Just a year ago, security experts were giving “digital wallets” like ApplePay and GooglePay a high-five. But a new study by researchers from Penn State and the University of Massachusetts Amherst – titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping” – raises doubts about the security of those digital wallets.
The study's researchers say there’s a significant vulnerability in the authentication process used by these digital wallets. By exploiting this flaw, thieves can easily bypass security measures and go wild making fraudulent transactions – even after the cards have been reported lost or stolen by their owners.
The scammer’s journey explained
In the study’s description, the researchers laid out the path these bad actors take.
“First, an attacker adds the victim's bank card into their (attacker's) wallet by exploiting the authentication method agreement procedure between the wallet and the bank,” wrote UMass’ Raja Hasnain Anwar and Muhammad Taqi Raza, and Penn State’s Syed Rafiul Hussain.
“Second, they exploit the unconditional trust between the wallet and the bank, and bypass the payment authorization. Third, they create a trap door through different payment types and violate the access control policy for the payments.”
Even though the researchers haven't observed any widespread exploitation of this vulnerability, they say the findings hold in practice against major US banks – “notably Chase, AMEX, Bank of America, and others” – and three digital wallet apps (ApplePay, GPay, and PayPal).
“We have disclosed our findings to all the concerned parties. Finally, we propose remedies for fixing the design flaws to avoid these and other similar attacks.”
Identity Theft Resource Center (ITRC) Chief Operating Officer, James Lee, agrees with the study’s findings on one hand, but thinks that the researchers may have their dots disconnected.
Lee claims that, yes, authentication in all kinds of account set-up, access, and transactions on the whole can and should be improved, “but the results from the limited study here have less to do with identity authentication and more to do with payment processors and card issuers continuing to accept cards after they were locked and/or reported stolen. The payment processor and card issuer determine if the transaction is valid, not the provider of the digital wallet.”
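Lee’s point is that the token a wallet holds is only as trustworthy as the issuer’s decision to keep honoring it. The following is an added illustration, not code from the study or from any bank or wallet: a constructed issuer-side model in which a card lock or lost/stolen report both suspends every token bound to the card and blocks new tokenization, shown next to the weaker rule that keeps accepting any previously provisioned token. All identifiers (`Issuer`, `card-1`, `tok-A`) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Card:
    card_id: str
    locked: bool = False  # set when the cardholder locks the card or reports it lost/stolen


@dataclass
class Token:
    token_id: str
    card_id: str  # the card this wallet token is bound to
    suspended: bool = False


class Issuer:
    """Constructed issuer/processor model for illustration; not any real bank's logic."""

    def __init__(self) -> None:
        self.cards: dict[str, Card] = {}
        self.tokens: dict[str, Token] = {}

    def issue_card(self, card_id: str) -> Card:
        self.cards[card_id] = Card(card_id)
        return self.cards[card_id]

    def provision_token(self, token_id: str, card_id: str) -> bool:
        # A wallet asks to tokenize a card: refuse when the card is locked or reported stolen.
        card = self.cards.get(card_id)
        if card is None or card.locked:
            return False
        self.tokens[token_id] = Token(token_id, card_id)
        return True

    def report_lost_or_stolen(self, card_id: str) -> None:
        # Lock the card and propagate that lock to every token bound to it.
        self.cards[card_id].locked = True
        for tok in self.tokens.values():
            if tok.card_id == card_id:
                tok.suspended = True

    def authorize_token_only(self, token_id: str) -> bool:
        # Weak rule: any previously provisioned token is trusted, whatever the card's status.
        return token_id in self.tokens

    def authorize(self, token_id: str) -> bool:
        # Corrected rule: the token must be live AND its underlying card must not be locked.
        tok = self.tokens.get(token_id)
        return tok is not None and not tok.suspended and not self.cards[tok.card_id].locked
```

With the corrected rule, the authorization outcome for a token changes the moment the card is reported, without waiting on the wallet provider.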
Do others agree?
Whether or not the study is a wake-up call, your guess is as good as ours. ConsumerAffairs reached out to all three companies for comment, but only Google wrote back.
“Security and privacy features are built into every part of Google Wallet. We work closely with our ecosystem partners to help prevent cases of fraud using our products, including sending risk signals to banks and card issuers to help them decide whether or not to tokenize a payment card added to Wallet,” a Google spokesperson wrote in an email to ConsumerAffairs.
Commenting specifically on GooglePay, payments expert and Chargebacks911 founder Monica Eaton-Cardone said in a separate interview that no technology is going to be 100% safe.
“There are always going to be hackers, and tech is only ‘unhackable’ until somebody hacks it. That said, professionals within the financial industry generally regard Google Pay as safe — certainly safer than swiping a card or keying in your information.”
“The technology is even safer if the cardholder implements all the safeguards that Google recommends, including two-factor authentication on phones or other portable devices,” says Eaton-Cardone.
In the other corner – the ApplePay one – Scott Dylan, founder of NexaTech Ventures, says that the implications for consumers are serious.
“What we need is a robust overhaul of how digital wallets interact with banks, with more secure, real-time authentication methods and transaction validation mechanisms to prevent this kind of exploitation.”
And Lee? He thinks that as far as things between the bank and the consumer go, all’s good. “The use of tokenization where the card and cardholder’s personal information never leaves the device with the digital wallet is still by far the safest way to use a payment card.”
If you’re keeping score, that’s two thumbs up and one that still needs some convincing. In other words, tap on, but know that there appear to be more scammers and hackers lying in the weeds in those apps trying to get into your accounts than there likely have been in a while.