Digital wallets like Apple Pay, Google Pay, and PayPal have surged in popularity, to the point that in some cases, they are used as often as more traditional payment methods.
In 2023, half of all online transactions were made via digital wallets, and more than 5.3 billion people are expected to use them by 2026. One reason for this growth is that they are often considered safer than traditional payment methods. Nearly half of shoppers surveyed by Paze earlier this year said they prefer bank-backed digital wallets over guest checkout options. Over 80% of respondents place more trust in their bank’s safety and security than in alternative payment options.
However, there may be security issues that digital wallet users have overlooked. A separate study from computer engineers at the University of Massachusetts Amherst, points out a significant security loophole that could leave credit or debit cards vulnerable. This could pose a threat even if consumers don’t use a digital wallet.
The problem, according to the researchers, is that digital wallets rely on outdated authentication methods. When someone makes a purchase using a digital wallet, it sends a token to the vendor rather than sending the actual card number. This token is then converted back to the card number by the bank to complete the transaction.
Criminals only need to access a card number once to start using it without restriction. Once they have the number, they can add it to their own digital wallet and use it without needing to verify it again.
Reporting the Problem Is Not Enough
A consumer in this predicament may not be able to resolve it simply by reporting the card as stolen. While a bank will usually block transactions made with the physical card, it may not automatically address transactions made through a digital wallet. “This is because once the cardholder is authenticated, the bank establishes an unconditional trust with the wallet,” the paper noted.
Additionally, deactivating a card number that has been saved in a digital wallet can be challenging for cardholders.
“Even if the cardholder requests a card replacement, banks do not re-authenticate the cards stored in the wallet,” Taqi Raza, a co-author on the paper, told MSN. “What they do is they simply change the virtual number mapping to the new physical card number.”
Digital wallet users can protect themselves from these threats by turning on email notifications for when a card is added or removed from a wallet. Additionally, it’s advisable to set up transaction alerts for every card use and to regularly check credit card statements.
