Digital Wallets Security

-

Introduction to digital wallets 

Digital wallet, also referred as "e-Wallet" allows people to perform electronic transactions without the need to have physical cards.

Not only does it allows to perform payment and transactions, but also is handy to store other identity documents such as loyalty card(s) within the wallet. It also eliminates the need to carry multiple physical cards.

Now as we have understood in simple words the meaning of digital wallets let us understand how do digital wallet transactions work.

Steps of a digital wallet transaction being performed

  • To use a digital wallet, the user needs to open the wallet application on mobile. To do this users can either use facial recognition, fingerprint identification, or PIN codes (based on the phone model and the configuration)

  • Post unlocking the application, the user next selects the stored payment method for use, as digital wallets allows to store multiple cards

  • There can be two type of transactions for digital wallets.

  • In-person purchases: Digital wallets use wireless and magnetic capabilities to transmit payment data from a mobile device to the payment device

  • Online purchases: The user selects a digital payment (such as payment via google pay/ apple pay etc.) and do the succeeding steps.

In person purchases happen via “Contactless” medium via the below technologies:

1.      Near-field communication (NFC)

Near-field communication (NFC) is the most common contactless payments. These allows devices to transmit payment information to payment terminals in close proximity with mobile device and removing the need to have physical contact.

2.      Magnetic secure transmission (MST)

Magnetic secure transmission (MST) is allows smartphones to emit an encrypted signal similar to the magnetic stripe on credit and debit cards to facilitate payments.

3.      QR codes

Quick response (QR) codes offers another medium of payment (popular with UPI applications), which post scanning, facilitates payment.

Key features of digital wallets include:

1.      Users can do a one-time setup in their digital wallet, eliminating the need to enter details such as PIN for each transaction

2.      Payments are quicker and convenient via smartphones, tablets, or computers.

3.      Security: Digital wallets use various security measures, such as encryption and authentication methods, to protect users' information.

Popular digital wallets include:

  • Apple Pay: Enables users to make payments using their iOS devices.

  • Google Pay: Enables users to make payments using Android devices.

  • Samsung Pay: Enables Samsung’s mobile users to pay via both NFC and traditional magnetic stripe card terminals.

All the above wallets having linked payment cards do not store any actual data or share it with the payment processor during transactions, which makes it highly secure.

The saved cards use a concept called "tokenization" which allows replacing confidential data against non-confidential data/ tokens. Think of it like a one way process where the the confidential data is used to create a token, however the inverse is not possible. These tokens are called EMVs.

These tokens are managed by "Token service providers" or TSPs which are registered with EMVco. (EuroPay, Mastercard, Visa) Ultimately these TSPs offer their tokenization services to "Token requestors" or TR to initiate the requests.

Let's see the process using a visual diagram

  1. Card holder enters card details in the digital wallet application

  2. The application sends data to Token Requestor (TR)

  3. The TR send it ahead to Token Service Provider (TSP) which makes the request for generating a token

  4. The TSP validates the cad details with the card issuing authority

  5. The card details are linked with a token stored in a vault which is then shared with the digital wallet application.

  6. For all transactions, now the mobile device is used for contactless payment which goes through the payment network which validates the generated TSP tokens and the issuer bank to complete the transaction.


Now let's understand how individual digital wallets work?

Apple Pay:

Apple Pay component security

Apple Pay has several components as part of its overall system to provide secure payment options

1.      Secure Element (SE)

The Secure Element is an industry-standard, certified chip running the Java Card platform, which is compliant with financial industry requirements for electronic payments. This Secure Element IC and the Java Card platform are certified with the EMVCo Security Evaluation process.

2.      NFC controller

The NFC controller handles Near Field Communication protocols and routes communication between the Application Processor and the Secure Element, and between the Secure Element and the point-of-sale terminal.

3.      Secure Enclave

On apple devices with Touch ID, the Secure Enclave manages the authentication process and allows a payment transaction to proceed. On Apple Watch, the device must be unlocked, and the user must double-click the side button. This double-click is detected and passed directly to the Secure Element or Secure Enclave, where available, without going through the Application Processor.

4.      Apple Pay servers

The Apple Pay servers manage the setup and provisioning of credit, debit, access cards etc. in Apple Wallet. The servers also manage the Device Account Numbers stored in the Secure Element. They communicate both with the device and with the payment network or card issuer servers. The Apple Pay servers are also responsible for re- encrypting payment credentials for payments within apps or on the web.

I have made a simple diagram to explain the process from the stage of setting up a card in Apple Pay all the way to transactions being performed



Similar to the above- Google pay and Samsung pay have similar functionalities and use the near same mechanism.


