
Came here after reading the article to say that I don't have the issues described in the article, and you have beat me to it (in the UK here).

> First, there is the issue of the initial authentication. "Any malicious actor who knows the [physical] card number can pretend to be the cardholder," says Raza. "The digital wallet does not have sufficient mechanism to authenticate whether the card user is the cardholder or not." He emphasizes that existing authentication methods can easily be bypassed.

When adding my physical card to Apple Pay, I had to auth my card being added with my bank via the banking app. (I also had a message in my "recent activity" section of my banking app that the card had been added to Apple Pay).

> Another issue is that, once a victim reports their card stolen, the banks only block transactions from a physical card, not ones made through a digital wallet. Banks assume that their authentication system has sufficient security to prevent attackers from adding someone else's card to their wallet, which, as Raza points out, is not the case.

My bank offers Virtual Cards, which I can use online via the "virtual" PAN issued or add the virtual card to Apple Pay and use that to pay in store. Personally I found this more convenient with budgeting than using my physical card, so I choose to use my bank's "Freeze Card" option on my physical card because honestly I only use it once in a blue moon, so might as well "freeze" it, just in case I misplace the wallet I keep it in and use virtual card(s) in Apple Pay IRL. The second I froze the physical card in the banking app I got a notification from Apple Pay telling me that card was no longer usable as a payment method. (The same would happen if I lost the card, it's just that my bank's process for reporting a card lost/stolen involves you freezing the card first.)

So IMO, it's not an issue with "digital wallet security", but how card issuers handle that security.




> So IMO, it's not an issue with "digital wallet security", but how card issuers handle that security

And mostly that unless forced by regulations, companies will more often than not do the bare minimum at the expense of consumers.


I've been thinking about this and there might be ways to do it without regulations.

The "big gun" without regulation would be the likes of Apple and Google (and/or Visa / MasterCard) telling the card issuers that they have to use these security standards. But in my "ideal world" I don't like giving Visa/MC even more "power", however in this case at least it would be kicking the card issuers and not the consumer (same could be said for Apple/Google).

The other way would be to hit the US card issuers in their pocket via class action that they were not using these security practices which could have protected customers from fraud.

But yeah you are right, until external forces (be it the card networks, digital wallets, lawsuits, the feds, etc) make entities do the "right thing" they will often just do the bare minimum.



