Common Security Vulnerabilities in aDigital Wallet

Dinesh Kumar Barai
By Dinesh Kumar Barai

January 19, 2017

A 2015 survey among mobile payment users in the US found that 20% of them had concerns that someone might intercept their mobile payment information or other data. Another 13 % feared their phones being hacked. Due to the rise in cashless transactions, a number of digital wallets have been launched by many companies. The recent demonetization event by the Indian Government has caused a sudden surge in the number of people using digital wallets in their day-to-day transactions for the sake of transaction ease.

Why digital wallets are preferred over cash transactions

Digital Wallets are software applications—predominantly mobile—where your payment information is stored in a unique form. This information may include encrypted card data as well as other unique user information such as social security, ID, etc. In its simplest form it is a cache of your deposited money, and can be used for transactions on certain wallet applications. The money can be used to recharge or pay your mobile bill, book a movie ticket, and even to transfer funds to other wallets. Many online merchants have integrated with digital wallets as one of the payment methods at a checkout.

How does a server host a digital wallet?

A Digital Wallet is basically a virtual account. Once you sign up for a Digital Wallet, a virtual account is created and you’re ready to transact. Money can be transferred and converted into wallet currency by using a Net banking account or any Debit/Credit card. Today, most wallets also create a virtual Debit Card once your account is created. Your virtual debit card can be used for online transaction like a normal debit card.

Advantage of digital wallets over card based transactions

  • No need to carry cash and issue change
  • It’s secure, simple and convenient to transact via your mobile phone
  • There are a number of benefits, discounts and rewards
  • You have access to multiple features in one app
  • Collaboration with major E-commerce and merchant sites let you integrate your wallet as a checkout payment method.

Common security vulnerabilities in a digital wallet

  • Registration process

One of the first steps in using a digital wallet is registration. This process includes steps to verify your identity. It’s important that this process is properly followed to also preserve the sanctity of your card details. Some common vulnerabilities include:

    • A fraudulent user registering a digital wallet under a victim’s mobile number
    • An overwhelmed registration process due to the registration of a large number of users using automated bots
    • Taking over another user’s identity by re-registering as that user
    • Enumerating a registered user’s personal information by exploiting weaknesses in the registration process
    • The registration process does not identify fraud verification of the user’s information card information
  • Generic mobile application vulnerabilities:
    • Sensitive data like personal ID information and card information is stored in plain text form
    • Sensitive data is also transmitted over the network in plain text
    • There is little protection against generic MitM attacks like SSLStrip.
    • The wallet app is also poorly protected against reverse engineering which steals encryption keys and executes other implantation methods
    • Any user specific information being sent to 3rd Party APIs is vulnerable

These vulnerabilities are somewhat unique to digital wallets. They may differ between apps, but generally speaking they are a broad summary of common vulnerabilities.

  • Some wallets may also have additional features which present unique vulnerabilities:
    • A weak user identity verification which leads to an attacker impersonating a user
    • The possibility to login as another user from a mobile device not belonging to the real user
    • The possibility to replicate or guess tokens assigned to different users and transactions
    • Insecurities in wallet replenishing and money transfers
    • Refilling the wallet with more than the Net banking or Credit/Debit card transaction by using parameter or response manipulation
    • Transferring money fraudulently from another user’s wallet account (swapping to and from the account numbers, or using negative amounts while transferring money)
    • For any product related transactions (movie ticket buying, gift card, bill payments, etc.) tampering with parameters to perform transactions with less amounts than the original product cost
    • Checking local storage for sensitive data such as PIN, stored payment tokens, encryption/decryption keys, etc.
    • Transacting using NFC
    • Checking if the tokens stored offline for wallet payments can be replayed—using them more than once
    • Checking to see if the tokens stored in the local database are not encrypted and using them for direct transactions
    • Checking for flaws in other methods of transactions using NFC

Considering these vulnerabilities, it’s clear that Digital Wallet systems are in need of superior cyber security. For the sake of protecting users and bolstering the confidence in using these Digital Wallets, real time protection is essential.

Tags: blog