Common security vulnerabilities in a digital wallet

Considering the vulnerabilities listed below, it is clear that digital wallet systems need stronger cyber security. To protect users and bolster confidence in using digital wallets, real-time protection is essential.
- Registration process
  One of the first steps in using a digital wallet is registration, which includes steps to verify your identity. It is important that this process is properly followed, since it also protects your card details. Some common vulnerabilities include:
  - A fraudulent user registering a digital wallet under a victim's mobile number
  - A registration process overwhelmed by a large number of registrations from automated bots
  - Taking over another user's identity by re-registering as that user
  - Enumerating a registered user's personal information by exploiting weaknesses in the registration process
  - The registration process does not perform fraud verification of the user's card information
- Generic mobile application vulnerabilities:
  - Sensitive data such as personal ID information and card information is stored in plain text
  - Sensitive data is also transmitted over the network in plain text
  - There is little protection against generic MitM attacks such as SSLStrip
  - The wallet app is poorly protected against reverse engineering, which allows encryption keys to be stolen and other implantation methods to be carried out
  - Any user-specific information sent to third-party APIs is vulnerable
These vulnerabilities are somewhat specific to digital wallets. They may differ between apps, but broadly speaking this is a summary of the common ones.
- Some wallets also have additional features that present unique vulnerabilities:
  - Weak user identity verification, which lets an attacker impersonate a user
  - The possibility of logging in as another user from a mobile device that does not belong to the real user
  - The possibility of replicating or guessing tokens assigned to different users and transactions
  - Insecurities in wallet top-ups and money transfers:
    - Loading the wallet with more than the amount actually paid through net banking or a credit/debit card, by manipulating request parameters or responses
    - Transferring money fraudulently from another user's wallet account (swapping the to and from account numbers, or using negative amounts when transferring money)
    - For product-related transactions (movie ticket purchases, gift cards, bill payments, etc.), tampering with parameters to complete the transaction for less than the original product cost
  - Checking local storage for sensitive data such as the PIN, stored payment tokens, encryption/decryption keys, etc.
  - Transacting using NFC:
    - Checking whether tokens stored offline for wallet payments can be replayed, i.e. used more than once
    - Checking whether tokens stored in the local database are unencrypted and can be used for direct transactions
    - Checking for flaws in other NFC transaction methods
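As an added example (not code from the original post or from Paladion), the server-side checks that close the top-up, transfer and offline-token replay items above, written in Python over constructed in-memory state; the account names, gateway reference and token values are assumptions.

```python
from decimal import Decimal

# Constructed sample state (hypothetical): balances, the amounts the payment
# gateway actually confirmed per top-up reference, and consumed refs/tokens.
balances = {"alice": Decimal("100.00"), "bob": Decimal("20.00")}
gateway_confirmed = {"gw-001": ("alice", Decimal("50.00"))}
consumed_refs = set()   # top-up references already credited
used_tokens = set()     # offline NFC payment tokens already redeemed

class WalletError(Exception):
    pass

def transfer(session_user, from_acct, to_acct, amount):
    """Server-side checks for a wallet-to-wallet transfer. from_acct, to_acct
    and amount come from the client request; session_user is the
    authenticated identity, and the 'from' account must match it."""
    amount = Decimal(str(amount))
    if from_acct != session_user:
        raise WalletError("from-account does not match authenticated user")
    if to_acct == from_acct or to_acct not in balances:
        raise WalletError("invalid destination account")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise WalletError("amount must be positive with at most 2 decimals")
    if balances[from_acct] < amount:
        raise WalletError("insufficient funds")
    balances[from_acct] -= amount
    balances[to_acct] += amount
    return balances[to_acct]

def top_up(session_user, gateway_ref, claimed_amount):
    """Credit only the amount the gateway confirmed for this user, never the
    client's claimed_amount, and never credit the same reference twice."""
    if gateway_ref in consumed_refs:
        raise WalletError("top-up reference already credited (replay)")
    owner, confirmed = gateway_confirmed.get(gateway_ref, (None, None))
    if owner != session_user:
        raise WalletError("no confirmed payment for this user and reference")
    consumed_refs.add(gateway_ref)
    balances[session_user] += confirmed   # claimed_amount deliberately ignored
    return balances[session_user]

def redeem_offline_token(token):
    """Offline payment tokens are single-use: a repeated presentation of the
    same token is a replay and is refused."""
    if token in used_tokens:
        return False
    used_tokens.add(token)
    return True
```

Keying the debit on the authenticated session rather than the request's "from" field defeats account swapping, and crediting only the gateway-confirmed figure defeats response manipulation.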
About: Paladion Networks is a global IT security service provider and management company with over a decade of experience, trusted by organizations around the globe, from Asia to the US to EMEA. Currently servicing more than 700 clients while continuing to transform the customer experience with IT security, Paladion assists its partners in improving their business operations by leveraging its industry-wide experience, expertise in cutting-edge technology and an extensive portfolio of services.