Weaknesses in mobile payment wallets and how to avoid data breaches
The convenience that comes with mobile wallets or mobile payment apps is top-notch. These apps make purchases easier and, because they are installed on the mobile devices we already carry, they are always at hand in a way a physical wallet is not. It is projected that more than half of the world, or 4.8 billion mobile citizens, will embrace digital wallets by 2025. However, as mobile wallet adoption continues to grow, these apps are becoming a primary target for fraudsters: an estimated 20% of current fraud cases are attributed to digital wallet hacking, and that share is still growing.
Attackers target both mobile payment app vendors and their customers. Common mobile payment wallet weaknesses and attacks include:
- transparent or malicious overlays placed on top of the application's legitimate screen to capture what the user enters
- keylogging malware that harvests usernames, passwords, credit card details, and more
- weak encryption that a persistent threat actor can eventually break
- running the wallet inside emulators, simulators, or other automated systems in order to weaponise it
- man-in-the-middle attacks, password cracking, and vulnerabilities in outdated software
- digital wallet trojans or mobile wallet clones that mimic the legitimate app.
To stay safe and mitigate these attacks:
- put security measures in place that detect when overlay screens or keylogging malware are running on the device, and report such findings to the mobile wallet vendor
- mobile wallet developers and security professionals should prevent the wallet from running on jailbroken or rooted devices, including blocking advanced rooting and root-hiding tools
- mobile wallet vendors should ensure that all wallet data stored locally is encrypted at rest, using advanced white-box cryptography and threat-aware encryption keys to encrypt the app sandbox, files, strings, resources, preferences, and native libraries
- as a mobile wallet user, use a strong password of 12 characters or more that combines upper- and lowercase letters, numbers, punctuation, and special symbols. Update your mobile wallet app when necessary and avoid accessing your wallet over public Wi-Fi.
Mobile wallet vendors should also implement runtime application self-protection (RASP) measures, in particular anti-tampering, anti-debugging, and emulator protections, along with VPN-related protections. They are required to use Mobile Piracy Prevention to ensure that Android and iOS apps cannot be copied or turned into trojan apps after being published on the public app stores.
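The rooted-device check from the mitigation list and the emulator protection mentioned here are usually implemented as start-up heuristics in the app itself. The following Android/Kotlin example is added here and is not the article's or any vendor's code; `DeviceIntegrity`, `IntegrityReport`, `enforceIntegrity`, and the lists of su paths and package names are assumptions for this example (the lists are illustrative, not exhaustive). It returns every indicator it finds as a readable reason so the app can log the finding and refuse to show anything sensitive.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import android.util.Log
import java.io.File

// Added example (not the article's or any vendor's code): start-up heuristics a
// wallet can run before showing anything sensitive.
data class IntegrityReport(
    val rootIndicators: List<String>,
    val emulatorIndicators: List<String>
) {
    val trusted: Boolean get() = rootIndicators.isEmpty() && emulatorIndicators.isEmpty()
}

object DeviceIntegrity {
    // Well-known locations of the su binary on rooted devices (assumption: illustrative list).
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    )

    // Root managers, one of which ships a root-hiding feature (assumption: illustrative list).
    private val ROOT_PACKAGES = listOf(
        "com.topjohnwu.magisk",   // Magisk (includes the MagiskHide / DenyList root-hiding feature)
        "eu.chainfire.supersu"    // SuperSU
    )

    fun check(ctx: Context): IntegrityReport {
        val root = mutableListOf<String>()
        val emu = mutableListOf<String>()

        // 1. Firmware signed with test keys indicates a custom or engineering build.
        if (Build.TAGS?.contains("test-keys") == true) root += "build tagged test-keys"

        // 2. su binary present on any of the usual paths.
        SU_PATHS.filter { File(it).exists() }.forEach { root += "su binary at $it" }

        // 3. Root-management / root-hiding packages installed.
        ROOT_PACKAGES.forEach { pkg ->
            try {
                ctx.packageManager.getPackageInfo(pkg, 0)
                root += "package $pkg installed"
            } catch (e: PackageManager.NameNotFoundException) {
                // not installed: nothing to record
            }
        }

        // 4. Emulator fingerprints: goldfish/ranchu are the AVD virtual hardware names,
        //    Genymotion sets its own manufacturer, and SDK images use generic build strings.
        val hw = Build.HARDWARE.lowercase()
        if (hw.contains("goldfish") || hw.contains("ranchu")) emu += "hardware=$hw"
        if (Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.contains("emulator"))
            emu += "fingerprint=${Build.FINGERPRINT}"
        if (Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator") ||
            Build.MODEL.contains("Android SDK built for"))
            emu += "model=${Build.MODEL}"
        if (Build.MANUFACTURER.contains("Genymotion")) emu += "manufacturer=${Build.MANUFACTURER}"
        if (Build.PRODUCT.contains("sdk") || Build.PRODUCT.contains("emulator"))
            emu += "product=${Build.PRODUCT}"

        return IntegrityReport(root, emu)
    }
}

// Typical use from Application.onCreate(): log the reasons and refuse to proceed.
fun enforceIntegrity(ctx: Context): Boolean {
    val report = DeviceIntegrity.check(ctx)
    if (!report.trusted) {
        // assumption: replace this log line with your own reporting hook to the vendor backend
        Log.w("WalletIntegrity", "root=${report.rootIndicators} emulator=${report.emulatorIndicators}")
    }
    return report.trusted
}
```

These checks are cheap and catch the common cases, but they are heuristics that run inside the app and can be defeated by the root-hiding tools the article warns about. Treat a failed check as a reason to stop and report, and pair it with remote device attestation (on Android, the Google Play Integrity API) so that the final decision to allow a transaction is made on the server rather than on the device.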