PRESS-NEWS.org - Press Release Distribution
PRESS RELEASES DISTRIBUTION

New study reveals loophole in digital wallet security—even if rightful cardholder doesn’t use a digital wallet

UMass Amherst researchers found major US banks prioritize convenience over security

New study reveals loophole in digital wallet security—even if rightful cardholder doesn’t use a digital wallet
2024-08-14
(Press-News.org) Digital wallets — like Apple Pay, Google Pay and PayPal — are projected to be used by more than 5.3 billion people by 2026. While these wallets promote increased security over traditional payment methods, reliance on outdated authentication methods and prioritizing convenience over security leaves digital wallets vulnerable, according to new research led by computer engineers at the University of Massachusetts Amherst. 

“What we have discovered is [that] these digital wallets are not secure,” says Taqi Raza, assistant professor of electrical and computer engineering and an author on the paper. “The main reason is that they have unconditional trust between the cardholder, the wallet and the bank.” 

In the normal digital wallet ecosystem, users start by inputting their credit or debit card number, called the primary account number (PAN), into the digital wallet. The user’s identity is authenticated as the rightful cardholder with a piece of information, such as a zip code or the last four digits of their social security number. Then, whenever a purchase is made, the wallet hides the PAN and shares a “token” with the vendor. The vendor attaches the token to the transaction. This information goes back through the bank’s payment network, converting the token back to the PAN. The bank then settles the payment with the vendor on behalf of the customer without ever revealing the PAN to the vendor. 

Unfortunately, there are ways that bad actors can circumnavigate this system to make purchases with other people’s credit cards. The major U.S. banks and digital wallet companies impacted by this are described in the paper. These companies were informed of the study findings prior to its publication and given ample time to make necessary security improvements. The researchers used their own cards to complete their tests and no fraudulent activity was performed in these security tests. 

First, there is the issue of the initial authentication. “Any malicious actor who knows the [physical] card number can pretend to be the cardholder,” says Raza. “The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.” He emphasizes that existing authentication methods can easily be bypassed. 

Another issue is that, once a victim reports their card stolen, the banks only block transactions from a physical card, not ones made through a digital wallet. Banks assume that their authentication system has sufficient security to prevent attackers from adding someone else’s card to their wallet, which, as Raza points out, is not the case.  

Once stolen card numbers are saved in a digital wallet, it is virtually impossible for the cardholder to deactivate them. “Even if the cardholder requests a card replacement, banks do not re-authenticate the cards stored in the wallet,” says Raza. “What they do is they simply change the virtual number mapping to the new physical card number.”  

Here is a fictional example: The victim’s credit card number ends in 0123. An attacker adds 0123 to their digital wallet and starts making purchases. Again, digital wallets work by sending a virtual number to the vendor, so vendors receive the virtual number ABCD and take this number to the bank to get payment associated with account 0123.  

The victim discovers the fraudulent payments and asks the bank to issue a new credit card. The bank sends a new card with the number 4567 and, on the back end, remaps the virtual number: ABCD no longer links to 0123, it now links to 4567. The wallet automatically starts showing the new card to its user without any verification for the new card to be updated in the wallet. Vendors then go to the bank with ABCD, which has now been linked to 4567, the new and active number, and the purchase goes through. 

The researchers also tested this loophole on the digital wallet side of the equation and found similar vulnerabilities. “We want [the digital wallet companies] to take some responsibility as well because they are at the forefront of how these transactions happen,” says Raja Hasnain Anwar, a doctoral candidate in electrical and computer engineering and lead study author. “We want them to have solid coordination. That’s the whole point of the paper: there’s not. There’s a lack of coordination.” 

He highlights that many of these issues stem from new features offered by the banks. “For example, you could share your card within a family — one card could be added to multiple mobile phones,” he says. “Or if you have a Netflix subscription, the credit card company doesn’t want you to lose that subscription, so they will keep on charging your card, even though that card is locked. If the banks are trying to move all of their payment platforms digitally, they need to put in more effort to make that secure. They cannot just rely on existing technology to take care of it.”  
“It’s security versus convenience,” adds Raza. “And we found the banks give more priority to convenience than security. Security is taken for granted because they believe that the user-device verification being used is sufficient for wallet security. It’s not.” 

