HOUSTON — Digital wallets are widely viewed as a secure and efficient way to make purchases, but researchers say they have found a loophole that can let thieves keep using a credit card even after it has been reported stolen.
The flaw was outlined in findings from University of Massachusetts Amherst and Pennsylvania State University researchers, along with testing by Galactic Advisors, and supported by information from Consumer Reports, the American Bankers Association, Google and PayPal.

As the report noted, digital wallets rely on tokenization, which replaces a user’s credit card number with a unique code for each transaction. But researchers say tokenization also allows wallets to be automatically updated with new card information when the original card is blocked, Yahoo reported.
What One Tester Found
Bruce McCully, a cybersecurity expert with Galactic Advisors, said he tested the issue after reporting his credit card compromised. Although his bank issued a new card, his digital wallet was automatically updated, allowing the account to continue being used, according to the report.
“I went ahead and tested it to see, and my card still continued to work,” McCully said.
McCully warned that thieves who either steal a phone containing a digital wallet or use stolen personal information to set up their own wallet could continue charging purchases even after the cardholder reports the account stolen.
Precautions Urged
Consumer Reports’ Lisa Gill urged cardholders to take extra precautions, including requiring additional authentication such as a password, facial recognition or fingerprint scan before using a digital wallet, Yahoo said. She also recommended enabling the Find My app so phones and wallets can be wiped remotely if stolen, and setting up account alerts to monitor transactions.
McCully is advising consumers to ask their financial institution not only for a replacement card, but also for a new token or to have their digital wallet account wiped when reporting a card lost or stolen.
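
The reissue behavior described above can be modeled in a few lines. This is an added illustration, not code from the researchers or any card network: the `Issuer` class, its method names and the card numbers are all constructed, and it assumes a simplified issuer that maps each wallet token to one card number.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Issuer:
    """Toy issuer (hypothetical model, not a real network API)."""
    blocked_pans: set = field(default_factory=set)
    token_to_pan: dict = field(default_factory=dict)  # wallet token -> card number
    active_tokens: set = field(default_factory=set)

    def provision_wallet(self, pan):
        # A wallet never stores the card number, only a token that maps to it.
        token = "tok_" + secrets.token_hex(4)
        self.token_to_pan[token] = pan
        self.active_tokens.add(token)
        return token

    def reissue(self, old_pan, new_pan, revoke_tokens):
        # Cardholder reports the card stolen; the old number is blocked.
        self.blocked_pans.add(old_pan)
        for token, pan in list(self.token_to_pan.items()):
            if pan != old_pan:
                continue
            if revoke_tokens:
                # Mitigation: kill the token so every wallet must re-enroll.
                self.active_tokens.discard(token)
            else:
                # Loophole: the token is silently re-pointed at the new card.
                self.token_to_pan[token] = new_pan

    def authorize_card(self, pan):
        return pan not in self.blocked_pans

    def authorize_token(self, token):
        pan = self.token_to_pan.get(token)
        return (token in self.active_tokens and pan is not None
                and pan not in self.blocked_pans)


def simulate(revoke_tokens):
    """Return what still authorizes after a stolen-card report."""
    issuer = Issuer()
    old_pan, new_pan = "4000000000000001", "4000000000000002"  # constructed
    wallet_token = issuer.provision_wallet(old_pan)  # wallet set up before the report
    issuer.reissue(old_pan, new_pan, revoke_tokens)
    return {"old_card": issuer.authorize_card(old_pan),
            "wallet": issuer.authorize_token(wallet_token)}
```

With `revoke_tokens=False` the blocked card is declined but the wallet still authorizes; with `revoke_tokens=True`, the new-token request McCully recommends, both are declined.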







