New Research Exposes Security Flaws In Popular Digital Wallets

A research paper published today by researchers at the University of Massachusetts Amherst reveals significant security vulnerabilities in popular digital wallets such as Apple Pay, Google Pay, and PayPal. The study shows how these services, projected to be used by over 5.3 billion people by 2026, can be abused because the outdated authentication methods they rely on place convenience before security.

The university's announcement also explains that the researchers identified a flaw in how banks handle stolen cards. Banks typically block the physical card but do nothing about the digital wallet tokens tied to the same account: the token system does not require the cardholder to re-authenticate when the card is replaced, so the replacement card is simply linked to the existing token.

As a result, an attacker who has added the stolen card to a wallet can keep making purchases with it even after the victim has received a new card. This is a critical gap that must be closed to stop fraudulent transactions.

Taqi Raza, one of the paper’s authors, states in the announcement, “Any malicious actor who knows the [physical] card number can pretend to be the cardholder, […] The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.”

Furthermore, the study shows that attackers can exploit these wallets in several ways. First, they can add a victim's bank card to their own wallet by getting past the authentication step agreed between the wallet and the bank (the OTP check the study later calls outdated).

Second, they exploit the trust the bank places in the wallet to bypass payment authorization. Third, they can manipulate the payment type (for example, presenting a one-off purchase as a recurring payment) to circumvent access-control policies and make unauthorized purchases even after the card has been reported stolen.

The study examined major U.S. banks and digital wallet apps and found that the issues persisted even after the banks were notified. In particular, the details of a replacement card are linked to the old virtual token without any re-authentication, so the fraud can continue.

To address these issues, the study proposes several countermeasures. The first is to replace outdated one-time password (OTP) checks with stronger multi-factor authentication (MFA) methods.

The study also suggests continuous authentication for token management. Today a payment token remains valid indefinitely once it has been authenticated. The recommendation is for banks to re-authenticate periodically and refresh tokens, and above all to do so after critical events such as a card being reported lost or stolen.
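To make the token-lifecycle problem concrete, here is a toy issuer-side model written for this article. It is an added example, not code from the paper or from any wallet or bank, and every name in it (Issuer, enrol_wallet, report_lost, the test card numbers) is hypothetical. The same class runs two policies: the weak one the researchers describe, where a token bound to the account silently follows the account to the replacement card, and a hardened one that revokes every token on the account when the card is reported lost, forcing the wallet to re-enrol.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Card:
    pan: str                 # card number printed on the plastic
    active: bool = True


@dataclass
class Token:
    value: str
    wallet_id: str
    account_id: str          # bound to the account, so it survives a PAN change
    active: bool = True


class Issuer:
    """Hypothetical issuer-side token vault (added example, not a real API)."""

    def __init__(self, revoke_tokens_on_card_loss: bool) -> None:
        self.revoke_tokens_on_card_loss = revoke_tokens_on_card_loss
        self.cards: Dict[str, Card] = {}      # account_id -> current card
        self.tokens: Dict[str, Token] = {}    # token value -> token

    def issue_card(self, account_id: str, pan: str) -> None:
        self.cards[account_id] = Card(pan)

    def enrol_wallet(self, wallet_id: str, pan: str, otp_ok: bool) -> Optional[str]:
        """Card added to a wallet. The only gate is an OTP, which anyone who
        holds the card number and can intercept or phish the code passes."""
        if not otp_ok:
            return None
        account_id = next(
            (a for a, c in self.cards.items() if c.pan == pan and c.active), None
        )
        if account_id is None:
            return None
        tok = Token(secrets.token_hex(8), wallet_id, account_id)
        self.tokens[tok.value] = tok
        return tok.value

    def report_lost(self, account_id: str, new_pan: str) -> None:
        """Block the old card and issue a replacement. Weak policy: existing
        tokens follow the account to the new card. Hardened policy: every
        token on the account is revoked and the wallet must re-enrol."""
        self.cards[account_id].active = False
        self.cards[account_id] = Card(new_pan)
        if self.revoke_tokens_on_card_loss:
            for tok in self.tokens.values():
                if tok.account_id == account_id:
                    tok.active = False

    def authorize(self, token_value: str, amount_cents: int) -> bool:
        tok = self.tokens.get(token_value)
        if tok is None or not tok.active:
            return False
        return self.cards[tok.account_id].active and amount_cents > 0


def attacker_token_survives_replacement(hardened: bool) -> bool:
    """Replay the scenario from the article: the attacker enrols the victim's
    card in their own wallet, the victim reports it lost and gets a new card,
    and the attacker pays with the old token. True if the payment still goes
    through. Card numbers are constructed test values."""
    issuer = Issuer(revoke_tokens_on_card_loss=hardened)
    issuer.issue_card("acct-1", "4111111111111111")
    tok = issuer.enrol_wallet("attacker-wallet", "4111111111111111", otp_ok=True)
    assert tok is not None
    issuer.report_lost("acct-1", "4222222222222222")
    return issuer.authorize(tok, 5000)


if __name__ == "__main__":
    print("weak policy, old token still authorizes:",
          attacker_token_survives_replacement(hardened=False))
    print("hardened policy, old token still authorizes:",
          attacker_token_survives_replacement(hardened=True))
```

The point of the model is where the binding lives: because the token points at the account rather than at the card number, blocking the plastic changes nothing the authorizer checks. Revoking on the card-loss event is the cheapest fix; the periodic re-authentication the study also recommends would additionally age out tokens that nobody ever reported.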

Finally, the research recommends improving transaction authorization by analyzing transaction metadata, such as timing and frequency, to tell one-time transactions from recurring ones. That would stop the misuse of transaction labels and ensure that each transaction matches the type and amount it claims.
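The following is an added example of that last recommendation, written for this article rather than taken from the paper or any payment network. It puts the label-only rule the researchers say is abused (on a stolen card, decline one-time purchases but let anything marked "recurring" through so subscriptions keep working) next to a rule that only honours the "recurring" label when the cardholder's history supports it. Merchant names, amounts, dates and thresholds are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Txn:
    merchant: str
    amount_cents: int
    label: str           # "one_time" or "recurring", as asserted by the merchant
    at: datetime


def weak_policy(req: Txn, card_reported_stolen: bool) -> str:
    """Label-only rule: the merchant-supplied type alone decides."""
    if not card_reported_stolen or req.label == "recurring":
        return "approve"
    return "decline"


def looks_recurring(history: List[Txn], req: Txn, tolerance: float = 0.10,
                    min_prior: int = 2, slack_days: int = 3) -> bool:
    """Accept a 'recurring' claim only when the history backs it: at least
    `min_prior` earlier recurring payments to the same merchant, amounts within
    `tolerance` of the request, and a steady interval between payments.
    Thresholds are hypothetical."""
    prior = sorted(
        (t for t in history if t.merchant == req.merchant and t.label == "recurring"),
        key=lambda t: t.at,
    )
    if len(prior) < min_prior:
        return False
    if any(abs(t.amount_cents - req.amount_cents) > tolerance * req.amount_cents
           for t in prior):
        return False
    gaps = [b.at - a.at for a, b in zip(prior, prior[1:])] + [req.at - prior[-1].at]
    slack = timedelta(days=slack_days)
    return all(abs(g - gaps[0]) <= slack for g in gaps)


def hardened_policy(history: List[Txn], req: Txn, card_reported_stolen: bool) -> str:
    """Same rule, but the label is cross-checked against metadata. Anything
    else on a stolen card goes to step-up: the cardholder must authenticate
    before it is approved."""
    if not card_reported_stolen:
        return "approve"
    if req.label == "recurring" and looks_recurring(history, req):
        return "approve"
    return "step_up"


# Constructed sample history: three monthly streaming payments of $12.99.
HISTORY = [
    Txn("StreamCo", 1299, "recurring", datetime(2024, 1, 5)),
    Txn("StreamCo", 1299, "recurring", datetime(2024, 2, 5)),
    Txn("StreamCo", 1299, "recurring", datetime(2024, 3, 5)),
]
GENUINE_RENEWAL = Txn("StreamCo", 1299, "recurring", datetime(2024, 4, 5))
# Attacker labels an $899 electronics purchase as recurring to slip past the block.
RELABELLED_PURCHASE = Txn("ElectronicsMart", 89900, "recurring", datetime(2024, 4, 6))
# Same merchant as the subscription, but the amount does not match the pattern.
INFLATED_RENEWAL = Txn("StreamCo", 50000, "recurring", datetime(2024, 4, 5))
PLAIN_PURCHASE = Txn("ElectronicsMart", 89900, "one_time", datetime(2024, 4, 6))

if __name__ == "__main__":
    for name, req in [("genuine renewal", GENUINE_RENEWAL),
                      ("relabelled purchase", RELABELLED_PURCHASE),
                      ("inflated renewal", INFLATED_RENEWAL),
                      ("plain purchase", PLAIN_PURCHASE)]:
        print(f"{name:20} weak={weak_policy(req, True):8} "
              f"hardened={hardened_policy(HISTORY, req, True)}")
```

The genuine renewal still goes through on the blocked card, which is the whole reason the recurring exception exists; the relabelled purchase and the inflated renewal are pushed to step-up instead of being approved on the strength of a string the merchant chose. The interval check uses the first observed gap as the reference, so it tolerates the 29-to-31-day drift of monthly billing without accepting an arbitrary schedule.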
