Episode
66

eWallets: Approaching a Contactless Future

In recent years, purchasing methods of consumers have drastically changed. Relative to the security space, the introduction of Electronic Wallets (eWallets) and the need for convenience and safety has become crucial.

Today, the team at Vancord discusses this topic of eWallets, mention their recommendations for use, and addresses a few of the security concerns you should consider. The team believes this up-and-coming feature will be the new reality over the coming years.

CyberSound ep66

Episode Transcript

00:01
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.

Jason Pufahl 00:13
Welcome to CyberSound. I’m your host, Jason Pufahl, joined, as always, by Steve Maresca and Matt Fusaro. Hey guys. So coming out of our pandemic, or maybe we’re out of our pandemic, but we are going to talk today about the proliferation of sort of eWallets. And I say that because the, you know, the title of the episode is going to be contactless future. And really, they had a huge gain in popularity throughout the pandemic, as people were concerned about exactly that, right? Putting their cards places, touching things, right. So I think I read a stat that said something like 70% of people are now using eWallets. I’m not a huge fan of the stat.

Matt Fusaro 00:21
Hello.

Expand Transcript

Steven Maresca 00:21
Hey there. I disbelieved it when you said it to me.

Jason Pufahl 01:02
So I think we’re gonna spend some time talking about the types of eWallets that exist. And sort of what I learned even spending some time on this was, it’s a pretty broadly defined category.

Steven Maresca 01:16
So what’s an eWallet to, you know, your siblings?

Jason Pufahl 01:20
So I’ll say this, I picture an eWallet a little bit more akin to a traditional wallet where you can put your store cards, you can put your bank cards, your driver’s license, etc. and there are things that are similar to that, right, your Apple Wallet, I think has qualities that are similar to that although it doesn’t necessarily cover everything. When you start to look at it though, it’s wallets for cryptocurrency, it is wallets so that you can facilitate payments within an online gaming, you know, gambling online gaming type forum, wallets for things like Starbucks, like they would call your Starbucks card an eWallet, which I suppose, right? So I feel like I’ve got 25 eWallets and you know, not one single location, which is challenging. But I think it is useful to kind of maybe go through the different types that are out there, right, that traditional wallet model is built into your Google phones and your Apple phones with your Apple Wallet, and Apple Pay and Google Wallet and I think Android Pay is the other option there. So, you know, have a credit card loaded, walk up to a terminal, tap it on there using NFC, it’s something I think Steve will spend some time on maybe, maybe it’s a fine time to talk NFC for a second anyway, before we get down to the other pieces.

Steven Maresca 02:38
I mean, sure, people who are used to using their phones or something like that to begin a transaction, I mean, it’s convenient, right, you don’t have to pull out your wallet, you don’t have to take something that could be private, that you don’t want other people looking at and, you know, put it within an inch of whatever you’re trying to buy and you’re done. Near Field Communication is what NFC stands for, and ultimately all that means is that there’s a little bit of radio signal between your device and a reader to exchange information that would otherwise be read with magnetic stripe or you know, the pin, or the chip and pin whatever aspect of it, it’s just another way of getting that data to the merchant. Generally speaking, people perceive it as secure because you know, you only you can only be within an inch of whatever you’re,

Jason Pufahl 03:26
Like four centimeters I think, right, is the spec?

Steven Maresca 03:29
Hypothetically, right, it’s low power. So that’s the point of it. Is it really safe? Sure. Maybe. If you have a big enough antenna, can you pick it up from 300 feet away? Yeah, absolutely. But there are ways that it’s protected, nevertheless.

Matt Fusaro 03:45
Yeah, most of the time, even if you have someone skimming or something like that, with a large antenna, it’s still gonna ask if you want to proceed with that transaction. There needs to be some type of user interaction most of the time, not all the time, depends on what it is you’re using, but most of the time, there’s something in front of that.

Jason Pufahl 04:02
The and really, I’m sure a lot of people have experienced, even if they haven’t loaded a Payment Guardian, experience the use of an Apple Wallet or something similar when going to sporting events or boarding a plane, right, those types of tickets are incredibly helpful.

Steven Maresca 04:16
Right, and this is adjacent to RFID, which is of course ubiquitous in all sorts of other ways, you know, tapping on a terminal at the subway, it’s exactly the same stuff, happens a little differently, but the idea’s the same.