Source: Apple Pay Website, Wiki, Internet research


Comments

  1. Optimum Cyber, LLC1 February 2021 at 13:14

    Hey nice blog,Thanks for this helpful information come back again for more interesting information. Keep it up! Network Security Providers

    ReplyDelete
  2. emailtaai1 February 2021 at 14:55

    The Apartment Entry Systems in the lobby allows you to select the person or apartment you would like to contact. The classic system includes a one or two-line display that allows the visitor to scroll through a list of apartments. Once they select the apartment, they can push the call button to notify the tenant that they are in the lobby.The latest lobby intercoms include a large touch-screen panel. This multi-tenant intercom system provides a wireless connection from the lobby intercom station to an app on your smartphone.

    ReplyDelete
  3. YASARARAFAT16 February 2021 at 13:43

    Awsome blog, thanks for sharing.ISO 27001 Certification in UAE

    ReplyDelete
  4. areebashaikh23 February 2021 at 21:22

    computer repair new jersey I have read all the comments and suggestions posted by the visitors for this article are very fine,We will wait for your next article so only.Thanks!

    ReplyDelete
  5. oswincontrols2 April 2021 at 15:59

    Home security is critical to you since you need to keep your family and your home liberated from hurt. Perhaps the main components of home security are keeping robbers from accessing your property.

    Thanks
    Security and surveillance system

    ReplyDelete
  6. Tabletvilla3 April 2021 at 20:18

    Wonderful article, Thank you for sharing amazing blog write-ups.

    You can also check out another blog on Cryptography and Network Security

    ReplyDelete
  7. Dbcomp27 April 2021 at 09:54

    I read your post, Great post with Nice information.Thanks for all the information.

    ReplyDelete
  8. Unknown5 May 2021 at 22:33

    A good way to say your words. Please also visit my site and let me know what do you think about my thoughts. Construction Site Security

    ReplyDelete
  9. Unknown5 May 2021 at 22:34

    A good way to say your words. Please also visit my site and let me know what do you think about my thoughts. Fire Watch Security Services

    ReplyDelete
  10. Unknown5 May 2021 at 22:34

    A good way to say your words. Please also visit my site and let me know what do you think about my thoughts. Security Services Edmonton

    ReplyDelete
  11. Muhammad Ejaz7 May 2021 at 11:38

    This blog has valuable information, and the writer's written style is amazing. I want to appreciate it. Also, request the writer to write some more blogs on the Information Security Services for us. Thank You.

    ReplyDelete

Post a Comment

Popular posts from this blog

Arbitrary file upload and RCE in Wonder CMS - CVE-2017-14521

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of file upload security mechanism and allowed the user to upload any file type! After reporting it to them, I did not receive any security relevant response, hence decided to publish a blog on this. Title of the Vulnerability:   Arbitrary File Upload Vulnerability Class: Security Misconfiguration Technical Details & Description: The application source code is coded in a way which allows arbitrary file extensions to be uploaded. This leads to uploading of remote shells/ malicious Trojans which can lead to complete system compromise and server takeover. CVE ID allocated :  CVE-2017-14521 Product & Service Introduction: Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Ma
Read more

Cross Site Request Forgery- Intex Router N-150 | CVE-2018-12529

-
Image
By- Navina Asrani Hi Readers, Recently while tinkering with my wifi router, I was curious to find if it has possible loopholes and vulnerabilities. Curious to explore its functionalities, I started probing with the options. Title of the Vulnerability:   Cross Site Request Forgery Vulnerability Class: Code Execution/ Privilege Escalation Technical Details & Description: The firmware allows malicious request to be executed without verifying source of request. This leads to arbitrary execution with malicious request which will lead to the creation of a privileged user. CVE ID allocated: -  CVE-2018-12529 Product & Service Introduction: Intex Router Steps to Re-Produce – 1.        Visit the application 2.         Go to any router setting modification page and change the values, create a request and observe the lack of CSRF tokens. 3.        Craft an html page with all the details for the built-in admin user creation and host it on a server
Read more

Stored XSS in Wonder CMS- CVE-2017-14522

-
Image
By- Samrat Das Hi Readers Recently in one of my pentest research, I found a CMS " WonderCMS" hosted in github. Curious to explore its functionalities, I downloaded and set it up in my local system. After fiddling with the source code, I found that it did not have any kind of security mechanism to filter any user input and accepted and stored in blindly without any sort of input validation Title of the Vulnerability:   Stored XSS Common Vulnerability Scoring System:  7.0 Vulnerability Class:  Injection Technical Details & Description:  The application source code is coded in a way which allows user input values to be stored and processed by the application. CVE ID allocated :  CVE-2017-14522 Product & Service Introduction:  Wonder CMS 2.3.1 WonderCMS is an open source CMS (Content Management System) built with PHP, jQuery, HTML and CSS (Bootstrap responsive). WonderCMS doesn't require any configuration and can be simply unzipped a
Read more