University of Massachusetts Amherst

08/14/2024 | Press release | Distributed by Public on 08/14/2024 12:16

New Study Reveals Loophole in Digital Wallet Security—Even If Rightful Cardholder Doesn’t Use a Digital Wallet

Unfortunately, there are ways that bad actors can circumvent this system to make purchases with other people's credit cards. The major U.S. banks and digital wallet companies impacted by this are described in the paper. These companies were informed of the study findings prior to its publication and given ample time to make necessary security improvements. The researchers used their own cards to complete their tests, and no fraudulent activity was performed in these security tests.

First, there is the issue of the initial authentication. "Any malicious actor who knows the [physical] card number can pretend to be the cardholder," says Raza. "The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not." He emphasizes that existing authentication methods can easily be bypassed.

Another issue is that, once a victim reports their card stolen, the banks only block transactions from a physical card, not ones made through a digital wallet. Banks assume that their authentication system has sufficient security to prevent attackers from adding someone else's card to their wallet, which, as Raza points out, is not the case.

Once stolen card numbers are saved in a digital wallet, it is virtually impossible for the cardholder to deactivate them. "Even if the cardholder requests a card replacement, banks do not re-authenticate the cards stored in the wallet," says Raza. "What they do is they simply change the virtual number mapping to the new physical card number."

Here is a fictional example: The victim's credit card number ends in 0123. An attacker adds 0123 to their digital wallet and starts making purchases. Again, digital wallets work by sending a virtual number to the vendor, so vendors receive the virtual number ABCD and take this number to the bank to get payment associated with account 0123.

The victim discovers the fraudulent payments and asks the bank to issue a new credit card. The bank sends a new card with the number 4567 and, on the back end, remaps the virtual number: ABCD no longer links to 0123, it now links to 4567. The wallet automatically starts showing the new card to its user, and no verification is required before the new card is updated in the wallet. Vendors then go to the bank with ABCD, which has now been linked to 4567, the new and active number, and the purchase goes through.
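The remapping in the fictional example above, modelled as an added Python example (not code from the study or from any bank or wallet). The class and method names, the second virtual number WXYZ, and the re-authentication step shown as a mitigation are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Token:
    pan: str          # card number the virtual number currently maps to
    active: bool      # False while the token awaits re-authentication

class TokenVault:
    """Toy model of the bank-side virtual-number mapping (names are assumptions)."""

    def __init__(self, reauth_on_replace: bool):
        self.reauth_on_replace = reauth_on_replace
        self.tokens: dict[str, Token] = {}

    def provision(self, token: str, pan: str) -> None:
        # Models the weak initial check: knowing the card number is enough.
        self.tokens[token] = Token(pan, active=True)

    def replace_card(self, old_pan: str, new_pan: str) -> None:
        for tok in self.tokens.values():
            if tok.pan == old_pan:
                tok.pan = new_pan              # remapping the article describes
                if self.reauth_on_replace:
                    tok.active = False         # assumed mitigation: suspend token

    def reauthenticate(self, token: str, cardholder_verified: bool) -> None:
        # Assumed step: the issuer verifies the wallet holder again.
        self.tokens[token].active = cardholder_verified

    def authorize(self, token: str) -> bool:
        tok = self.tokens.get(token)
        return tok is not None and tok.active

def simulate(reauth_on_replace: bool) -> dict[str, bool]:
    vault = TokenVault(reauth_on_replace)
    vault.provision("ABCD", "0123")      # wallet that is not the cardholder's
    vault.provision("WXYZ", "0123")      # cardholder's own wallet (constructed)
    vault.replace_card("0123", "4567")   # victim reports fraud, gets a new card
    if reauth_on_replace:
        vault.reauthenticate("WXYZ", cardholder_verified=True)
    return {"ABCD": vault.authorize("ABCD"), "WXYZ": vault.authorize("WXYZ")}

if __name__ == "__main__":
    print("remap only:     ", simulate(False))
    print("remap + re-auth:", simulate(True))
```

With remapping alone, ABCD still authorizes after the replacement; with the assumed re-authentication step, only the token whose holder is verified again stays usable.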

The researchers also tested this loophole on the digital wallet side of the equation and found similar vulnerabilities. "We want [the digital wallet companies] to take some responsibility as well because they are at the forefront of how these transactions happen," says Raja Hasnain Anwar, a doctoral candidate in electrical and computer engineering and lead study author. "We want them to have solid coordination. That's the whole point of the paper: there's not. There's a lack of coordination."