Jason Pufahl 04:27
And it’s nice to centralize it into a single device, you’re carrying your phone all the time anyway. So there’s huge, huge conveniences that we’re going to see in this space. The sort of the next type of wallet would be what I’ll call this the payment wallet where you’re using Venmo directly or maybe Zell or PayPal. I think even you’re seeing some of those features now in Apple, you know Apple Wallet and Apple Pay because I think you can do some some cashless or cash sending to friends, etc. Lots of people clearly using Venmo or its competitors nowadays. Your hardware, well, hardware and software based crypto wallets, hardware being, you know, exactly that right, transferring your cryptocurrencies onto a piece of hardware keeping them offline versus maybe an online wallet, you know, and again, you’re going to need multiple of those because they, they don’t all support sort of the same chaining technologies, right? So you’re gonna have a few of those to support whatever currencies you’ve got. And that, you know, and then finally, right, some really, really niche ones where they’re designed specifically for in-game purchases, or gambling, etc. So, pretty wide range, it’s probably others, quite frankly, you do a search on it, password managers might actually come up so you know, people, the web sometimes refers to LastPass, and Dashlane, etc. is wallets.

Steven Maresca 05:53
Certainly browsers are close enough, they ask if they, you know, they want to remember your credit card after you’ve used it once. Same idea.

Jason Pufahl 05:59
So I think it’s fair for us to make that assumption that they’re just going to get more popular. We’re gonna see more integrations, you’re gonna see more integrations with Apple Wallet, you know, Google Wallet, with all of your apps that we talked about, right? Your Starbucks, your Ticketmasters, etc. This is a security podcast, so I think the question is, how do we make, you know, what are the security concerns here? You alluded a little bit, maybe Steve showed the risk around NFC and, you know, the drive by interception, perhaps of data?

Steven Maresca 06:36
Sure. I’ll describe that as not a current risk when you’re exercising a transaction, I mean, per your point Matt, you know, you’re confirming actively as a participant, but it’s more of an after the fact risk, you know, if the transaction is possible to observe, that means enough data was exchanged to actually initiate a transaction, that means all of the components that facilitate exchange of money, therefore, if you’re sitting on it, and there’s a weakness in some sort of an eWallet, or a weakness in the protocol on the card, potentially, then an attacker could just collect 1,000 or 10,000 of them and then pull out whatever they can six months later. That’s entirely reasonable. I made reference to it, the talk I attended, turns out a long time ago, in 2009, where passports which have RFID chips in them these days, were siphoned by someone with just an antenna and a backpack is totally viable. Part of the purpose of the convenience is in sharing something. Therefore, there isn’t a huge degree of security protecting that actual interchange. Is there some? Yes. But the truth is, it’s observable because it’s part of the purpose of the eWallet for NFC, therefore, you know, it’s, there’s a window for exposure.

Matt Fusaro 08:01
Yeah, especially when you have physical cards or IDs, you know, a passport or a credit card that’s got that, there’s not really much interaction from the user besides it being present. Right and putting it in the right area, so that the signal happens.

Steven Maresca 08:15
It’s an important point, if you’re in the US, Card-Present, Card-Not-Present Transactions are far more flexible than say they are in Europe. Europe has had the chip and PIN for an eternity. The US, because of implementation issues, basically, is loose about it. Whereas if you’re in France, and you have a chip and PIN card, if you can’t supply your PIN, you’re not, you’re not transacting. In the US, similarly with Near Field Communications in general, crypto wallets, eWallets, things are permissive. And that’s a problem to me.

Jason Pufahl 08:56
So I’m trying to listen to this and think, well, one thing comes to mind for me is, is it arguably more secure to have a credit card loaded on the phone, potentially, than a credit card sitting in your wallet? So you know, because what you just described, Matt, was somebody scanning for a passive, basically a passive card, wherever you described, Steve, was eavesdropping on a payment action, essentially once it’s been authorized, right, so you’re actively in the act of paying versus really that passive, hey I’m walking by with a card in my wallet.

Matt Fusaro 09:30
Yeah, I mean, they each have their own risks.

