Academics question digital wallet security


Due to lax authentication practices, a thief or hacker can easily add a stolen credit card to their own digital wallet, the study concluded

Digital wallets contain information for various payment methods such as credit or debit cards. Apple and Google operate the two most prominent digital wallets. 

The banks that issue credit cards tend to trust Apple and Google, but weak authentication practices make it easy for a thief or hacker to with stolen credit card information to add the card to their digital wallet and use it, the study concludes.

Once a card is included in a digital wallet, a bad actor can continue to use it, even after it is locked or reported stolen, the study says

Banks could also give people more information about what digital wallets are using their cards, which could give cardholders a heads-up if someone is misusing their credit card.

"I don't know which wallets have added these cards," Raza said. "There is no transparency from the bank side."

Raza is an assistant professor who studies the security and reliability of critical infrastructures, Anwar is a PhD student who studies cybersecurity and Hussain studies network and system security.

The three researchers, who used their own digital wallets for this study, acknowledged that gathering data only from their own experiences gives them a limited sample.

The researchers stressed that they have not seen any indication that hackers and thieves are exploiting the vulnerabilities they identified in their research.

"This is not a measurement study,” Raza said.

However, Raza and his fellow researchers contend that companies like Apple and Google should address the vulnerabilities outlined in their study.

Representatives of Apple did not respond to a request for comment for this article. A representative of Google sent a brief statement that did not address the research, but said the company's product is secure.

"Security and privacy features are built into every part of Google Wallet," the statement reads. "We work closely with our ecosystem partners to help prevent cases of fraud using our products, including sending risk signals to banks and card issuers to help them decide whether or not to tokenize a payment card added to Wallet.”


By Patrick Cooley on Sep 4, 2024
Original link