Digital wallets can allow purchases with stolen credit cards
Security researchers have identified significant vulnerabilities in digital wallets like Apple Pay, Google Pay, and PayPal that could allow unauthorized transactions using stolen or canceled credit cards. These vulnerabilities, presented at the USENIX Security 2024 conference, enable attackers to exploit weaknesses in authentication and authorization processes, allowing stolen card numbers to be added to digital wallets. By opting for knowledge-based authentication over more secure multi-factor authentication, attackers can use easily obtainable personal information to bypass security. The flaws also permit unauthorized recurring transactions, even when the payment card is locked. Banks and digital wallet providers, including Chase, Citi, and Google, have been notified and are working on resolutions. Recommendations include adopting stronger authentication methods, continuous token management, and verifying recurring transactions to enhance security.