Experts say mobile payments are safer than physical cards and cash, but they aren’t hacker-proof.
As paying with your smartphone replaces swiping and dipping your card, can a checkout line phone tap pull you into a fraud trap?
Mobile payments – using virtual smartphone wallets such as Apple Pay, Samsung Pay and Chase Pay to make purchases – have grown in popularity among consumers since 2011. However, uptake has been slow, and many consumers find it inconvenient to tap their phones against checkout line card readers instead of just swiping or dipping a card or plunking down cash.
Consumers are also concerned about the security of paying with a smartphone. In a 2016 survey, Accenture found 21 percent of respondents were reluctant to enter their payment card details into their smartphones, and 19 percent said they believed paying with their phones could lead to fraud.
3 big mobile payment security risks
However, many experts say mobile payment methods offered by major providers are more secure than physical cards and cash. This is because mobile wallets use methods such as encryption and tokenization to mask payment card account numbers when you enter them and when you pay.
“With cash, you have no recourse, so you have no way of dealing with a product that was not delivered or was defective,” said Rob Clyde of cybersecurity advisory firm Clyde Consulting. “With a check or a physical credit card, you have the risk of somebody copying those numbers down and committing fraud with them.”
Despite technologically advanced protections, mobile payments aren’t immune to intrusions by hackers and identity thieves. Here are some of the biggest mobile payment security risks, and steps you can take to protect yourself.
1. Losing your phone is like losing your credit card
Your smartphone is a small, slippery object that provides a huge window into your personal life. It contains the names and contact information of every key acquaintance in your life, your personal photo collection and social media apps. It also can provide access to credit and bank accounts via a mobile wallet and payment apps.
If you unwittingly drop your phone at a restaurant or leave it at an airport charging station, it’s up for grabs for any unscrupulous person who would rather disrupt your life than return your lost property.
What to do: Most smartphones contain built-in protections that can prevent a phone thief from using your mobile wallet to rack up fraudulent charges. The best way to keep a thief out of your phone is to require two-factor authentication to unlock it – ideally, a PIN combined with a biometric method such as your fingerprint, facial recognition or an iris scan.
Some consumers are reluctant to use biometric authentication due to privacy concerns. But the major mobile operating systems have measures in place to protect biometric data. For example, Apple’s Touch ID feature uses a mathematical representation of your fingerprint instead of the actual print. And many of today’s smartphones have security-grade storage mechanisms, such as Samsung Knox.
“A biometric stored on a mobile device offers the advantage of authenticating yourself without any concern of it being stored in a database where it can potentially be breached,” said Shirley Inscoe, senior analyst at Aite Group.
But these methods aren’t 100 percent foolproof. In May 2017, hackers found a way to pass the Samsung Galaxy 8’s iris scan with a person’s photo and a contact lens.
If you aren’t comfortable entering your fingerprint into your phone or scanning your eye, there are other security measures available. If your smartphone is lost or stolen, many smartphones allow you to erase your data or turn on password authentication remotely, using a PC or a tablet.
2. Cyberthieves can ‘spoof’ your mobile wallet
When you add a credit or debit card to your mobile wallet, the card number is stored securely via encryption, which disguises it with a code created by an algorithm. Additionally, the major mobile wallet providers use randomly generated payment tokens to ensure your card information is not seen by merchants or even the wallet providers when you make purchases.
The risk that a cybercriminal can steal your account numbers is small, but it grows if you add cards to your mobile wallet while using an unsecured public Wi-Fi network. Clyde noted that hackers who lurk on such networks can re-create, or “spoof,” a mobile wallet’s registration system, for which you’re required to enter your card’s data.
What to do: Load your cards into your mobile wallet while at home, using your own password-protected Wi-Fi network. If you need to manage your mobile wallet while away from your home, consider setting up a personal virtual private network (VPN) for your phone.
“I always have my VPN turned on, whether I’m wandering the streets or in the airport,” said Rusty Carter, vice president of product management at mobile app security firm Arxan. “My phone is always communicating, and if it connects to [public] Wi-Fi before I’ve turned on my VPN, I’m exposed for that period of time.”
3. Your phone can become infected with malware
Cybercriminals use malware to remotely commandeer computers, smartphones and other devices or steal users’ passwords and other private information. Malware infection typically results from an unwitting user clicking on a sketchy ad or a phony link sent by a malicious third party. Computers are generally more vulnerable than cellphones, but mobile malware is a growing threat.
“Mobile malware is becoming more prevalent, and some of it is very destructive,” Inscoe said.
One such piece of malware, called Faketoken, is capable of overlaying banking and other apps that prompt Android phone users to enter payment card details. iPhones are less vulnerable to malware due to Apple’s strict quality control standards for apps, but they’re not immune. In September 2015, Chinese developers identified a piece of malware that infected nearly 3,500 iPhone apps.
What to do: A bank or card issuer can employ security features on its own payment or banking app, but it can’t control the security features of third-party browsers where many customers manage their online accounts.
Nevertheless, avoid clicking on links included in suspicious ads, email or text messages from unfamiliar sources. And Clyde recommends installing anti-virus software on your phone as an extra safeguard.
“I always like to say anything is possible,” he said. “Just as you’re careful on your PC and what you click on or might accidentally download, you should be careful on your phone.”
Tap with confidence – and some caution
No payment method is completely safe from theft. Wallets both virtual and tangible can be stolen from their owners, and even armored cars are robbed from time to time.
But mobile wallets offer many technologically advanced security measures, and competition between providers surely means improvements are yet to come.
“You should always be somewhat concerned,” Clyde said. “But if you’re worried about using a mobile payment method versus a traditional method, you’re probably missing the boat.”