The Green Sheet

Friday, September 6, 2024

Researchers ID digital wallet vulnerabilities

A trio of academics published the results of a study of digital wallets that concludes reliance on outdated authentication methods, and prioritizing convenience over security, leaves users vulnerable to fraud.

"What we discovered is [that] these digital wallets are not secure," said Taqi Raza, assistant professor of electrical and computer engineering at the University of Massachusetts Amherst, and one of the authors of the report. "The main reason is that they have unconditional trust between the cardholder, wallet and the bank."

In a paper presented at a recent privacy and security symposium, Raza and his co-authors—Raja Hasnain Anwar, also of the University of Massachusetts Amherst, and Syed Rafiul Hassain of Pennsylvania State University—focus on three features of the digital wallet ecosystem that render digital wallets susceptible to fraud. Specifically, they identify vulnerabilities around authentication, authorization and access control.

Wallets of billions of consumers at risk

An estimated 5.3 billion consumers, representing over 60 percent of the global population, are expected to be using digital wallets—Apple Pay, Google Pay and PayPal, for example—by 2026, according to Juniper Research.

In the normal digital wallet ecosystem, users input their credit or debit card number, which becomes the primary account number (PAN) for the wallet. The user's identity gets authenticated with specific information, such as a ZIP code or the last four digits of their Social Security number.

Then, whenever a purchase is made, the wallet hides the PAN and shares a "token" with the merchant. The token then gets attached to the transaction. The token and transaction information gets sent back through the bank's payment network, and the token is converted back to the PAN. The bank then settles the transaction without ever revealing the PAN to the vendor.

But here's the catch: fraudsters have figured out how to circumvent the process and make purchases with other people's bankcards. "Any malicious actor who knows the [physical] card number can pretend to be the cardholder," Raza said. "The digital wallet does not have sufficient [mechanisms] to authenticate whether the card user is the cardholder or not."

Another problem is that once a victim reports a stolen card, their bank only blocks transactions using a physical card, not those made through digital wallets. Banks assume that their authentication systems have sufficient security to prevent attackers from adding someone else's card to their wallets, which, Raza pointed out, is not the case.

"Even if the cardholder requests a card replacement, banks do not re-authenticate the card stored in the wallet," Raza said. "What they do is they simply change the virtual number mapping to the new physical card number."
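The two issuer-side behaviours described above (a card lock that applies only to the physical PAN, and a replacement that silently remaps existing wallet tokens) can be modelled in a few dozen lines. This is an added, constructed toy model written for this page, not code from the researchers, any bank or any wallet provider; the PANs and token format are made up, and the two flags `propagate_lock` and `reauth_on_replace` are hypothetical knobs that contrast the weak behaviour with a hardened one.

```python
from dataclasses import dataclass


@dataclass
class Card:
    pan: str
    locked: bool = False


class TokenVault:
    """Toy model of an issuer's token vault (constructed; not any real system)."""

    def __init__(self, propagate_lock: bool, reauth_on_replace: bool):
        self.propagate_lock = propagate_lock        # does a card lock also block its tokens?
        self.reauth_on_replace = reauth_on_replace  # does replacement revoke tokens until re-enrolled?
        self.cards: dict[str, Card] = {}
        self.token_to_pan: dict[str, str] = {}

    def issue(self, pan: str) -> None:
        self.cards[pan] = Card(pan)

    def enroll(self, pan: str) -> str:
        """Wallet enrolment: the merchant will only ever see the returned token."""
        token = f"tok-{len(self.token_to_pan) + 1:04d}"
        self.token_to_pan[token] = pan
        return token

    def lock(self, pan: str) -> None:
        self.cards[pan].locked = True  # cardholder reports the card stolen

    def replace(self, old_pan: str, new_pan: str) -> None:
        """Issue a replacement card; decide what happens to tokens tied to the old PAN."""
        self.issue(new_pan)
        for token, pan in list(self.token_to_pan.items()):
            if pan == old_pan:
                if self.reauth_on_replace:
                    del self.token_to_pan[token]        # hardened: wallet must re-enroll
                else:
                    self.token_to_pan[token] = new_pan  # weak: silent remap, as the article describes

    def authorize(self, credential: str) -> bool:
        """Authorize either a PAN-present transaction or a tokenized wallet transaction."""
        if credential in self.cards:
            return not self.cards[credential].locked
        pan = self.token_to_pan.get(credential)
        if pan is None:
            return False
        return not (self.propagate_lock and self.cards[pan].locked)


def scenario(propagate_lock: bool, reauth_on_replace: bool) -> tuple[bool, bool, bool]:
    """Returns (card works after lock, token works after lock, token works after replacement)."""
    vault = TokenVault(propagate_lock, reauth_on_replace)
    vault.issue("4111000000001111")                  # constructed sample PAN
    token = vault.enroll("4111000000001111")
    vault.lock("4111000000001111")
    after_lock = (vault.authorize("4111000000001111"), vault.authorize(token))
    vault.replace("4111000000001111", "4111000000002222")
    return after_lock[0], after_lock[1], vault.authorize(token)
```

With both flags off, `scenario` shows the physical card declined but the wallet token still authorizing before and after replacement; with both on, the lock and the replacement each invalidate the token.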

The researchers also tested this problem on the digital wallet side of the equation and found similar vulnerabilities. "We want [the digital wallet companies] to take some responsibility as well because they are at the forefront of how these transactions happen," said Anwar, a doctoral candidate and the study's lead author.

Anwar pointed out that many of these issues stem from new features offered by banks. For example, you could share your card within your family: one card could be added to multiple mobile phones, he noted. Or the cardholder might subscribe to a service like Netflix, and the card issuer, not wanting them to lose the subscription, keeps posting charges to the card, even though the card is locked.

"It's security versus convenience," Raza said. "And we found the banks give more priority to convenience than security. Security is taken for granted because they believe that the user-device verification being used is sufficient for wallet security. It's not."

Making banks, wallets aware

The researchers tested security using their own cards and digital wallet apps and bore all financial costs so as not to defraud banks, wallets or merchants.

They disclosed their findings to the banks and digital wallet companies, and received responses from Google, Citibank, Chase and Discover. Google reported back that it was working with banks to address the reported issues with Google Pay.

For their part, the banks reported back that they had made changes to ensure the problems were no longer possible. However, the researchers said, several parties had not reported back as of mid-August, when they presented their findings at a security symposium.