Steven Maresca 09:32
Yeah, I would say it’s net less risk because,

Jason Pufahl 09:36
Less risk to use an eWallet.

Steven Maresca 09:40
Yes, for all the reasons that you would typically articulate, you have fewer, you have fewer opportunities for direct exposure, ultimately.

Matt Fusaro 09:50
I mean, you lose your phone, someone’s still going to need to be able to get into the phone, you lose your card, it’s usable, most of the time.

Steven Maresca 09:57
You know, just a mugging, you know, say it’s a pickpocket, you know, they have your card now. It’s a Card Present transaction with no effort whatsoever. If you lose your phone, you need biometrics, you need a pin to get into it, kinda which is your point ultimately. So it’s more secure. You have fewer things to carry, you can protect what you’re carrying more effectively, if you have fewer things to carry. I mean, it’s just easier to articulate in that sense.

Matt Fusaro 10:22
So if you mug someone, you’re gonna take their phone and get their face ID and their finger. This is a long transaction now. Maybe this will cut down on crime.

Jason Pufahl 10:31
This has gotten a lot darker though.

Steven Maresca 10:32
Well, this has been in movies for 25 years. Now, it’s just reality, I guess.

Jason Pufahl 10:37
Well the thumb degrades after some period of time, I suppose.

Matt Fusaro 10:40
Okay, this is true.

Jason Pufahl 10:40
This is true.

Matt Fusaro 10:43
But you also have a problem where you’ve got nefarious friends, that you’re sleeping on a couch, guess what, and your phones out?

Jason Pufahl 10:51
That’s true.

Matt Fusaro 10:52
You know, face ID works, right?

Jason Pufahl 10:53
Right, yeah, I mean, certainly my kids, if they need to get access, they quickly hold it up to me, and then scurry off to do whatever they need to do.

Steven Maresca 11:01
Meanwhile, my daughter looks close enough to me that she can unlock my phone with her face.

Jason Pufahl 11:05
Really?

Steven Maresca 11:05
Yeah, it’s a little creepy.

Jason Pufahl 11:07
She has that much facial hair already?

Steven Maresca 11:10
Anyway, yeah, I think eWallets are safer, let’s be honest.

Jason Pufahl 11:20
So let’s talk a little bit about sort of data protection or app protection, or is there anything, NFC aside, right, because we talked a little bit about the eavesdropping stuff. We talked about locking your phone with a PIN. And certainly, certainly that’s a requirement if you’re going to use any of this. And I think it actually forces you to do that if you try to use Apple Pay or whatever. Biometrics, like face ID or thumbprints for older phones, things like that. So in a lot of ways, pretty similar protective technologies as for anything else, right, two-factor being being a key one here. Anything else people really need to do? I don’t think it’s anything so unique.

Matt Fusaro 12:02
Yeah, making sure that it has some type of two-factor, with, like you said, whether it’s biometrics or pins, or whatever it might be, right, and make sure it’s not something simple. When you go into the offline cold storage type thing, say, like a ledger for crypto, that stuff is, the whole point of it is to keep it offline, right? So that it’s not accessible. Yeah, with things like that, if you if you’re, if you have an online wallet, typically you don’t own the wallet anyway, it’s a hosted service by Coinbase or something like that. This is really to keep that stuff offline so you’re not susceptible to attacks.

Jason Pufahl 12:41
Right. And the interesting point being there in many ways is your money in your bank is protected by law, right? FDIC and whatever, I think but a big part of the crypto issues were that there wasn’t any kind of federal protection for your money there. So you really didn’t want to keep it offline and protected better.

Steven Maresca 13:03
Some folks with crypto would assert that that’s a feature not a bug like right, ultimately, though, eWallets built for consumer use are based around accessibility and convenience. They tend not to fall over immediately. A crypto wallet that’s, you know, a hard token of some kind that has a PIN you have to remember, you have to remember or you can’t, you can’t ever use it. There’s a good example from I don’t know, earlier this year, like January 2022. Joe Grand, well known hardware hacker from the last 30 years, broke into a crypto wallet to recover 2 million approximately in theta tokens, you know, sort of a fringe cryptocurrency but the point is, you know, it required massive effort to break into a legitimately owned and legitimately forgotten device. The end of the day, if you can’t get access to what you’re storing in your wallet,

Jason Pufahl 14:06
Right. Yeah, I mean, it’s still on you to remember passwords, right? It’s still on you to make sure that you have access to the data, essentially, that you’re storing.

