Whose hand might be in YOUR digital wallet?

Helen received an email alert from her bank letting her know she had overdrawn her primary checking account. Shortly thereafter, she received another for her savings account, two other bank accounts, and multiple credit card alerts. Helen's inbox was always full of unread emails, and these alerts just sat there like many of her other emails, ignored until she needed to purchase her morning Starbucks. Her Apple Pay was denied, her Starbucks app pay was denied, and her many other digital wallets all seemed to deny payment.

Helen, forced to pull out the little cash from her purse, paid for her latte and rushed to work. Once there, she sat at her desk and began investigating the matter. She went to her personal email account and quickly saw the emails from her bank and credit card accounts. Puzzled, Helen contacted the accounts that seemed suddenly cleared of all balances.

What is a digital wallet?

A digital or e-wallet or mobile wallet is a virtual container on your smartphone or computer.  A digital wallet is an application that houses items like event tickets, boarding passes, workplace credentials, and payment information. They allow the user a level of convenience to pay for items or access places without having to manage more traditional credentials or payment methods. Though all of these digital wallet providers primarily focus on security, like anything in technology, bad actors constantly look for a hole they can exploit.

Some popular digital wallets include Apple Pay, PayPal, Google Wallet, Samsung Pay, Airpay, and many more. Don’t forget the many retailer mobile apps that store your payment methods, making it easy to place your order ahead of time or while at a location and pay through the app.

Helen’s digital wallet was stuffed!

Though Helen reported the issue to her bank and credit card companies and was told she would have the resources restored to her accounts, she was puzzled about how she had become a victim of these bad actors. While answering some of her bank's cyber risk investigators' questions, she realized she had an email alerting her to an issue with her PayPal account last week.

Helen continued to filter through her personal email account while at her work computer, which was a violation of most companies' resource use policies, and she could not find that email. Then she realized it was on her work email account. She opened up her Outlook, and the email was in her inbox. She quickly contacted her support desk, which walked her through how to report the suspicious email. Though Helen was struck, she wondered how many others in her company could have been, too.

Helen went to her PayPal account and was unable to log in. Her credentials were no longer valid. Through a somewhat complex process, Helen eventually regained access and realized that every account accessed was listed in her PayPal account, including her work credit card! The spam email she responded to gave the cyber thieves access to every payment method registered to her PayPal digital wallet! Further discovery revealed the work credit card was charged in excess of $20K.

Access Wallets

The theft of Helen’s digital wallet was a financial inconvenience; it could have had a much more significant impact. Factors that might have made this worse might have been the time period and the items the thieves had access to. A growing type of digital wallet includes site access and multi-factor authentication (MFA) apps. These types of applications can be beneficial but have some unique threats.

Site access wallets can provide user access in various ways. The most common these days are Radio-Frequency Identification(RFID) and near-Field Communication (NFC). NFC is more common when using a smartphone and allows your phone to communicate with other Internet of Things(IoT) items by broadcasting your credentials.  Your phone becomes a small radio broadcast station to a facility access receiver, and when it provides the proper credentials, access is granted. However, capturing those credentials by another reader near the access point is easy. This process is often called skimming and is a common way to steal credit cards with RFID chip technology.

Since we as smartphone owners rarely leave our phones for too long, using them as a delivery method for payments and access makes sense for convenience, but potentially costs us when there are security gaps.

MFA is a great security tool, but it is also not impenetrable. Depending on the security used to access your MFA, various vulnerabilities exist. Let me propose this simple example. You use Microsoft Authenticator, and to keep this example short, a bad actor has gained access to your email and password combination.  They can install Microsoft Authenticator on a dummy phone, enter the credentials, and recover your authenticator backup, restoring all your saved MFA credentials.  Now, they can access your account linked to Microsoft Authenticator whenever they wish to access those codes!

MS Authenticator is not the only MFA tool that could be tricked. Virtually any ‘brand’ could be tricked. Stolen Multi-Factor Authentication (MFA) credentials can lead to various serious consequences, including unauthorized access to systems and data, financial losses, and reputational damage. Attackers can use stolen MFA credentials to bypass security measures and gain access to sensitive information, including personal data, corporate resources, and financial records.  The cost to companies when this access is violated is immeasurable!

What could Helen do to avoid this in the future?

Helen could have avoided this by applying some simple rules. You probably have heard these rules multiple times through work’s cyber awareness training, news reporting, or many other places.

Always isolate your work accounts from your personal accounts. Helen had her work credit card information linked to her personal PayPal account. She clicked on a Spam or phishing email sent to her work email and entered her PayPal credentials. Her first error was not checking to ensure the email was not spam or phishing. The second was to access her personal account from a work computer. The last was to have her work credit card information associated with her personal PayPal account. Furthermore, she had viewed her personal email account from a work computer, and if the bad actor had some other form of malware installed from her clicking on the email, they could have gained further access to her work and personal data.

Minimize the data you associate with a digital wallet or consider not using it. Hard credit cards have risks, but require obtaining a physical copy or capturing the card information through an NFC reader. Still, people tend to use one card at a time, which would only put that single card at risk. Consider associating only the minimal payment methods you require when using a digital wallet. Perhaps set aside one card to be used specifically for your digital wallet, so if ever compromised, not all your financial information is at risk.

When using your digital wallet, whether financial or access, in its NFC state, be aware of the environment. Look for skimmers, items placed above or around the reader area, and openings or other equipment close by that seem out of place. Report it before using your credentials.

MFA recovery settings should be set for more than just your email or standard credentials. Consider using another device you have for authentication, such as a cell phone, a backup email address, or another recognized, authenticated device.  Though less convenient when recovering your account, it's better than handing over ‘the keys to the kingdom!’

Good email management could have made a difference with Helen. Had she caught the spam/phishing email at work and reported it, her whole tragedy could have been avoided. Had she stayed on top of the emails coming into her account, she would have noticed multiple alerts, including a change of account credentials, account warnings, and more.

Make a plan and record it (perhaps without specific details like card info) of how you will use and associate your digital footprints and what you might need to recall for recovery purposes. Recovering MFAs and other digital wallets can be tricky if you are unaware of the information required to verify ownership when you no longer have access.

Last, be aware of your accounts. Watch your spending and, at a minimum, review the purchases monthly to ensure they are valid. I noticed an odd transaction on one of my bank accounts a few times, which was a test transaction. I caught it in time to cancel the card linked to the account and reverse the transaction. Had I not kept a close eye on it, the bad actor could have kept submitting transactions for more significant amounts, never triggering an alert, or they could have just tried one large amount. The point is, we cannot rely solely on our financial institution's safety tools.

In summary, is convenience worth it?

I wish there were a simple answer to the question. I minimize my digital wallets and heavily secure my MFA, but I am overly cautious. If someone were to apply the rules above to isolate their wallet use from accessing crossover accounts, it could minimize any negative impact if accessed. Still, perhaps ask yourself if the convenience of using our phone, smartwatch, or other smart device is worth the risks?

Companies should require their employees to isolate the tools and accounts used digitally, either by implementing personal and work profiles on smartphones or, at minimum, by ensuring that employees do not link any work digital wallet to a personal email address or account.

Next month, we will explore your ability to recover the critical data that is most valuable to you and your company.

James Knox is a resiliency expert with an innovative spirit who thrives when building meaningful solutions to various daily problems in the corporate world. He is an avid outdoorsman and loves extreme rock crawling, fishing, and hunting. As a survivalist, James has learned from necessity how to prepare for life’s bumps and thrive with practical and sensible solutions, supporting his family's self-sustaining lifestyle.