While this specific loophole has been resolved, researchers still recommend following security best practices: turn on email notifications when a card is added/removed from the wallet, turn on transaction alerts for credit cards, regularly check credit card statements and review devices linked to credit cards through the bank’s web portal or mobile app account settings. 

This work was done by researchers at UMass Khwarizmi Lab led by Raza. 

END

[Attachments] See images for this press release:
New study reveals loophole in digital wallet security—even if rightful cardholder doesn’t use a digital wallet

ELSE PRESS RELEASES FROM THIS DATE:

Researchers discover new way inflammation impacts cell communication

2024-08-14
INDIANAPOLIS – Indiana University School of Medicine researchers have made significant progress in understanding how cells communicate during inflammation. The study, recently published in PNAS, was conducted over a period of five years and focused on the molecules that enable cells to function during inflammation, particularly in the central nervous system where diseases like multiple sclerosis occur. “Communication is key in any relationship, even at the level of cells that cause disease,” said Mark Kaplan, PhD, chair of the Department of Microbiology and Immunology at the IU ...

Purdue physicists throw world’s smallest disco party

Purdue physicists throw world’s smallest disco party
2024-08-14
Physicists at Purdue are throwing the world’s smallest disco party.  The disco ball itself is a fluorescent nanodiamond, which they have levitated and spun at incredibly high speeds. The fluorescent diamond emits and scatters multicolor lights in different directions as it rotates. The party continues as they study the effects of fast rotation on the spin qubits within their system and are able to observe the Berry phase. The team, led by Tongcang Li, professor of Physics and Astronomy and Electrical and Computer Engineering at Purdue University, published their results ...

Tropical Atlantic mixing rewrites climate pattern rules

2024-08-14
The churning of the upper ocean in the tropics of Atlantic Ocean plays a crucial role in shaping long-term climate patterns across the world, a new study has found.  Researchers have discovered that changes in the ocean's mixed layer - the topmost section where wind and waves blend warm surface waters with cooler depths - are the primary force behind a climate phenomenon known as Atlantic Multidecadal Variability (AMV) in the tropics. The AMV has far-reaching effects on global climate. It influences weather patterns from North America to Europe and Africa, affecting everything from hurricane ...

New open access journal from APS and Sage expands publishing opportunity for psychological scientists

2024-08-14
The Association for Psychological Science (APS) and Sage announce the launch of Advances in Psychological Science Open, a fully open access journal that will publish high-quality empirical, technical, theoretical, and review articles, across the full range of areas and topics in psychological science. The journal will accept submissions in a variety of formats, including long-form articles and short reports, and APS is encouraging scientists to submit integrative and interdisciplinary research articles. “APS is always working to identify new ways to catalyze advances in psychological science,” said APS CEO Robert Gropp. “We are excited to announce ...

iFAB Tech Hub grows net-zero industrial chemical partnerships, champions bioeconomy

iFAB Tech Hub grows net-zero industrial chemical partnerships, champions bioeconomy
2024-08-14
In the wake of the $51 million funding announcement from the Economic Development Administration, momentum is tangible for the Illinois Fermentation and Agriculture Biomanufacturing (iFAB) Tech Hub. Today marks the beginning of a new collaboration to replace fossil fuel-derived petrochemicals with zero-emission alternatives produced through precision fermentation.  Industrial Microbes (iMicrobes) is partnering with the iFAB Tech Hub’s Integrated Bioprocessing Research Laboratory at the University of Illinois Urbana-Champaign to harness microbes to produce acrylic acid, a versatile chemical ...

Fracking frenzy in India: A water crisis in the making?

2024-08-14
India's plans to scale up fracking operations without robust regulations could spell disaster for the country's finely balanced water security, according to research from the University of Surrey.  India is positioning shale gas as a key transitional energy source and has announced 56 fracking projects across six states. Despite the promise of energy independence, Surrey’s study raises alarm bells about the country's preparedness to handle the unique water risks posed by fracking.  Hydraulic fracturing, or fracking, involves injecting high-pressure fluid into shale ...

New research identifies early sensorimotor markers for autism spectrum disorder

2024-08-14
New York, August 14 2024 – A study published in the journal iSCIENCE has uncovered significant findings related to the early sensorimotor features and cognitive abilities of toddlers who are later diagnosed with Autism Spectrum Disorder (ASD). The research, led by Kristina Denisova, a professor of Psychology and Neuroscience at the CUNY Graduate Center and Queens College, takes an important step toward better understanding ASD so that more precise, individually tailored interventions can be developed. Autism Spectrum Disorder, typically diagnosed around the ages of 4 to ...

