Digital wallets such as Apple Pay, Google Pay and PayPal can be used to carry out transactions with stolen and canceled debit cards, according to academic security researchers.
Credit Card vs Mobile Payment (Digital Wallet) | Which is safer?
These flaws – some of which have been addressed since responsible disclosure last year – allow an attacker armed with limited personal information to add an active stolen debit card number to a digital wallet and make purchases, even if the card is subsequently canceled and replaced.
A group of infosec boffins – Raja Hasnain Anwar (UMass Amherst), Syed Rafiul Hussain (Penn State) and Muhammad Taqi Raza (UMass Amherst) – detailed their findings in a paper presented last week at Usenix Security 2024.
The paper, titled "In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping," explores "critical flaws in authentication, authorization, and access control mechanisms for major digital wallet apps and U.S. banks," Anwar, a doctoral student in electrical and computer engineering and lead author, told The Register.
