Digital payment wallets have exploded in recent years and are expected to reach 5.2 billion users globally by 2026. But despite the popularity of quick payments offered by ApplePay, GPay, and PayPal, a new study is questioning their security and warning that changes in authentication methods are necessary to avoid identity theft and fraud.
Researchers from the University of Massachusetts Amherst and Pennsylvania State University analyzed the security of financial transactions through digital wallets, focusing on authentication, authorization, and access control security functions.
One of the issues identified is a weakness in how authentication methods are determined. Banks usually delegate the choice of user authentication method to the wallet. Generally, two types of authentication methods are used: knowledge-based authentication (KBA) and multi-factor authentication (MFA). When it comes to cardholder verification methods (CVMs) on smartphones the choices fall to either a passcode, pattern or the biometric authentication native to the device.
But while delegating authority for authentication is efficient and scalable, this compromises security, the researchers argue.
“We identify that a foolproof and uniform authentication policy enforcement by the bank is missing for all wallets,” the study says. “Such delegation of authentication is flawed in that an attacker can dictate the bank to accept a weak authentication procedure which gives birth to a number of security vulnerabilities.”
The paper, titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping,” warns that some attacks could lead to serious consequences, including thieves making purchases with stolen bank cards despite banks blocking them. As digital wallets require sensitive personal and financial information, security issues may lead to identity theft and financial fraud.
The researchers propose several solutions to fix security issues in digital wallets, including adopting push MFA and passcodes instead of traditional OTP-based authentication methods. The paper does not explicitly refer to server-side biometrics. Other solutions include using continuous authentication in token management and distinguishing one-time from recurring transactions. Increasing payment apps’ security and security against card skimmers will also be necessary, the paper concludes.
Digital wallets continue to gain traction, meanwhile, not just for payments, but also identity verification and access control.