Good Carder
Professional
In 2026, attacks on tokenized payments became a reality. Apple Pay and Google Pay, long considered impenetrable thanks to hardware isolation, began to show cracks. The key problem is that the fragility of these systems' browser and app implementations allowed attacks on APIs, device emulators, and, in some cases, the Secure Enclave software stack itself. These are no longer lab exploits — they are operational methods that allow intercepting one-time cryptograms, replacing payment tokens, and, ultimately, processing transactions with stolen cards.
With each successful attempt, the carder penetrates deeper into the infrastructure, turning protected devices into cash-out tools.
Part 1. Tokenization Architecture: How It Works and Where the Loophole Is
Apple Pay and Google Pay are built around the principle of tokenization: instead of a real card number (Funding PAN, FPAN), a unique Device Account Number (DPAN) is stored in the device's memory.
At the time of payment, the device generates a one-time cryptogram using a private key stored in the Secure Element (SE) (iPhone) or TrustZone (Android). This key never leaves the security processor, and the transaction itself is signed with a token unique to each payment.
The cryptogram is a "one-time signature" that confirms that this device authorized the payment. Its lifetime is measured in minutes, and attempting to use it again will result in a "cryptogram expired" error. Each subsequent charge for recurring payments requires new authorization, which again generates a unique token and a one-time cryptographic code.
For the merchant, the process looks like this: they receive an encrypted payment token from the customer — a container containing the DPAN and the cryptogram. The merchant doesn't decrypt this data themselves, but sends it "as is" to their payment gateway. The token, including the DPAN and cryptogram, is decrypted at the gateway or processing center, after which the transaction is verified and confirmed. This blind passage of the token through the merchant's infrastructure is the key vulnerability.
- Main token types: DPAN (Device PAN) – linked to a specific device; can be deactivated when the device is changed or the card is removed. MPAN (Merchant PAN) – not linked to a device; suitable for recurring payments and remains active even if the card is removed from the device.
- The modern approach, MPAN (Merchant PAN): A more advanced form of token that is tied not to a device, but to a contract between the merchant, the customer, and the payment network. In the context of mass attacks, it is convenient for scanning and reuse.
The carder's loophole lies not in directly hacking the SE, but in intercepting the generated token at the application, browser, or network connection level. If an attacker can replace the token recipient or intercept the cryptogram before it reaches the gateway, they will be able to conduct transactions without physical access to the hardware module itself. It is in this "gray zone" between cryptogram generation and its verification that modern attacks are born.
Part 2. Methods of intercepting and substituting payment tokens in 2026
2.1. Application Traffic Interception (MITM and Proxying)
This is the simplest and most accessible method — setting up traffic interception through Burp Suite. It's ideal for test environments without strict certificate checks. However, against secure applications (with API encryption and pinning), this is no longer sufficient.
To implement it, you need:
- Launch Burp Suite on your computer and set up a proxy listener on port 8080.
- Set the same proxy on the target device (iPhone or Android emulator).
- Install the Burp certificate on your device and trust it through the settings (“Certificate Trust Settings” on iOS).
- Launch your bank or payment service app and monitor how it interacts with the tokenization API (e.g., apple-pay-trust/authorize-payment). An app using a secure API must send a payment token and cryptogram.
Burp is powerless against advanced security applications using SSL pinning and socket-level encryption. This is where Frida, a dynamic instrumentation tool that allows intercepting cryptographic calls at runtime, comes into play. A Frida script can intercept a PKPaymentToken object, extract the cryptogram from it before the data is packaged into a network packet, and send it to the carder on the server.
2.2. Intercepting tokens at the browser level (Apple Pay JS and Google Pay Web API)
The most dangerous attack vector in 2026 is spoofing JavaScript events that handle payment tokens in the browser. Developers often integrate Apple Pay into websites via ApplePaySession, where onpaymentauthorized returns the entire token object, including the cryptogram and DPAN. A carder who has injected malicious script (for example, through an XSS vulnerability) can spoof the handler by sending the token to their server in parallel with a legitimate transaction.
Important: In 2026, this method became especially popular on the websites of electronics stores and crypto exchanges that integrate Google Pay via the "push tokenization" API, where the token is returned directly to the callback rather than through the merchant's secure channel.
2.3. Attacks on API processing endpoints
The scheme whereby a merchant sends a raw payment token "as is" has proven to be extremely vulnerable. A carder who intercepts a valid token can send it directly to the transaction process API, replacing the price, recipient, or even the payer's country information. If the cryptogram validation on the server isn't tightly tied to the amount and other contextual details, the attack will be successful.
Part 3. Secure Enclave Emulation and Direct Token Capture
This is the most complex, but technically sophisticated technique, which allows one to completely abandon the interception of network packets.
3.1. SE emulation via software layer
Creating a software (emulated) copy of Secure Element allows you to "trick" the system into believing that all cryptographic operations (key generation and storage) are performed in a secure hardware environment.
In the context of carding, this works like this: the carder deploys a modified version of Android or iOS in an emulator, where all calls to TrustZone (Android) or SEP (iOS) are proxied to their own server. The Secure Enclave (SE) functionality is completely emulated in software. The only invulnerable part is the storage of the unique device identifier (UID), which is hardcoded into the chip.
What's the benefit for the carder? You gain the ability to programmatically generate your own "clean" payment tokens for any cards linked to this emulated "secure environment." You control not just the interception, but the generation process itself.
3.2. Direct API Injection via Frida
A more aggressive method that works on a real (jailbroken or rooted) device. Using Frida, the carder injects its code directly into the application process, intercepting API calls at the kernel level. It can force the application to pass the generated token not to the legitimate merchant, but to a server controlled by the carder.
This approach doesn't require extensive SE emulation and allows for attacks on specific, vulnerable applications.
3.3. Security degradation through legacy protocols
And the worst news is that the old magnetic stripe issue still persists. An Express Transit vulnerability in older versions of iOS allows money to be stolen from a locked iPhone via NFC. The exploit targets Visa cards connected in Express Transit Mode. The carder simply holds the NFC reader to the locked phone. The system interprets the request as a subway payment and, without requiring Face ID, generates a valid cryptogram.
However, this method is no longer suitable for mass production — most devices have received a security update.
Part 4. Real-World Cases and Vulnerabilities
4.1. "Malicious npm Packages" (MAL-2026)
According to the research, malicious packages @apple-pay-trust/authorize-payment (version 99.0.3) and paysafe-apple-pay (99.99.2) were found in npm.
They used typosquatting: inexperienced developers, copying the Apple Pay integration code, accidentally installed a fake library instead of the legitimate one. The malicious code, running on the merchant's server (in Node.js), intercepted payment tokens and sent them to a domain controlled by carders during payment processing. The victim was not the customer, but the merchant itself: its own integration stole money from customers.
4.2. Express Transit Attack (CVE-2026)
In April 2026, a critical vulnerability was confirmed that allowed a carder to withdraw money from a locked iPhone via NFC.
It targeted Visa cards in Express Transit mode. Since the system defaults to contactless payments without authentication in this mode, a carder simply holds a modified reader to the locked phone to obtain a valid cryptogram, which can be used for large purchases. The vulnerability only works for Visa cards, as Mastercard and American Express use stricter data segmentation for transit payments, making them invulnerable.
4.3. SEP Exploitation
The Blackbird vulnerability, disclosed by Pangu Team, affected the A8, A9, and A10 chips. In 2026, it allowed unsigned code to be executed on the SEPROM of older iPhones. While private keys cannot be directly extracted from the SE, control over the SEPROM opens the door to modifying the Secure Enclave firmware and, theoretically, spoofing the payment cryptogram generation algorithm or disabling authentication checks.
Although Blackbird only "fixes" older chips, it demonstrates that even hardware security is not absolute. This technique remains in the hands of the most advanced researchers and APT groups.
Part 5. Protection for merchants and "blocking" wallets for users
5.1. For the seller: how to avoid an attack
A merchant should never trust a client, even if they send a valid payment token.
- Strict context validation. When creating a payment token, always bind it to unique transaction data. The hash should include the amount, currency, order ID, and, preferably, the client's IP address.
- Bypassing trust in customer data. In 2026, it's no longer enough to simply trust the amount transmitted in the payment script. The merchant must double-check the final price on their end, rather than relying on the data sent in the token.
- Supply chain control. Carefully check all npm packages related to payment integration. Download them only from trusted sources and review the code.
- Use tokens in two modes. Understand the difference between DPAN and MPAN. For one-time online payments, it's better to use DPAN, as it's tied to a specific device and is harder to counterfeit en masse.
- Never store cryptograms. Treat them as one-time use and destroy them immediately after the session ends.
Part 6. Checklist: Checking the app for token transparency
Check your application for vulnerabilities of this type:
- Burp / MITM. Is traffic interception configured? Is the application sending PKPaymentToken in cleartext? Do you see JSON with paymentData — a cryptogram dump?
- Session parameters. Are the transaction session parameters (amount) changed in the request without causing a cryptogram verification error?
- Intercepting browser events (Web). Is it possible to override onpaymentauthorized in the browser console and redirect the token to your server?
- Server API (backend). Is the payment token sent directly? Can I change the endpoint or proxy the cryptogram to my server?
- Leak in npm packages. Check all libraries related to Apple Pay/Google Pay for malicious versions.
- Android Emulation. Does the app generate the same payment tokens in the Android emulator as on a real device?
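For the "Supply chain control" item in Part 5 and the "Leak in npm packages" check above, an added example (not code from the original post): an audit of a lockfileVersion 2/3 package-lock.json `packages` map against an allowlist of approved payment packages, flagging names within two edits of an approved one and implausible major versions such as the 99.x releases reported in Part 4.1. The allowlist names and the sample lock file are constructed.

```javascript
// Added example: audit of a package-lock.json "packages" map against an allowlist.
// APPROVED names/versions and SAMPLE_LOCK are constructed; the 99.x entry uses a name from Part 4.1.
const APPROVED = { '@acme-pay/apple-pay-sdk': '3.4.1', 'acme-google-pay': '2.1.0' };
const PAYMENT_KEYWORDS = ['apple-pay', 'applepay', 'google-pay', 'googlepay', 'pay'];

// Levenshtein distance: names one or two edits from an approved one are typosquat candidates.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + sub);
    }
  }
  return d[a.length][b.length];
}

// Strip an npm scope ("@scope/name" -> "name") so typos inside the bare name are compared too.
function bareName(name) { return name.replace(/^@[^/]+\//, ''); }

// lockfileVersion 2/3 layout: keys are "node_modules/<name>", nested for transitive deps.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const version = meta.version || '';
    if (name in APPROVED) {
      if (version !== APPROVED[name]) findings.push({ name, version, reason: 'version differs from pinned approved version' });
      continue;
    }
    if (!PAYMENT_KEYWORDS.some((k) => name.toLowerCase().includes(k))) continue; // not payment related
    const near = Object.keys(APPROVED).find(
      (a) => editDistance(a, name) <= 2 || editDistance(bareName(a), bareName(name)) <= 2,
    );
    findings.push({ name, version, reason: near ? `looks like a typosquat of ${near}` : 'payment-related package not on the allowlist' });
    const major = parseInt(version.split('.')[0], 10);
    if (Number.isFinite(major) && major >= 50) findings.push({ name, version, reason: 'implausibly high major version' });
  }
  return findings;
}

// Constructed lock file: one approved SDK, one typosquat (capital I), one 99.x package, one unrelated dep.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'shop-backend', version: '1.0.0' },
  'node_modules/@acme-pay/apple-pay-sdk': { version: '3.4.1' },
  'node_modules/acme-googIe-pay': { version: '2.1.0' },
  'node_modules/@apple-pay-trust/authorize-payment': { version: '99.0.3' },
  'node_modules/express': { version: '4.19.2' },
} };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Findings are review prompts, not verdicts: the approved SDK at its pinned version and unrelated dependencies produce nothing, while the typosquat and the 99.x package each come back with a reason a reviewer can act on.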
Part 7. Summary
Tokenized payments are no longer absolute security. Apple Pay and Google Pay have changed the game, making digital wallets popular, but they've also created new vulnerabilities. Carders' arsenal in 2026 includes MITM interceptions, attacks on npm packages, emulating security through software layers, and even exploiting SEP on older phone models.
Key findings:
- A valid token is no guarantee of security. Modern token-hijacking attacks demonstrate that even a valid cryptogram does not prove the purchaser's authenticity.
- SE is not the Holy Grail. Vulnerabilities in the software layer (SSL, API, integration) make hardware protection partially useless. Moreover, on older devices, SEP is directly exploited.
- Attacks at the API and npm levels are the most dangerous. They allow carders to steal tokens from thousands of store clients, rather than attacking each one individually.
A quick one-line reminder:
"The DPAN lives on the device, but the cryptogram is generated at the moment of payment. Intercept the cryptogram before the gateway and gain control of the transaction. NPM already has counterfeit Apple Pay packages that steal tokens. Express Transit Visa on older iPhones is a security hole. An attack on SEP is a way to spoof cryptogram generation at the kernel level. In 2026, the fight is not for plastic, but for tokens. Capture the token, capture the money."