Steven Maresca 14:15
Backing way up, you know, what’s the risk? Just the same as using your card in public. Can it be skimmed? Yeah, let’s just assume that it can be right. You have to keep track of your transactions, know what you’ve spent, know where you’ve spent it, review it on a regular basis, the same rules apply.

Jason Pufahl 14:31
Right. And you gain really huge convenience benefits because you are going to carry, mostly everybody’s going to carry their phone all the time. So you’re not dealing with peculiar form factors for things like airline tickets or whatever the case might be, reduces to some degree what you’re carrying, I think. I mean, I can say for me personally, it’s rare I carry cash and frankly, a lot of times I’m comfortable walking out of the house without my wallet perhaps with the exception of not having my licence on me, right? But you can do everything you need to at this point on your phone.

Matt Fusaro 15:04
And to add to it, be careful the merchants that you’re spending your money with too, you know, if you’re on the side of a road, getting gas from a gas station that looks like it’s been run over, maybe don’t use anything but cash there. You know, if you can, obviously you might be in a bad spot but,

Steven Maresca 15:22
An interesting point about the license just for people who aren’t aware, there are some states that permit storage of your driver’s license in your Apple Wallet, for example. Yeah, Connecticut is, I believe, a physical license state.

Jason Pufahl 15:22
That’s fair. Yeah, an Apple Wallet, I think the only ones I think it’s Arizona and Maryland are the only two options that show up in the wallet that I’ve seen. Not to say there’s not ways to enable more.

Steven Maresca 15:46
Doesn’t matter, necessarily just you know, know what your local laws are. But the point is, some people do not need at all their wallet that they used to carry. It’s an interesting new reality.

Jason Pufahl 15:57
I mean, honestly, there’s a piece of me that’s looking forward to that, because I do tend to use the wallets pretty regularly. And I think the more I use it, the more I realize they just aren’t convenient. And I think as long as you’re, you’re like anything, properly protect it, there’s no reason not to sort of move that direction. So any closing words at all? I feel like we’ve covered this pretty, pretty thoroughly.

Steven Maresca 16:19
Use reputable wallets, don’t use, you know, your browser just because it happens to have a credit card remembering function, use something a little more, you know, vetted. That’s all. Centralize, use something that’s, well known, that’s it.

Jason Pufahl 16:35
So it’s an interesting point. And I don’t know that we’ll be able to solve this problem here. But when I started Googling for wallets, there’s hundreds of them and there’s ones that are really obvious, you know, your Coinbase, your Bank of America’s and Apple, Google, etc. Boy, you get some crazy wallets out there. And I don’t know how you would make the determination of whether or not they were safe or not in some of the cases. So I think maybe to your point, it is safer to be mainstream, let things get some subtraction before we really look at it. But there are a lot of things out there.

Matt Fusaro 17:08
Use something sponsored by your financial institution, whatever it might be, because they typically do the vetting for you or, you know, Apple Pay, Google Wallet are pretty well vetted, so.

Steven Maresca 17:19
This is actually another one of those scenarios where know where you live or know where you’re visiting, for that matter. And know what’s the norm, because US dollars, just the US dollar. Yes, it’s internationally recognized. But you know, if you’re in Australia, you’re using different apps. If you’re, if you’re in Europe, that’s true. If you’re, you know, Polynesia, the same thing is accurate. It’s just, know what’s accepted where you’re going. Same thing, same rules with all the currency

Jason Pufahl 17:49
So for everybody going to Polynesia, I just think that’s an interesting spot just to pick out of thin air.

Steven Maresca 17:57
Just just random roll the dice.

Jason Pufahl 18:01
So on that, you know, as always, we do hope people sort of got some value out of this. We appreciate everybody listening, I think eWallets is a really interesting topic. Certainly, we’re going to see more and more activity in this space. So I think it’d be it’s worth being mindful of what’s going on and paying attention to how you’re managing and protecting credit, funds, etc. So thanks for listening. Enjoy.

18:25
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.

Episode Details

Hosts
Categories