9 tips for using mobile gift cards safely
A growing number of mobile gift cards and apps let you give, receive and use gift cards all on your smartphone -- no traditional wallet needed. Convenient, right? But they also present new security issues.
The benefits of texting someone a gift card or storing your own cards in a virtual wallet are undeniable. On the way to a party and forgot to buy a gift? No worries, you can send the guest of honor a gift card from your smartphone in minutes. Worried you'll misplace a plastic gift card? You can input the information on your mobile phone.
Not many Americans are using these tools now, but more are expected to in the future. A survey by point-of-sale technology provider InComm found that 53 percent of total respondents, and 79 percent of those aged 18 to 35, are interested in storing and using gift cards on their phones. Similar numbers are interested in storing digital gift cards on their phones for self-use.
Electronic gift cards of up to $2,000 are already available from a variety of retailers. They make up a small fraction of the gift card market but the segment is expected to grow, with consumers predicted to spend $10 billion on mobile and eGift cards in 2016, according to CEB TowerGroup.
The sums of money involved, however, make tempting targets for criminals. Mobile malware is still relatively new, but it's growing. "The white hats will be researching [mobile gift cards] looking for holes to plug, and the black hats will be researching these for other reasons," says Mike Park, managing consultant at Chicago-based cyber security firm Trustwave.
How mobile gift card apps work
You can choose from several different types of mobile gift card apps:
Retailer-specific apps let you buy, send, store and spend electronic gift cards from a particular retailer. For example, with Target, you can create an online account (linked to a credit card) at Target.com, download the Target gift card app and then buy and send gift cards via text.
The recipient can redeem the card by clicking the link within the text to pull up a bar code that can be scanned at the register or an account number that cashiers can input manually. Recipients can also save the card to a Target mobile gift card account, says Target spokeswoman Meghan Cushing.
Mobile wallets let you store mobile gift cards or input the information from plastic gift cards to store them electronically. For example, Google Wallet, Amazon Wallet (in beta testing as of Dec. 3, 2014) and Apple's Passbook all allow you to upload gift cards, but you cannot buy gift cards through the apps.
Mobile gift card apps let you buy, send, store and spend electronic gift cards from a variety of retailers. Gyft and GoWallet both offer these features.
With Gyft, you can buy a mobile gift card in the app and send it by emailing the recipient, posting it on the recipient's Facebook wall (only the Facebook account holder can activate it) or texting a link to the gift card, says Gyft spokeswoman Jen Rhee.
The recipient can use the gift card with Gyft's mobile app or can add it to Apple's Passbook app or Google Wallet, Rhee says. "If you're at the store and you want to use a gift card, you can just show the cashier the card through the app, the cashier scans it and that's it," says Rhee.
GoWallet works in a similar way, though the website warns that some retailers may not be able to scan the bar code of a gift card that has been uploaded to your phone. You may also need to carry a printout or plastic version of the card just in case.
Buying, receiving and storing mobile gift cards safely
Gift cards don't enjoy the same kinds of protections that debit and credit cards do. And the market is littered with scammers. Follow these tips to keep safe.
1. Buy gift cards from trustworthy sites.
Stick to well-known, reputable websites, says Jeff Foresman, information security compliance lead with Rook Security in Indianapolis.
"If you get an email or a text message offering a deal on a mobile gift card, research the source," Foresman says. "Is the URL the correct URL for that company? Is it spelled correctly? Also, if it sounds too good to be true, it probably is. If someone is offering you a big discount on a Target mobile gift card, it's better to go directly to the Target site."
2. Be cautious about text messages saying you've received a mobile gift card. "Make sure it's a legitimate gift card before you click on the link," says Foresman. "It could be someone linking you to a malicious site to download malware to your phone."
It's always best to check with the giver first to make sure the gift card is legitimate, Foresman says. For example, he occasionally sends his college-aged son gift cards. "The first time I sent him one, he got an email and he thought it was some sort of scam," Foresman says. "Even though the mobile gift card said it came from me, he texted me and said 'Did you send me a gift card?' I trained him well."
3. Lock your phone with a complex PIN. To protect mobile gift cards you've received or bought for yourself, first protect your mobile phone. About half of smartphone owners don't even use a four-digit PIN to unlock the phone, according to surveys from Confident Technologies and from a group of Cisco partner firms.
And while a four-digit PIN is better than no PIN at all, a four-digit PIN has only 10,000 possible permutations and can be cracked in about 20 minutes, Park says. An eight-digit PIN is obviously harder to crack. Don't use easy-to-guess passwords either, such as 12345678.
4. Keep your phone away from strangers. Shoulder-surfing bystanders can take a picture of your mobile gift card when you've got it pulled up on the screen. Fraudsters may also be able to determine your PIN by looking at your phone's touch screen and seeing where the fingerprints are heaviest, says Park. So, if your PIN is 3579, there might be lots of fingerprints where the numbers 3, 5, 7 and 9 are on the screen.
5. Treat mobile gift cards like cash. That means not uploading a gift card to your phone until you're ready to use it. "If someone gets hold of that gift card and uses it before I do, I've lost it," Park says. "The only reason my Apple gift card is on my device now is because I'm going to use it today."
6. Don't post pictures of your gift card. This should be a no-brainer; unfortunately, it isn't. "A lot of people, especially younger folks, do this (post photos of gift or credit cards) on social media thinking it's safe," Park says. "Most of the ones I've seen are 'Look I've just gotten my cool new credit card. See how cool my signature is.' You've just given me all the information that's on the card. I can log into Best Buy and make an order just as easily as you can."
7. Use app PINs and passwords too. Many apps require a PIN or password to access the account. Others make it optional, but it's best to use one. An app password provides a second layer of defense, along with a phone PIN, in case your phone is lost or stolen.
8. If your PIN is compromised, act quickly. You may be able to suspend or deactivate your account -- but you'll need to do so before someone spends the gift card balance. "Unfortunately, if we are not able to put a pause on the user's account before the perpetrator spends the gift card, it is out of our control if the gift card has been redeemed already," Gyft's Rhee says. "Therefore, we highly recommend that our users place a passcode on their account and/or contact us ASAP before the perpetrator is able to access their account."
9. Know your rights. Some mobile wallet providers also run their own analytics to detect fraud. GoWallet, for example, can suspend or deactivate an account based on fraudulent use patterns detected by company monitoring, Campos says. Google Wallet has 24/7 fraud monitoring and a fraud protection guarantee, which covers 100 percent of transactions made without your authorization.
But generally, mobile and e-gift cards are nonrefundable. They don't enjoy the same protections as app-based credit or debit card payments. Target is one company that makes some exceptions. The retailer will replace any Target gift card, e-gift card or mobile gift card that has a remaining balance and valid proof of purchase, Cushing says.