Push Provisioning Fraud
Fraud where criminals use stolen card details to add a victim's payment card to a digital wallet on a device they control, enabling contactless or online purchases without the physical card.
Also known as: digital wallet fraud, mobile wallet provisioning fraud
Last reviewed: 1 June 2026
Push provisioning is the legitimate process by which a cardholder adds their physical card to a digital wallet such as Apple Pay, Google Pay, or Samsung Pay. Push provisioning fraud occurs when a criminal uses stolen card details — obtained from phishing, data breaches, or dark web markets — to provision that card to their own device, effectively gaining the ability to spend using the victim's card without needing the physical card itself.
The attack exploits weaknesses in the bank's identity verification process during wallet enrollment. If the bank relies solely on card details (number, expiry, CVV) to authenticate a new device, a fraudster who has that data can complete provisioning. More robust banks send a one-time password to the registered phone number or require biometric verification, but gaps exist across the industry.
Once provisioned, the fraudster can make contactless payments in shops or online purchases through the digital wallet. Because digital wallet transactions have higher spending limits and may be treated differently by fraud detection systems, significant damage can occur before the victim notices. Card issuers counter this with real-time provisioning alerts to the cardholder and step-up authentication requirements for any new device enrollment.
Examples
- Using card details purchased online, a fraudster successfully adds a victim's debit card to a digital wallet on their own phone and makes several contactless purchases before the victim receives an unusual transaction alert.