Loophole in digital wallet security even if rightful cardholder doesn’t use one
A study from the University of Massachusetts Amherst reveals significant security vulnerabilities in digital wallets like Apple Pay and Google Pay, urging enhanced security measures and user vigilance to prevent unauthorized transactions.
A recent study from the University of Massachusetts Amherst has identified significant security vulnerabilities in digital wallets such as Apple Pay and Google Pay. Despite their growing popularity, projected to reach over 5.3 billion users by 2026, these wallets rely on outdated authentication methods that prioritize convenience over security. The research highlights that malicious actors can exploit these weaknesses, particularly the lack of robust identity verification when adding credit card information to digital wallets. Once a card is compromised, banks often fail to block transactions made through digital wallets, assuming their existing security measures are sufficient. This oversight allows attackers to continue making purchases even after a cardholder reports their card as stolen. The study emphasizes the need for digital wallet companies and banks to enhance their security protocols and coordination to protect users effectively. Researchers recommend that users enable transaction alerts and regularly monitor their accounts to mitigate risks.
- Digital wallets are vulnerable due to outdated authentication methods.
- Malicious actors can exploit these vulnerabilities to make unauthorized purchases.
- Banks often do not block transactions made through digital wallets after a card is reported stolen.
- Enhanced security measures and better coordination between banks and digital wallet companies are necessary.
- Users are advised to enable alerts and monitor their accounts regularly for security.
Related
How MFA is falling short
Multi-factor authentication (MFA) faces challenges from cyber attackers exploiting weaknesses. Breaches despite VPN, SSO, and Google Authenticator usage show risks like phishing, vishing, and Man-In-The-Middle attacks. Recent developments include "Tycoon 2FA" targeting Microsoft 365 and Gmail accounts, emphasizing the need for stronger authentication methods.
The Sad State of Two-Factor Authentication in U.S. Banking (2020)
The article critiques U.S. banking's reliance on SMS-based two-factor authentication, highlighting its vulnerabilities. It advocates for stronger security measures, including hardware tokens and biometrics, urging consumers to demand better protections.
New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Creds
A new phishing technique targets iOS and Android users via PWAs and WebAPKs, mimicking banking software to steal credentials. Attacks focus on users in the Czech Republic, Hungary, and Georgia.
New NGate Android malware uses NFC chip to steal credit card data
A new Android malware, NGate, exploits NFC technology to steal credit card data and PINs through social engineering. Users are advised to disable NFC and verify app sources for security.
Gift card scams generate billions as regulators fail to protect consumers
Gift card scams generate billions annually, particularly affecting seniors, with regulators failing to implement necessary protections. Victims often remain silent due to embarrassment, while the industry lacks transparency on fraud.
When adding my cards (from different banks) to Google Pay, I had to authorise it via my bank's app (as all online payments, as per PSD2).
When my card expires, all subscriptions using it contact me to update it. Including Google Pay, the wallet. If I don't, they stop working. I would assume the same would apply to lost/stolen cards.
So, US banking and most importantly, banking regulators, just need to follow the EU's lead. Banking here is around a decade ahead of the US.
“Here is a fictional example: The victim's credit card number ends in 0123. An attacker adds 0123 to their digital wallet and starts making purchases. Again, digital wallets work by sending a virtual number to the vendor, so vendors receive the virtual number ABCD and take this number to the bank to get payment associated with account 0123.
The victim discovers the fraudulent payments and asks the bank to issue a new credit card. The bank sends a new card with the number 4567 and, on the back end, remaps the virtual number: ABCD no longer links to 0123, it now links to 4567. The wallet automatically starts showing the new card to its user without any verification for the new card to be updated in the wallet. Vendors then go to the bank with ABCD, which has now been linked to 4567, the new and active number, and the purchase goes through.”
TFA seems to have left out the “…and then the attacker does…” part. Because now the token ABCD is dissociated from card number 0123, and 0123 should no longer work, right?
Apparently, the banks do not dissociate a stolen card in a digital wallet from your account so someone can steal a card, put it in a wallet and keep using it merrily.
Sounds like a basic thing to get right, but I am sure there are "good" reasons.
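The remapping described in the quoted passage, modelled as an added example that is not code from the article, the study, or any wallet provider: a toy bank-side token vault run once with the article's behaviour (the existing token is silently pointed at the replacement card) and once with a hardened policy (tokens for a reissued card are revoked and must be re-provisioned with cardholder verification). The card numbers, token, class and policy names are constructed for the example.

```python
# Added example, not from the article or the UMass study: a toy bank-side
# token vault contrasting the reissue behaviour the article describes with a
# hardened policy. Card numbers, tokens and policy names are constructed.
from dataclasses import dataclass, field

@dataclass
class TokenVault:
    revoke_on_reissue: bool  # True = hardened policy
    token_to_pan: dict = field(default_factory=dict)  # virtual number -> real card
    lost_stolen: set = field(default_factory=set)

    def provision(self, token, pan, cardholder_verified):
        # Identity verification at provisioning: the step the study calls weak.
        if not cardholder_verified:
            return "DECLINED: cardholder verification required"
        self.token_to_pan[token] = pan
        return "PROVISIONED"

    def report_lost(self, pan):
        self.lost_stolen.add(pan)

    def reissue(self, old_pan, new_pan):
        """Bank replaces a reported card; what happens to its tokens?"""
        for token, pan in list(self.token_to_pan.items()):
            if pan != old_pan:
                continue
            if self.revoke_on_reissue:
                # Hardened: drop the token; the wallet must re-provision it
                # with fresh cardholder verification before it works again.
                del self.token_to_pan[token]
            else:
                # Article's behaviour: silently point the existing token at
                # the new card, so whoever holds the token keeps transacting.
                self.token_to_pan[token] = new_pan

    def authorize(self, token):
        pan = self.token_to_pan.get(token)
        if pan is None:
            return "DECLINED: unknown or revoked token"
        if pan in self.lost_stolen:
            return "DECLINED: card reported lost/stolen"
        return f"APPROVED on {pan}"

def scenario(revoke_on_reissue):
    """Replay the article's fictional sequence under one vault policy."""
    vault = TokenVault(revoke_on_reissue)
    vault.provision("ABCD", "0123", cardholder_verified=True)  # attacker passes weak check
    vault.report_lost("0123")       # victim reports the fraud
    vault.reissue("0123", "4567")   # bank sends a replacement card
    return vault.authorize("ABCD")  # vendor presents the old token
```

`scenario(False)` reproduces the article's outcome (the old token is approved against the new card 4567), while `scenario(True)` declines it until the wallet re-provisions under verification.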