; they wait until the funds have actually cleared in whichever settlement system they use. But some crypto startups we looked at make the mistake of depositing cashback to your account immediately. And this opens up the theoretical possibility of being able to make a transaction, cancel it later, receive the cashback in the interim and spend it.

I decided to put the theory to a test. I found you could use the ‘buy now pay later’ (BNPL) credit offered at the online checkout by fintech Klarna to buy a £300 item on Amazon. Then you could add a Crypto.com card as your source of payments to Klarna. (We’re not pointing fingers at these firms or suggesting their practices are any worse than those in the rest of the industry, but they were the ones we used in our test).

To borrow £300, Klarna will ask you to pay the first third upfront (you pay in three instalments). So £100 will be taken from your Crypto.com card, and you will immediately get cashback for that purchase. Crypto.com pays its highest cashback rates not in cash but in its own token, CRO, which adds a layer of crypto risk to the scheme. If you then cancel your purchase (you do not buy anything from Amazon using credit from Klarna), you will get your £100 down payment back. By that time, though, your cashback could already be gone, sold for Bitcoin, Tether or whatever.

Wrong payment categories

Most of the time, cashback is limited to certain types of purchases (‘merchant categories’, in card jargon): for example, you only get cashback if you use your card to pay in supermarkets or restaurants. If you use your card to pay another bank, another card firm, the taxman, or for fines or government services, there is no cashback. It would also be unfair to offer cashback to someone using their card to play at the casino or to fund their online brokerage account to gamble on Tesla shares. In these cases, you are not spending money, just moving it from one pocket to another. Nevertheless, some smart crooks found a way of using a Visa card to circle money in a loop between accounts at different Russian banks, picking up air miles on each transaction. And I found that paying BNPL provider Klarna, a financial services firm, with a Crypto.com card still earned cashback.

Cashback from Crypto.com for a payment to Klarna

Pre-authorisation charges

Another problem could lie in the way cashback is calculated. When you check into a hotel, you hand over your card, and the check-in manager will “hold” or “pre-authorise”, say, $1,000 in your card account. When you later check out, a large part of the money will be returned to the card account (as long as you haven’t trashed your room). Let’s imagine that at check-in, a fintech sees the $1,000 “pre-authorisation” and pays you 4% cashback ($40 in this case). But if $500 is then sent back to you by your hotel, only $20 should remain in your cashback account. I decided to conduct a cheaper version of this test and went on New Year’s Day to buy some petrol at a self-checkout pump. For cashback, I used my Crypto.com card.

What normally happens at this point is that the self-checkout will authorise an “offline” £100 payment from your card, enough to cover the cost of a full tank of petrol. After a few days, when the system works out how much you have actually spent, it charges you that and returns the remainder of the pre-authorised charge. But in my test, Crypto.com gave me cashback for the full £100 pre-authorisation amount and then, amazingly, added even more cashback once a different sum was actually charged!

Cashback from a £100 petrol pump pre-authorisation

A day later, I received a second cashback payment
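The three problems described so far (cashback paid at authorisation and never taken back when the money is refunded, cashback on a payment to a financial firm, and cashback paid on both the hold and the final charge) all come down to which card events a cashback engine credits and whether it ever debits. The simulation below is an added example, not code from this article or from any card issuer. It replays constructed card events through a naive policy that matches the behaviour described above and a hardened policy that credits only the captured amount, nets out refunds and honours merchant-category exclusions. The 4% rate, the £35 petrol charge, the transaction ids and the set of excluded merchant category codes are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN
from typing import Dict, FrozenSet, Iterable

RATE = Decimal("0.04")   # assumed 4% cashback rate, as in the hotel example
PENNY = Decimal("0.01")

# Merchant category codes (MCCs) that should never earn cashback. The choice of
# codes to exclude is an assumption for this example; the scheme-published MCC
# tables are the real source. 6012 = financial institutions, 7995 = betting.
EXCLUDED_MCCS: FrozenSet[str] = frozenset({"6012", "7995"})


@dataclass(frozen=True)
class Event:
    kind: str          # "auth" (a hold), "capture" (the final charge) or "refund"
    txn: str           # ties captures and refunds to the original authorisation
    amount: Decimal
    mcc: str = "5411"  # grocery stores, i.e. an ordinary cashback-eligible purchase


@dataclass(frozen=True)
class Policy:
    credit_on: FrozenSet[str]     # event kinds that trigger a cashback credit
    claw_back_refunds: bool       # debit cashback when money goes back to the card
    honour_mcc_exclusions: bool   # skip excluded merchant categories entirely


# The behaviour the article describes seeing: cashback on the hold, cashback
# again on the capture, nothing taken back on a refund, finance MCCs rewarded.
NAIVE = Policy(frozenset({"auth", "capture"}), False, False)
# What an issuer should do: credit only the cleared capture, net of refunds.
HARDENED = Policy(frozenset({"capture"}), True, True)


def reward(amount: Decimal) -> Decimal:
    """Cashback on one amount, truncated to the penny so rounding never overpays."""
    return (amount * RATE).quantize(PENNY, rounding=ROUND_DOWN)


def cashback_balance(events: Iterable[Event], policy: Policy) -> Decimal:
    """Replay card events under a policy and return the customer's cashback."""
    balance = Decimal("0.00")
    credited: Dict[str, Decimal] = {}  # credit per transaction, so clawback is capped
    for e in events:
        if policy.honour_mcc_exclusions and e.mcc in EXCLUDED_MCCS:
            continue
        if e.kind in policy.credit_on:
            r = reward(e.amount)
            balance += r
            credited[e.txn] = credited.get(e.txn, Decimal("0.00")) + r
        elif e.kind == "refund" and policy.claw_back_refunds:
            # Take back pro rata, but never more than this transaction earned.
            r = min(reward(e.amount), credited.get(e.txn, Decimal("0.00")))
            balance -= r
            credited[e.txn] = credited.get(e.txn, Decimal("0.00")) - r
    return balance


D = Decimal
# Constructed scenarios, not real card data.
KLARNA_STYLE_LOOP = [  # pay a BNPL deposit to a financial firm, then cancel the order
    Event("auth", "t1", D("100"), mcc="6012"),
    Event("capture", "t1", D("100"), mcc="6012"),
    Event("refund", "t1", D("100"), mcc="6012"),
]
PETROL_PUMP = [        # £100 hold at a service station, £35 actually dispensed (assumed)
    Event("auth", "t2", D("100"), mcc="5541"),
    Event("capture", "t2", D("35"), mcc="5541"),
]
HOTEL = [              # $1,000 hold at check-in, $500 charged at check-out
    Event("auth", "t3", D("1000"), mcc="7011"),
    Event("capture", "t3", D("500"), mcc="7011"),
]
CANCELLED_PURCHASE = [  # ordinary £300 purchase, fully refunded later
    Event("capture", "t4", D("300")),
    Event("refund", "t4", D("300")),
]

if __name__ == "__main__":
    for name, events in [("BNPL loop", KLARNA_STYLE_LOOP), ("petrol", PETROL_PUMP),
                         ("hotel", HOTEL), ("cancelled", CANCELLED_PURCHASE)]:
        print(f"{name:10} naive={cashback_balance(events, NAIVE)} "
              f"hardened={cashback_balance(events, HARDENED)}")
```

Under the naive policy the petrol pump scenario pays 5.40 (4.00 on the hold plus 1.40 on the charge), the hotel pays 60 instead of the 20 the text says it should, and the cancelled purchase leaves 12.00 of cashback on a purchase that never happened; the hardened policy pays 1.40, 20.00 and 0.00 respectively, and nothing at all on the payment to a financial firm. The per-transaction `credited` map is what makes clawback safe: a refund larger than the original charge, or a second refund, cannot push the customer's balance below what that transaction actually earned.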

Bad maths

Banks and fintechs should know for sure how to count money, but sometimes they don’t do it correctly. Here’s a common example of how cashback is calculated wrongly. Customer A pays £0.25 and gets £0.01 in cashback (4%). But if he pays £0.13, he will also get £0.01 in cashback, which is 7.7%. The issue here is the way currencies are rounded. In fiat currency, banks round to two decimal places. So 4% of £0.13 is £0.0052, which gets rounded to the closest penny (£0.01). Cryptocurrency, by contrast, can carry as many digits after the decimal point as you like, so there is no need to round the reward up at all. To exploit this flaw, which involves relatively small cash amounts, you’d need to find a way of doing things at an industrial scale. That is not infeasible: cryptocurrency is programmable money.
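The rounding effect above is easy to quantify, and quantifying it shows both how an attacker would scale it and why truncating (rounding down) or paying in a currency with more decimal places closes it. The script below is an added example, not code from the article; the 4% rate, the £100 spend being split and the eight-decimal crypto precision are assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

RATE = Decimal("0.04")             # assumed 4% cashback rate, as in the text
PENNY = Decimal("0.01")
SATOSHI = Decimal("0.00000001")    # eight decimal places, assumed crypto precision


def _d(x) -> Decimal:
    """Accept str or Decimal amounts without ever going through float."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def cashback_fiat(amount, rate: Decimal = RATE) -> Decimal:
    """Reward as a bank books it: rounded to the nearest penny, half up."""
    return (_d(amount) * rate).quantize(PENNY, rounding=ROUND_HALF_UP)


def cashback_fiat_round_down(amount, rate: Decimal = RATE) -> Decimal:
    """Same, but truncated: the effective rate can never exceed `rate`."""
    return (_d(amount) * rate).quantize(PENNY, rounding=ROUND_DOWN)


def cashback_crypto(amount, rate: Decimal = RATE) -> Decimal:
    """Reward carried to eight decimals, so rounding gain is negligible."""
    return (_d(amount) * rate).quantize(SATOSHI, rounding=ROUND_DOWN)


def effective_rate(amount, reward) -> Decimal:
    return _d(reward) / _d(amount)


def most_profitable_amount(reward_fn, rate: Decimal = RATE, max_amount="1.00"):
    """Scan 0.01..max_amount a penny at a time and return the payment size
    with the highest reward-to-amount ratio, i.e. the attacker's ideal unit."""
    best_amount, best_rate = None, Decimal(0)
    amount = PENNY
    while amount <= _d(max_amount):
        r = effective_rate(amount, reward_fn(amount, rate))
        if r > best_rate:
            best_amount, best_rate = amount, r
        amount += PENNY
    return best_amount, best_rate


def split_and_reward(total, unit, reward_fn, rate: Decimal = RATE) -> Decimal:
    """Pay `total` as many payments of `unit` plus one remainder, summing the
    reward on each, as programmable money makes trivial to automate."""
    n, remainder = divmod(_d(total), _d(unit))
    reward = reward_fn(unit, rate) * int(n)
    if remainder:
        reward += reward_fn(remainder, rate)
    return reward


if __name__ == "__main__":
    unit, rate = most_profitable_amount(cashback_fiat)
    print(f"best unit under half-up rounding: £{unit} at {rate:.2%}")
    for name, fn in [("half-up fiat", cashback_fiat),
                     ("round-down fiat", cashback_fiat_round_down),
                     ("8-decimal crypto", cashback_crypto)]:
        print(f"£100 as £{unit} payments, {name}: £{split_and_reward('100', unit, fn)}")
```

With half-up rounding to the penny, £0.13 is the most profitable payment size (£0.01 back, a 7.7% effective rate), and £100 split into 769 such payments earns £7.69 instead of the £4.00 a single payment would. Truncating to the penny reduces the same split to £0.00, and an eight-decimal crypto reward brings it back to exactly £4.00, which is why the fix is either to round down or to compute the reward at the precision the payout currency actually supports.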

Fake invoicing

Another method, where a rogue merchant issues invoices and refunds constantly, generating cashback each time, is similar to long-standing criminal schemes like VAT fraud. If the criminals can use more than one account to multiply the amount of cashback, even better for them. In a March 2022 New Money Review article, I showed how easy it is to open savings accounts using a fake name. Once the money generated by a rogue invoice has cleared, the criminals can move their cashback to another savings account or spend it. The refunds take place only after the cashback has been spent. This would create a negative balance in the cashback account, which the card issuer would have to deal with. Maybe all the transactions would be annulled. In any case, the rogue merchant would be paying the card issuer up to 2% in fees on each transaction, a cost that the cashback earned by the scheme would more than cover.

What next?

Crypto fintechs appear to know that they have issues with their cashback card schemes. Crypto.com, in common with most tech firms, rewards hackers who highlight vulnerabilities in its service. “Crypto.com recognizes the importance of security researchers in helping keep our community safe,” the firm says. “We encourage responsible disclosure of security vulnerabilities via our bug bounty program described on this page,” it goes on. But the firm explicitly excludes cashback from its bug bounty program: it says that “CRO cashback gained via a typical purchase, payment or cash advance” doesn’t qualify to earn a bounty.

Does that mean it’s concerned about the overall state of cashback security and the bug bounties that it might have to pay out? Or perhaps it doesn’t see cashback fraud as a significant risk. To get 3% cashback or more, you need to deposit $50k in crypto with Crypto.com, so perhaps that mitigates fraud concerns. Other fintechs treat cashback abuse schemes more seriously. In December, card issuer Discover said it had stopped accepting applications for its new cashback debit account product because of high levels of fraud.