Dive Brief:
- A trio of academic researchers want their study of digital wallet security to inspire companies like Apple and Google to make their products safer.
- Two cyber-security experts from the University of Massachusetts Amherst — Raja Hasnain Anwar and Muhammad Taqi Raza — and a third from Penn State — Syed Rafiul Hussain — released a study in mid-August that found shortcomings in the authentication process for digital wallets.
- If a bad actor steals a consumer's credit card information and adds it to their own digital wallet, that bad actor can still use it after the consumer cancels or locks the card, the researchers found.
Dive Insight:
Digital wallets contain information for various payment methods such as credit or debit cards. Apple and Google operate the two most prominent digital wallets.
The banks that issue credit cards tend to trust Apple and Google, but weak authentication practices make it easy for a thief or hacker with stolen credit card information to add the card to their digital wallet and use it, the study concludes.
Once a card is included in a digital wallet, a bad actor can continue to use it, even after it is locked or reported stolen, the study says.
Banks could also give people more information about which digital wallets are using their cards, which could give cardholders a heads-up if someone is misusing their credit card.
"I don't know which wallets have added these cards," Raza said. "There is no transparency from the bank side."
Raza is an assistant professor who studies the security and reliability of critical infrastructures; Anwar is a PhD student who studies cybersecurity; and Hussain studies network and system security.
The three researchers, who used their own digital wallets for this study, acknowledged that gathering data only from their own experiences gives them a limited sample.
The researchers stressed that they have not seen any indication that hackers and thieves are exploiting the vulnerabilities they identified in their research.
"This is not a measurement study," Raza said.
However, Raza and his fellow researchers contend that companies like Apple and Google should address the vulnerabilities outlined in their study.
Representatives of Apple did not respond to a request for comment for this article. A representative of Google sent a brief statement that did not address the research, but said the company's product is secure.
"Security and privacy features are built into every part of Google Wallet," the statement reads. "We work closely with our ecosystem partners to help prevent cases of fraud using our products, including sending risk signals to banks and card issuers to help them decide whether or not to tokenize a payment card added to Wallet."