3 major mobile payment security risks, and how to avoid them

Two-factor authentication and secure Wi-Fi can protect your mobile wallet from thieves

Brady Porche
Staff Reporter
Focusing on credit scores and what consumers can do to improve them

3 major mobile payment security risks, and how to avoid them

As paying with your smartphone replaces swiping and dipping your card, can a checkout line phone tap pull you into a fraud trap?

Mobile payments – using virtual smartphone wallets such as Apple Pay, Samsung Pay and Chase Pay to make purchases – have grown in popularity among consumers since 2011. However, uptake has been slow, and many consumers find it inconvenient to tap their phones against checkout line card readers instead of just swiping or dipping a card or plunking down cash.

Consumers are also concerned about the security of paying with a smartphone. In a 2016 survey, Accenture found 21 percent of respondents were reluctant to enter their payment card details into their smartphones, and 19 percent said they believed paying with their phones could lead to fraud.

However, many experts say mobile payment methods offered by major providers are more secure than physical cards and cash. This is because mobile wallets use methods such as encryption and tokenization to mask payment card account numbers when you enter them and when you pay.

“With cash, you have no recourse, so you have no way of dealing with a product that was not delivered or was defective,” said Rob Clyde of cybersecurity advisory firm Clyde Consulting. “With a check or a physical credit card, you have the risk of somebody copying those numbers down and committing fraud with them.”

Despite technologically advanced protections, mobile payments aren’t immune to intrusions by hackers and identity thieves. Here are some of the biggest mobile payment security risks, and steps you can take to protect yourself.

3 big mobile payment security risks

  1. Losing your phone. It’s like losing your credit card.
  2. Cyberthieves who spoof your mobile wallet.
  3. Malware on your cellphone.

1. Losing your phone is like losing your credit card

Your smartphone is a small, slippery object that provides a huge window into your personal life. A typical iPhone or Samsung Galaxy contains the names and contact information of every key acquaintance in a person’s life, his personal photo collection and social media apps. It also can provide access to credit and bank accounts via a mobile wallet and payment apps.

If you unwittingly drop your phone at a restaurant or leave it at an airport charging station, it’s up for grabs for any unscrupulous person who would rather disrupt your life than return your lost property.

What to do: Most smartphones contain built-in protections that can prevent a phone thief from using your mobile wallet to rack up fraudulent charges. The best way to keep a thief out of your phone is to require two-factor authentication to unlock it – ideally, a PIN combined with a biometric method such as your fingerprint, facial recognition or an iris scan.

Some consumers are reluctant to use biometric authentication due to privacy concerns. But the major mobile operating systems have measures in place to protect biometric data. For example, Apple’s Touch ID feature uses a mathematical representation of your fingerprint instead of the actual print. And many of today’s smartphones have security-grade storage mechanisms, such as Samsung Knox.

“A biometric stored on a mobile device offers the advantage of authenticating yourself without any concern of it being stored in a database where it can potentially be breached,” said Shirley Inscoe, senior analyst at Aite Group.

But these methods aren’t 100-percent foolproof. In May 2017, hackers found a way to pass the Samsung Galaxy 8’s iris scan with a person’s photo and a contact lens. If you aren’t comfortable entering your fingerprint into your phone or scanning your eye, there are other security measures available. Many smartphones allow you to erase your data or turn on password authentication remotely, using a PC or a tablet if your smartphone is lost or stolen. 

2. Cyberthieves can ‘spoof’ your mobile wallet

When you add a credit or debit card to your mobile wallet, the card number is stored securely via encryption, which disguises it with a code created by an algorithm. Additionally, the major mobile wallet providers use randomly generated payment tokens to ensure your card information is not seen by merchants or even the wallet providers when you make purchases.

The risk that a cybercriminal can steal your account numbers is small, but it grows if you add cards to your mobile wallet while using an unsecured public Wi-Fi network. Clyde noted that hackers who lurk on such networks can re-create, or “spoof,” a mobile wallet’s registration system, for which you’re required to enter your card’s data.

What to do: Load your cards into your mobile wallet while at home, using your own password-protected Wi-Fi network. If you need to manage your mobile wallet while away from your home, consider setting up a personal virtual private network (VPN) for your phone.

“I always have my VPN turned on, whether I’m wandering the streets or in the airport,” said Rusty Carter, vice president of product management at mobile app security firm Arxan. “My phone is always communicating, and if it connects to [public] Wi-Fi before I’ve turned on my VPN, I’m exposed for that period of time.”

3. Your phone can become infected with malware

Cyber criminals use malware to remotely commandeer computers, smartphones and other devices or steal users’ passwords and other private information. Malware infection typically results from an unwitting user clicking on a sketchy ad or a phony link sent by a malicious third party.

Computers are generally more vulnerable than cellphones, but mobile malware is a growing threat. Cybersecurity firm McAfee reported in April that the number of mobile malware samples doubled in 2016 year-over-year. 

“Mobile malware is becoming more prevalent, and some of it is very destructive,” Inscoe said.

One such piece of malware called Fakedtoken is capable of overlaying banking and other apps that prompt Android phone users to enter payment card details. IPhones are less vulnerable to malware due to Apple’s strict quality control standards for apps, but they’re not immune. In September 2015, Chinese developers identified a piece of malware that infected nearly 3,500 iPhone apps.

"Mobile malware is becoming more prevalent, and some of it is very destructive."

What to do: Smartphones are generally safer than computers when it comes to malware. A bank or card issuer can employ security features on its own payment or banking app, but it can’t control the security features of third-party browsers where many customers manage their online accounts.

Nevertheless, avoid clicking on links included in suspicious ads, email or text messages from unfamiliar sources. And Clyde recommends installing anti-virus software on your phone as an extra safeguard.

“I always like to say anything is possible,” he said. “Just as you’re careful on your PC and what you click on or might accidentally download, you should be careful on your phone.” 

Tap with confidence – and some caution

No payment method is completely safe from theft. Wallets both virtual and tangible can be stolen from their owners, and even armored cars are robbed from time to time.

But mobile wallets offer many technologically advanced security measures, and competition between providers surely means improvements are yet to come.

“You should always be somewhat concerned,” Clyde said. “But if you’re worried about using a mobile payment method versus a traditional method, you’re probably missing the boat.”

See related: 7 easy ways to protect your credit while holiday shopping, New iPhone X's facial recognition makes Apple Pay cooler 


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 07-18-2018