New study reveals security flaw in digital wallets, even if the legitimate cardholder does not use a digital wallet

Digital wallets, such as Apple Pay, Google Pay and PayPal, are expected to be used by more than 5.3 billion people by 2026. While these wallets offer increased security over traditional payment methods, the reliance on outdated authentication methods and the prioritization of convenience over security make digital wallets vulnerable, according to a new study by computer engineers at the University of Massachusetts Amherst.

“We found that these digital wallets are not secure,” said Taqi Raza, assistant professor of electrical and computer engineering and author of the study. “The main reason is that there is unconditional trust between the cardholder, the wallet and the bank.”

In the normal digital wallet ecosystem, users start by entering their credit or debit card number, called a primary account number (PAN), into the digital wallet. The user’s identity is authenticated as the rightful cardholder using a piece of information, such as a zip code or the last four digits of their social security number.

Then, every time a purchase is made, the wallet hides the PAN and shares a “token” with the seller. The seller associates the token with the transaction. This information passes through the bank’s payment network, which converts the token back into a PAN. The bank then settles the payment with the seller on behalf of the customer without ever revealing the PAN to the seller.

Unfortunately, there are ways for malicious actors to bypass this system and make purchases using other people’s credit cards. The major U.S. banks and digital wallet companies involved are profiled in the paper. These companies were notified of the study’s results before its publication and were given ample time to make necessary security improvements. The researchers used their own cards to conduct their tests, and no fraudulent activity was observed during these security tests.

First, there is the issue of initial authentication. “Any malicious actor who knows the (physical) card number can impersonate the cardholder,” Raza explains. “The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.” He points out that existing authentication methods can be easily bypassed.

Another problem is that when a victim reports their card stolen, banks only block transactions made from a physical card, not those made through a digital wallet. Banks assume that their authentication system is secure enough to prevent attackers from adding someone else’s card to their wallet, which is not the case, as Raza points out.

Once stolen card numbers are stored in a digital wallet, it is virtually impossible for the cardholder to deactivate them. “Even if the cardholder requests a card replacement, banks do not re-authenticate the cards stored in the wallet,” Raza says. “They just change the virtual number to match the new physical card number.”

Here’s a fictitious example: The victim’s credit card number ends in 0123. An attacker adds 0123 to their digital wallet and starts making purchases. Again, digital wallets work by sending a virtual number to the seller, so the seller receives the virtual number ABCD and passes that number to the bank to get the payment associated with the 0123 account.

The victim discovers the fraudulent payments and asks the bank to issue a new credit card. The bank sends a new card with the number 4567 and, in the background, remaps the virtual number: ABCD is no longer linked to 0123, it is now linked to 4567. The wallet automatically starts showing the new card to its user without any verification for the new card to be updated in the wallet. The sellers then go to the bank with ABCD, which is now linked to 4567, the new active number, and the purchase is made.

The researchers also tested the flaw on the digital wallet side and found similar vulnerabilities. “We want the digital wallet companies to take some responsibility as well, because they’re on the front lines of how these transactions happen,” says Raja Hasnain Anwar, a PhD student in electrical and computer engineering and lead author of the study. “We want them to have strong coordination. That’s the whole point of the study: There isn’t. There’s a lack of coordination.”

He points out that many of these problems stem from new features offered by banks. “For example, it is possible to share your card within a family: a card can be added to several mobile phones,” he explains.

“If you have a Netflix subscription, the credit card company doesn’t want you to lose that subscription, so they’re going to keep charging your card even if it’s blocked. If banks are going to try to digitize all of their payment platforms, they need to do a lot more to secure that process. They can’t just rely on existing technology to do that.”

“It’s security over convenience,” Raza adds. “And we found that banks value convenience over security. Security is taken for granted because they think that verifying the user’s device is enough to keep the wallet secure. It’s not.”

Although this specific flaw has been fixed, researchers still recommend following security best practices: enabling email notifications when a card is added/removed from the wallet, enabling transaction alerts for credit cards, regularly checking credit card statements, and reviewing devices linked to credit cards via the bank’s web portal or mobile app account settings.