Mutation detection of phosphatidylinositol-4,5-bisphosphate 3-kinase catalytic subunit alpha for treatment guidance in breast cancer

2024-08-14
Breast cancer remains a significant health concern worldwide, with diverse molecular subtypes that necessitate personalized therapeutic approaches. Recent advances have highlighted the importance of molecular signatures in guiding breast cancer treatment. Among these, the phosphatidylinositol-4,5-bisphosphate 3-kinase catalytic subunit alpha (PIK3CA) gene mutation has emerged as a crucial factor in determining the efficacy of targeted therapies, particularly in advanced breast cancer. This review explores the role of PIK3CA mutation detection in breast cancer and its implications for personalized treatment strategies. Breast Cancer Heterogeneity Breast ...

State COVID-19 vaccine mandates and uptake among health care workers in the US

2024-08-14
About The Study: This repeated cross-sectional study found that state COVID-19 vaccine mandates for health care workers (HCWs) were associated with increased vaccine uptake among HCWs, especially among younger HCWs and those in states with no test-out option. These findings suggest the potential for vaccine mandates to further promote vaccinations in an already highly vaccinated HCW population, especially when no test-out option is in place.  Corresponding Author: To contact the corresponding author, Charles Stoecker, ...

Depressive symptoms in adolescence and young adulthood

2024-08-14
About The Study: This panel cohort study found that increases in depressive symptoms in adolescence persisted into young adulthood, suggesting the need for primary prevention and mental health resources during the adolescent years.  Corresponding Author: To contact the corresponding author, Katherine M. Keyes, PhD, email kmk2104@columbia.edu. To access the embargoed study: Visit our For The Media website at this link https://media.jamanetwork.com/ (doi:10.1001/jamanetworkopen.2024.27748) Editor’s Note: Please see the ...

LAST 30 PRESS RELEASES:

Rapid growth of global wildland-urban interface associated with wildfire risk, study shows

Generation of rat offspring from ovarian oocytes by Cross-species transplantation

Duke-NUS scientists develop novel plug-and-play test to evaluate T cell immunotherapy effectiveness

Compound metalens achieves distortion-free imaging with wide field of view

Age on the molecular level: showing changes through proteins

Label distribution similarity-based noise correction for crowdsourcing

The Lancet: Without immediate action nearly 260 million people in the USA predicted to have overweight or obesity by 2050

Diabetes medication may be effective in helping people drink less alcohol

US over 40s could live extra 5 years if they were all as active as top 25% of population

Limit hospital emissions by using short AI prompts - study

UT Health San Antonio ranks at the top 5% globally among universities for clinical medicine research

Fayetteville police positive about partnership with social workers

Optical biosensor rapidly detects monkeypox virus

New drug targets for Alzheimer’s identified from cerebrospinal fluid

Neuro-oncology experts reveal how to use AI to improve brain cancer diagnosis, monitoring, treatment

Argonne to explore novel ways to fight cancer and transform vaccine discovery with over $21 million from ARPA-H

Firefighters exposed to chemicals linked with breast cancer

Addressing the rural mental health crisis via telehealth

Standardized autism screening during pediatric well visits identified more, younger children with high likelihood for autism diagnosis

Researchers shed light on skin tone bias in breast cancer imaging

Study finds humidity diminishes daytime cooling gains in urban green spaces

Tennessee RiverLine secures $500,000 Appalachian Regional Commission Grant for river experience planning and design standards

AI tool ‘sees’ cancer gene signatures in biopsy images

Answer ALS releases world's largest ALS patient-based iPSC and bio data repository

2024 Joseph A. Johnson Award Goes to Johns Hopkins University Assistant Professor Danielle Speller

Slow editing of protein blueprints leads to cell death

Industrial air pollution triggers ice formation in clouds, reducing cloud cover and boosting snowfall

Emerging alternatives to reduce animal testing show promise

Presenting Evo – a model for decoding and designing genetic sequences

Global plastic waste set to double by 2050, but new study offers blueprint for significant reductions

[Press-News.org] New study reveals loophole in digital wallet security—even if rightful cardholder doesn’t use a digital wallet
UMass Amherst researchers found major US banks prioritize convenience over security