Security experts often speak highly of Apple Pay and Google Pay. However, a new study from Penn State and the University of Massachusetts Amherst is questioning just how secure these payment methods really are.
The study is titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping,” and it highlights a flaw in how these wallets authenticate users.
According to the researchers, this vulnerability allows criminals to sidestep security features and make fraudulent purchases, even after a digital wallet has been flagged as lost or stolen.
The process outlined by the research team is straightforward but alarming. The researchers Raja Hasnain Anwar and Muhammad Taqi Raza from UMass, along with Syed Rafiul Hussein from Penn State, said: “First, the attacker adds the victim’s card to their own digital wallet by exploiting weaknesses in the authentication handshake between the bank and the wallet.
Next, they bypass payment authorization by taking advantage of the implicit trust between the wallet and the bank. Finally, they manipulate different payment methods to evade security controls and gain unauthorized access.”
While the researchers haven’t seen widespread abuse of this flaw yet, they stress that the vulnerability is relevant to major U.S. banks such as Chase, AMEX, and Bank of America, as well as popular digital wallet apps like Apple Pay, GPay, and PayPal.
The team has informed all parties involved and has proposed fixes to address these design flaws and prevent similar attacks in the future.
James Lee, COO of the Identity Theft Resource Center (ITRC), partially agrees with the study’s findings but suggests that the researchers may be missing a key point.
While he acknowledges that authentication procedures need improvement, Lee argues that the real issue lies with payment processors and card issuers continuing to approve transactions after cards are reported lost or stolen. According to Lee, it’s these entities, not the digital wallet providers, that ultimately validate transactions.
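The failure mode Lee describes, an issuer that keeps approving wallet transactions after the underlying card is reported lost or stolen, can be illustrated with a small toy model. The code below is an added example written for this article, not code from the paper, its authors, or any wallet or bank; the card, token and status values are constructed, and the two authorization paths are simplified stand-ins for how an issuer host might treat a wallet token as a credential separate from the card. It shows why a lost/stolen flag kept only on the card does nothing for a token the wallet already holds, and what the hardened path has to check instead.

```python
from dataclasses import dataclass, field


@dataclass
class Card:
    pan_last4: str                 # constructed sample value, not a real card number
    status: str = "active"         # "active" or "lost_stolen"
    tokens: set = field(default_factory=set)


class Issuer:
    """Toy issuer authorization host, constructed for illustration only."""

    def __init__(self):
        self.cards = {}          # pan_last4 -> Card
        self.token_to_card = {}  # wallet token -> pan_last4
        self.token_status = {}   # wallet token -> "active" or "suspended"

    def issue_card(self, pan_last4):
        self.cards[pan_last4] = Card(pan_last4)

    def provision_token(self, pan_last4, token, check_card_status=False):
        # Wallet provisioning turns the token into a separate credential for the card.
        # With check_card_status=True the issuer refuses to add a flagged card to any
        # wallet, which is the mitigation for the "add the victim's card" step.
        card = self.cards[pan_last4]
        if check_card_status and card.status != "active":
            return False
        card.tokens.add(token)
        self.token_to_card[token] = pan_last4
        self.token_status[token] = "active"
        return True

    def report_lost(self, pan_last4):
        # Weak handling: the flag lands on the card record only.
        self.cards[pan_last4].status = "lost_stolen"

    def report_lost_and_suspend_tokens(self, pan_last4):
        # Hardened handling: revocation is propagated to every token already provisioned.
        self.report_lost(pan_last4)
        for tok in self.cards[pan_last4].tokens:
            self.token_status[tok] = "suspended"

    def authorize_token_only(self, token):
        # Weak path: only the token's own status is consulted, so a token provisioned
        # before the report keeps working no matter what the card record says.
        if self.token_status.get(token) != "active":
            return "declined"
        return "approved"

    def authorize_hardened(self, token):
        # Hardened path: resolve the token back to the card and decline if either the
        # token or the card is not active.
        pan = self.token_to_card.get(token)
        if pan is None or self.token_status.get(token) != "active":
            return "declined"
        if self.cards[pan].status != "active":
            return "declined"
        return "approved"


def demo_stale_token():
    """Card reported lost after a wallet token exists; only the card record is flagged."""
    issuer = Issuer()
    issuer.issue_card("1234")
    issuer.provision_token("1234", "tok-wallet-A")
    issuer.report_lost("1234")
    return (issuer.authorize_token_only("tok-wallet-A"),
            issuer.authorize_hardened("tok-wallet-A"))


def demo_propagated_revocation():
    """Same scenario, but the report suspends provisioned tokens and blocks new ones."""
    issuer = Issuer()
    issuer.issue_card("1234")
    issuer.provision_token("1234", "tok-wallet-A")
    issuer.report_lost_and_suspend_tokens("1234")
    new_token_added = issuer.provision_token("1234", "tok-wallet-B", check_card_status=True)
    return (issuer.authorize_token_only("tok-wallet-A"),
            issuer.authorize_hardened("tok-wallet-A"),
            new_token_added)


if __name__ == "__main__":
    print("token-only vs hardened after card flagged:", demo_stale_token())
    print("with propagated revocation:", demo_propagated_revocation())
```

The point of the two paths is that the lost/stolen status and the token lifecycle have to be bound on the issuer side: either every authorization resolves the token to its card and checks the card, or the report itself suspends the tokens and blocks further provisioning. Relying on the wallet to notice is what the weak path amounts to.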