Convenience Over Security
New Study Reveals Loophole in Digital Wallet Security
Digital wallets — like Apple Pay, Google Pay, and PayPal — are projected to be used by more than 5.3 billion people by 2026. While these wallets
promote increased security over traditional payment methods, reliance on outdated authentication meth- ods and prioritizing convenience over security leaves digital wallets vulnerable, according to new research led by computer engineers at UMass Amherst.
“What we have discovered is these digital wallets are not secure,” said Taqi Raza, assistant professor of Electrical and Computer Engineering and an author on the paper. “The main reason is that they have unconditional trust between the cardholder, the wal- let, and the bank.”
In the normal digital wallet ecosystem, users start by inputting their credit or debit card number, called the primary account number (PAN), into the digital wallet. The user’s identity is authenticated as the rightful cardholder with a piece of information, such as a ZIP code or the last four digits of their Social Security number.
Then, whenever a purchase is made, the wallet hides the PAN and shares a ‘token’ with the vendor. The vendor attaches the token to the transaction. This information goes back through the bank’s pay- ment network, converting the token back to the PAN. The bank then settles the payment with the vendor on behalf of the customer without ever revealing the PAN to the vendor.
Unfortunately, there are ways that bad actors
can circumnavigate this system to make purchases with other people’s credit cards. The major U.S. banks and digital-wallet companies impacted by this are described in the paper. These companies were informed of the study findings prior to its publication and given ample time to make necessary security improvements. The researchers used their own cards to complete their tests, and no fraudulent activity was performed in these security tests.
First, there is the issue of the initial authentica- tion. “Any malicious actor who knows the [physical] card number can pretend to be the cardholder. The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not,” Raza said, emphasizing that existing authenti- cation methods can easily be bypassed.
Another issue is that, once a victim reports their card stolen, the banks only block transactions from a physical card, not ones made through a digital wallet. Banks assume that their authentication system has sufficient security to prevent attackers from adding someone else’s card to their wallet, which, as Raza
Continued from page 36
automatically starts showing the new card to its user without any verification for the new card to be updated in the wallet. Vendors then go to the bank with ABCD, which has now been linked to 4567, the new and active number, and the purchase goes through.
The researchers also tested this loophole on the digital wallet side of the equation and found similar vulnerabilities.
“We want [the digital wallet compa- nies] to take some responsibility as well because they are at the forefront of how
these transactions happen,” said Raja Hasnain Anwar, a doctoral candidate in electrical and computer engi- neering and lead study author. “We want them to have solid coordination. That’s the whole point of the paper: there’s not. There’s a lack of coordination.”
He added that many of these issues stem from new features offered by the banks. “For example, you could share your card within a family — one card could be added to multiple mobile phones. Or, if you
  RAJAHASNAINANWAR
take care of it.”
points out, is not the case.
Once stolen card numbers are saved in a digital
wallet, it is virtually impossible for the cardholder to deactivate them. “Even if the cardholder requests a card replacement, banks do not re-authenticate the cards stored in the wallet,” Raza said. “What they do is they simply change the virtual number mapping to the new physical card number.”
“If the banks are trying to move all of their payment platforms digitally, they need to put in more effort to make that secure. They cannot just rely on existing technology to
  “We found the banks give more priority to convenience than security. Security is taken for granted because they believe that the user-device verification being used is sufficient for
wallet security. It’s not.”
have a Netflix subscription, the credit card company doesn’t want you to lose that subscription, so they will keep on charging your card, even though that card is locked. If the banks are trying to move all of their payment platforms digitally, they need to put in more effort to make that secure. They can- not just rely on existing technology to take care of it.”
As Raza noted, “it’s security versus convenience. And we found the banks give more priority to convenience than security. Security is taken for granted because they believe that the user- device verification being used is suffi-
 >>
Broadband
TAQI RAZA
Case in Point
Here is a fictional example. The victim’s credit card number ends in 0123. An attacker adds 0123 to their digital wallet and starts making purchases. Again, digital wallets work by sending a virtual num- ber to the vendor, so vendors receive the virtual num- ber ABCD and take this number to the bank to get payment associated with account 0123.
The victim discovers the fraudulent payments and asks the bank to issue a new credit card. The bank sends a new card with the number 4567 and, on the back end, remaps the virtual number: ABCD no lon- ger links to 0123; it now links to 4567. The wallet
“Modern networks require constant investment and innovation to remain resilient, secure, and future-ready.”
Into the Future
Meanwhile, private-sector efforts to connect com- munities continue. Comcast recently announced high- er upload and download speeds are now available to all customers in Holyoke, Longmeadow, West Spring-
cient for wallet security. It’s not.”
While this specific loophole has been resolved,
researchers still recommend following security best practices: turn on email notifications when a card is added or removed from the wallet, turn on transac- tion alerts for credit cards, regularly check credit card statements, and review devices linked to credit cards through the bank’s web portal or mobile app account settings.
This work was done by researchers at UMass Khwarizmi Lab, led by Raza. BW
field, and Westfield. In addition, work is nearly com- plete to provide these faster speeds to all customers in Southwick and Springfield, with the vast majority of those customers already experiencing these faster speeds.
“Modern networks require constant investment and innovation to remain resilient, secure, and future- ready,” the company noted. “The need for fast, reli- able, and secure Internet will continue to grow, and Comcast is ensuring customers can stream, surf, and share on a network and service they can rely on today and in the future.” BW
 distributing devices, expanding literacy, and creating financial resources to help last-mile neighborhoods and remote locations.
In short, the MBI’s Municipal Digital Equity Plan- ning Program aims to accomplish two goals: to guide municipal decision making and investments that will increase access, adoption, and usage of the internet, and also to prepare municipalities to submit grant proposals to state or federal programs to support digi- tal equity activities.
BusinessWest
<< TECHNOLOGY >>
SEPTEMBER 2, 2024 37