Digital wallets like Apple Pay, Google Pay, and PayPal are becoming increasingly popular, with over 5.3 billion people expected to use them by 2026.
These wallets are often considered safer than traditional payment methods, but new research from the University of Massachusetts Amherst reveals a significant security loophole that could leave your credit or debit cards vulnerable, even if you don’t use a digital wallet yourself.
The study, led by computer engineers, highlights that digital wallets rely too heavily on outdated authentication methods, making them less secure than they appear.
“These digital wallets are not as secure as people think,” says Taqi Raza, an assistant professor of electrical and computer engineering and one of the study’s authors.
The main issue, according to Raza, is that there is an “unconditional trust” between the cardholder, the digital wallet, and the bank.
Here’s how digital wallets typically work: You start by entering your credit or debit card number into the wallet.
The wallet then verifies your identity by asking for information like your zip code or the last four digits of your Social Security number.
When you make a purchase, the wallet hides your actual card number and instead sends a “token” to the vendor. This token is then converted back to your card number by the bank to complete the transaction.
However, the research shows that hackers can exploit this system to make unauthorized purchases with your card. One of the biggest problems is that anyone who knows your card number can add it to their digital wallet without needing much verification.
“The digital wallet doesn’t have strong enough mechanisms to check if the person adding the card is the real cardholder,” Raza explains.
Even more concerning is that if your card is stolen and you report it to the bank, the bank usually only blocks transactions made with the physical card, not those made through a digital wallet.
This means that if a thief has already added your card to their digital wallet, they can continue making purchases even after you’ve reported your card stolen.
The study also points out that when banks issue you a new card after a theft, they don’t re-check the cards stored in your digital wallet. They simply link the new card number to the existing digital token. So, if a thief already has your card in their wallet, they can keep using it without any further verification.
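The reporting and reissue behaviour described above, modelled as an added example (not code from the study or from any bank or wallet). With `harden=False` the toy issuer-side token vault follows the flaw as the article describes it; with `harden=True` it applies one assumed mitigation: suspend tokens when a card is reported stolen, and re-link only devices that were re-verified. All class, method, token and card names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    device: str          # device the token was provisioned to
    pan: str             # card number the token currently maps to
    active: bool = True

@dataclass
class Issuer:
    """Toy issuer-side token vault; a hypothetical model, not a real bank API."""
    harden: bool
    blocked_pans: set = field(default_factory=set)
    tokens: dict = field(default_factory=dict)

    def provision(self, token_id, device, pan):
        self.tokens[token_id] = Token(device, pan)

    def report_stolen(self, pan):
        self.blocked_pans.add(pan)              # physical card is always blocked
        if self.harden:                         # assumed fix: suspend its tokens too
            for t in self.tokens.values():
                if t.pan == pan:
                    t.active = False

    def reissue(self, old_pan, new_pan, verified_devices=frozenset()):
        for t in self.tokens.values():
            if t.pan == old_pan and not self.harden:
                t.pan = new_pan                 # described flaw: re-link with no re-check
            elif t.pan == old_pan and t.device in verified_devices:
                t.pan, t.active = new_pan, True  # assumed fix: only re-verified devices

    def authorize_card(self, pan):
        return pan not in self.blocked_pans

    def authorize_token(self, token_id):
        t = self.tokens.get(token_id)
        return bool(t and t.active and
                    (not self.harden or t.pan not in self.blocked_pans))

def scenario(harden):
    """Constructed sample data: one card, tokens on the owner's phone and an unknown one."""
    bank = Issuer(harden=harden)
    bank.provision("tok-owner", "owner-phone", "PAN-OLD")
    bank.provision("tok-unknown", "unknown-phone", "PAN-OLD")
    bank.report_stolen("PAN-OLD")
    after_report = bank.authorize_token("tok-unknown")
    bank.reissue("PAN-OLD", "PAN-NEW", verified_devices={"owner-phone"})
    return after_report, bank.authorize_token("tok-unknown"), bank.authorize_token("tok-owner")
```

`scenario(harden)` returns three booleans: whether the unknown device's token still authorizes after the stolen-card report, whether it does after reissue, and whether the owner's token works after reissue.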
The researchers tested this loophole and found that it could easily be exploited, showing that both banks and digital wallet companies need to improve their security measures.
“Digital wallet companies should take responsibility too,” says Raja Hasnain Anwar, the lead author of the study. “They need better coordination with the banks to ensure these transactions are secure.”
While this particular loophole has been fixed, the researchers still advise being cautious. To protect yourself, they recommend turning on email notifications for when a card is added to or removed from your wallet, setting up transaction alerts, regularly checking your credit card statements, and reviewing the devices linked to your cards through your bank’s website or mobile app.
This research serves as a reminder that while digital wallets offer convenience, they aren’t foolproof. Staying vigilant and following security best practices is essential to keeping your finances safe.