[Openid-specs-fapi] (FYI) In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping

Anders Rundgren anders.rundgren.net at gmail.com
Mon Sep 2 15:39:49 UTC 2024


On 2024-09-02 14:54, Nat Sakimura via Openid-specs-fapi wrote:
> I have only read the abstract and a Japanese report on it, but it looks pretty intriguing.
> 
> As one of the mitigations, it is proposing a push-based MFA authentication method.
> 
> * The abstract: https://www.usenix.org/conference/usenixsecurity24/presentation/anwar
> * The paper: https://www.usenix.org/system/files/usenixsecurity24-anwar.pdf

Thanx, this was interesting.

Most real-world fraud is likely to be rooted in identity fraud rather than weaknesses in wallets and protocols.

The paper does not mention device attestations.  Although currently in limited use, device attestations can vouch for the authenticity of the wallet application.  Together with per-application keys, issuers should feel fairly confident about the wallet part, even if the user installs malware.

Wallets for A2A payments like EPI differ since there are no "SEPA cards" to clone.

As the paper mentions, recurring payments represent another venue for fraud.  However, asking for wallets to take part in anything but the initial authorization is probably not going to happen.

P2P payments remain a thorny problem.  Seems we have run out of silver bullets.

Cheers,
Anders


> 
> Cheers,
> 
> Nat Sakimura
> 
