Two-factor authentication and secure Wi-Fi can protect your mobile wallet from thieves
Focusing on credit scores and what consumers can do to improve them
As paying with your smartphone replaces swiping and dipping
your card, can a checkout line phone tap pull you into a fraud trap?
Mobile payments – using virtual smartphone wallets such as
Apple Pay, Samsung Pay and Chase Pay to make purchases – have grown
in popularity among consumers since 2011. However, uptake has been slow, and
many consumers find it inconvenient to tap their phones against checkout line
card readers instead of just swiping or dipping a card or plunking down cash.
Consumers are also concerned about the security of paying with a smartphone. In a
Accenture found 21 percent of respondents were reluctant to enter their payment
card details into their smartphones, and 19 percent said they believed paying
with their phones could lead to fraud.
However, many experts say mobile payment methods offered by
major providers are more secure than physical cards and cash. This is because
mobile wallets use methods such as encryption and tokenization to mask payment
card account numbers when you enter them and when you pay.
“With cash, you have no recourse, so you have no way of
dealing with a product that was not delivered or was defective,” said Rob Clyde
of cybersecurity advisory firm Clyde Consulting. “With a check or a physical
credit card, you have the risk of somebody copying those numbers down and
committing fraud with them.”
Despite technologically advanced protections, mobile
payments aren’t immune to intrusions by hackers and identity thieves. Here are
some of the biggest mobile payment security risks, and steps you can take to
3 big mobile payment security risks
- Losing your phone. It’s like losing your credit card.
- Cyberthieves who spoof your mobile wallet.
- Malware on your cellphone.
1. Losing your phone
is like losing your credit card
Your smartphone is a small, slippery object that provides a
huge window into your personal life. A typical iPhone or Samsung Galaxy contains
the names and contact information of every key acquaintance in a person’s life,
his personal photo collection and social media apps. It also can provide access
to credit and bank accounts via a mobile wallet and payment apps.
If you unwittingly drop your phone at a restaurant or leave it
at an airport charging station, it’s up for grabs for any unscrupulous person
who would rather disrupt your life than return your lost property.
What to do: Most smartphones
contain built-in protections that can prevent a phone thief from using your
mobile wallet to rack up fraudulent charges. The best way to keep a thief out
of your phone is to require two-factor authentication to unlock it – ideally, a
PIN combined with a biometric method such as your fingerprint, facial
recognition or an iris scan.
Some consumers are reluctant to use biometric authentication
due to privacy concerns. But the major mobile operating systems have measures
in place to protect biometric data. For example, Apple’s Touch ID feature uses
a mathematical representation of your fingerprint instead of the actual print. And
many of today’s smartphones have security-grade storage mechanisms, such as Samsung Knox.
“A biometric stored on a mobile device offers the advantage
of authenticating yourself without any concern of it being stored in a database
where it can potentially be breached,” said Shirley Inscoe, senior analyst at Aite Group.
But these methods aren’t 100-percent foolproof. In May 2017,
hackers found a way to pass the Samsung Galaxy 8’s iris scan with a person’s
photo and a contact lens. If you aren’t comfortable entering your
fingerprint into your phone or scanning your eye, there are other security
measures available. Many smartphones allow you to erase your data or turn on
password authentication remotely, using a PC or a tablet if your smartphone is lost or
2. Cyberthieves can
‘spoof’ your mobile wallet
When you add a credit or debit card to your mobile wallet,
the card number is stored securely via encryption, which disguises it with a
code created by an algorithm. Additionally, the major mobile wallet providers
use randomly generated payment tokens to ensure your card information is not
seen by merchants or even the wallet providers when you make
The risk that a cybercriminal can steal your account numbers
is small, but it grows if you add cards to your mobile wallet while using an
unsecured public Wi-Fi network. Clyde noted that hackers who lurk on such
networks can re-create, or “spoof,” a mobile wallet’s registration system,
for which you’re required to enter your card’s data.
What to do: Load
your cards into your mobile wallet while at home, using your own
password-protected Wi-Fi network. If you need to manage your mobile wallet
while away from your home, consider setting up a personal virtual private network
(VPN) for your phone.
“I always have my VPN turned on, whether I’m wandering the
streets or in the airport,” said Rusty Carter, vice president of product
management at mobile app security firm Arxan. “My phone is always
communicating, and if it connects to [public] Wi-Fi before I’ve turned on my
VPN, I’m exposed for that period of time.”
3. Your phone can
become infected with malware
Cyber criminals use malware to remotely commandeer
computers, smartphones and other devices or steal users’ passwords and other
private information. Malware infection typically results from an unwitting user
clicking on a sketchy ad or a phony link sent by a malicious third party.
Computers are generally more vulnerable than cellphones, but
mobile malware is a growing threat. Cybersecurity firm McAfee reported
in April that the number of mobile malware samples doubled in 2016
“Mobile malware is becoming more prevalent, and some of it
is very destructive,” Inscoe said.
One such piece of malware called Fakedtoken
is capable of overlaying banking and other apps that prompt Android phone users
to enter payment card details. IPhones are less vulnerable to malware due to
Apple’s strict quality control standards for apps, but they’re not immune. In
September 2015, Chinese developers identified a piece of malware that infected
nearly 3,500 iPhone apps.
“Mobile malware is becoming more prevalent, and some of it is very destructive.”
What to do: Smartphones
are generally safer than computers when it comes to malware. A bank or card
issuer can employ security features on its own payment or banking app, but it
can’t control the security features of third-party browsers where many
customers manage their online accounts.
Nevertheless, avoid clicking on links included in suspicious
ads, email or text messages from unfamiliar sources. And Clyde recommends
installing anti-virus software on your phone as an extra safeguard.
“I always like to say anything is possible,” he said. “Just
as you’re careful on your PC and what you click on or might accidentally
download, you should be careful on your phone.”
Tap with confidence –
and some caution
No payment method is completely safe from theft. Wallets
both virtual and tangible can be stolen from their owners, and even armored
cars are robbed
from time to time.
But mobile wallets offer many technologically advanced
security measures, and competition between providers surely means improvements
are yet to come.
“You should always be somewhat concerned,” Clyde said. “But
if you’re worried about using a mobile payment method versus a traditional
method, you’re probably missing the boat.”
See related: 7 easy ways to protect your credit while holiday shopping, New iPhone X’s facial recognition makes Apple Pay cooler
Three most recent Emerging payment systems: Prepaid, debit, gift cards stories: