Researchers have identified security issues with most existing digital wallets, making them vulnerable to fraudulent payments. Specifically, an attacker may exploit digital wallets to perform transactions using stolen or canceled payment cards.
Digital Wallets May Allow Fraudulent Payments Due To Vulnerabilities
A team of researchers from the University of Massachusetts Amherst and the Pennsylvania State University have shed light on the existing security issues with digital wallets.
Digital wallets have recently gained traction as a convenient and secure contactless payment method. The technology relies on a decentralized system, allowing users to make payments via their smart devices.
While the digital wallet system seems useful, the researchers discovered inherent issues with the technology that may allow transactions from stolen or canceled payment cards, broadening the security risks.
Specifically, the vulnerabilities exist in the authentication, authorization, and access control security functions of digital wallet systems. Exploiting these issues allows an attacker to integrate an unrelated, stolen, or even canceled payment card into its own account and make payments.
Describing the attack scenario, the researchers stated,
First, an attacker adds the victim’s bank card into their (attacker’s) wallet by exploiting the authentication method agreement procedure between the wallet and the bank. Second, they exploit the unconditional trust between the wallet and the bank, and bypass the payment authorization. Third, they create a trap door through different payment types and violate the access control policy for the payments.
The researchers effectively demonstrated their attack strategy against popular US banks, including Bank of America, Chase, and AMEX, and the common digital wallets Apple Pay, Google Pay, and PayPal.
The researchers have presented their findings at the Usenix Security 2024, sharing the details in their research paper.
Proposed Countermeasures
The researchers explained that the vulnerabilities with digital wallets exist due to how the technology works.
First, the card integration with a digital wallet lacks a robust authentication mechanism, such as multi-factor authentication. Instead, it relies on knowledge-based authentication (KBA) methods, which an adversary may bypass using publicly available information about the victims.
Next, the security lapse also arises from the banks’ end. The banks do not update the token associated with a stolen or canceled payment card. Instead, they connect the same token with the new card, thus skipping new card authentication and permitting the continued use of the old card for transactions.
To address these contactless payment safety issues, the researchers advise implementing Push-based MFA authentication for card integration with digital wallets, continuous authentication for card verification token updates, and constant monitoring of payment metadata to prevent fraudulent recurrent payments.
The researchers responsibly disclosed the security issues with the relevant parties before making the public disclosure. In response, the concerned parties notified the researchers of partial or complete patch deployment.
Let us know your thoughts in the comments.