New Research Exposes Security Flaws In Popular Digital Wallets
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
A research paper published today by the University of Massachusetts Amherst has revealed significant security vulnerabilities in popular digital wallets like Apple Pay, Google Pay, and PayPal. The study highlights how these technologies, projected to be used by over 5.3 billion people by 2026, could be compromised because of outdated authentication methods that place convenience before security.
The university announcement also explains that the researchers have identified a flaw in how banks handle stolen cards. Banks typically block the physical card but fail to address transactions through digital wallets, where the token system does not require re-authentication after the card is replaced.
As a result, attackers can still use stolen card details for purchases even after the victim has received a new card. This exposes a critical security gap that needs to be addressed to protect against fraudulent transactions.
Taqi Raza, one of the paper’s authors, states in the announcement, “Any malicious actor who knows the [physical] card number can pretend to be the cardholder, […] The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not.”
Furthermore, the study reveals that attackers can exploit these digital wallets through various means. First, they can add a victim’s bank card to their own wallet by bypassing the authentication agreement between the wallet and the bank.
Second, they exploit the inherent trust between the wallet and the bank to bypass payment authorization. Third, attackers can manipulate payment types to circumvent access control policies, allowing them to make unauthorized purchases despite the card being reported as stolen.
The study examined vulnerabilities in major U.S. banks and digital wallet apps, revealing that even after banks were notified, the issues persist. Researchers found that new card details are linked to the old virtual token without re-authentication, enabling ongoing fraudulent activity.
To address these issues, the study proposes several countermeasures. One major recommendation is to replace outdated one-time password (OTP) systems with more secure multi-factor authentication (MFA) methods.
Additionally, the study suggests implementing continuous authentication for token management to enhance security. Currently, payment tokens remain valid indefinitely after initial authentication. The recommendation is for banks to use periodic re-authentication and token refreshes, especially after critical events like card loss.
Finally, the research recommends improving transaction authorization by analyzing transaction metadata, such as time and frequency, to distinguish between one-time and recurring transactions. This would help prevent misuse of transaction labels and ensure transactions match their intended types and amounts.
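As an added illustration of the two recommendations above (this is constructed example code, not from the paper or any wallet provider), the following issuer-side model binds each token to the card it was provisioned for, forces re-authentication instead of silently relinking the token when the card is replaced, and rejects a "one-time" token that is charged again within a window; the class names, the 24-hour window and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, issuer-side model of the two recommendations: a token stays bound to
# the card it was provisioned for and must be re-authenticated, not silently relinked,
# when that card is replaced; and a token's declared type is checked against
# transaction metadata. Names, thresholds and sample data are assumptions.
ONE_TIME_WINDOW = timedelta(hours=24)  # a "one-time" token may not charge twice within this
@dataclass
class PaymentToken:
    card_id: str                # card the token was provisioned for
    kind: str                   # "one-time" or "recurring"
    authenticated: bool = True  # cleared when re-authentication is required
    last_charge: datetime = None  # time of the last approved charge

class Issuer:
    def __init__(self):
        self.cards = {}   # card_id -> active?
        self.tokens = {}  # token_id -> PaymentToken
    def provision(self, token_id, card_id, kind):
        self.cards[card_id] = True
        self.tokens[token_id] = PaymentToken(card_id, kind)
    def replace_card(self, old_id, new_id):
        # Card reported lost: block it and force every token bound to it to re-authenticate.
        self.cards[old_id], self.cards[new_id] = False, True
        for tok in self.tokens.values():
            if tok.card_id == old_id:
                tok.authenticated = False
    def reauthenticate(self, token_id, card_id):
        # Fresh binding only after the cardholder re-authenticates (MFA assumed done).
        self.tokens[token_id] = PaymentToken(card_id, self.tokens[token_id].kind)
    def authorize(self, token_id, now):
        tok = self.tokens.get(token_id)
        if tok is None or not tok.authenticated:
            return "DENY: re-authentication required"
        if not self.cards.get(tok.card_id):
            return "DENY: card blocked"
        if tok.kind == "one-time" and tok.last_charge and now - tok.last_charge < ONE_TIME_WINDOW:
            return "DENY: one-time token reused"
        tok.last_charge = now
        return "APPROVE"

def scenario():
    t0, bank = datetime(2024, 8, 1, 12, 0), Issuer()
    bank.provision("tok1", "card-old", "one-time")
    bank.replace_card("card-old", "card-new")   # victim reports the card lost
    before = bank.authorize("tok1", t0)         # token must not survive the replacement
    bank.reauthenticate("tok1", "card-new")
    return before, bank.authorize("tok1", t0), bank.authorize("tok1", t0 + timedelta(hours=1))
```

Running `scenario()` shows the old token being refused until the cardholder re-authenticates against the replacement card, and the re-bound one-time token being refused on its second charge.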
New Agreement Gives Actors Control Over AI Voice Replication
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
The Hollywood union SAG-AFTRA has announced today a new agreement with Narrativ — an online platform that allows actors to license their digital voice replicas to advertisers. This agreement is set to mark a significant step in addressing the growing concerns surrounding AI and its impact on the entertainment industry.
This agreement follows a series of union strikes protesting the controversial use of artificial intelligence in the sector. Union leaders sought new contracts to protect actors from having their voices or likenesses replicated by AI without consent or compensation.
Under this new agreement, members of SAG-AFTRA who choose to license their digital voice replicas through Narrativ will benefit from enhanced control and fair compensation.
“Not all members will be interested in taking advantage of the opportunities that licensing their digital voice replicas might offer, and that’s understandable […] But for those who do, you now have a safe option,” SAG-AFTRA official Duncan Crabtree-Ireland said in a statement reported by Reuters.
Performers can set their own rates for using their digital voice replicas. Although there are SAG-AFTRA minimums to ensure fair pay, they can negotiate higher fees if desired. Contributions to health and retirement benefits will be based on the compensation received, helping performers qualify for benefits.
Additionally, performers have control over the types of ads they are willing to support and can opt out of categories they prefer not to promote. If a performer chooses to leave the platform, Narrativ must delete their digital voice replica and any associated recordings.
“This streamlined process allows performers to generate income while maintaining full control over their brand and likeness,” SAG-AFTRA said in a statement reported by Forbes.