Is mobile payment technology secure? While companies such as Google, Apple and Venmo are racing to assure consumers their data is safe and sound, users aren’t convinced. As noted by TechTarget, just 3 percent of mobile phone owners in the United States accessed their mobile wallets in-store over the past three months. However, it isn’t all bad news for mobile payment developers, since 57 percent of consumers polled reported they were interested in these technologies. Are consumers just cautious, or are mobile payments not quite ready for mainstream adoption?

The Problem With Payment Technology

According to a recent Forbes article, some layers of the mobile payment process are secure. For example, near field communication (NFC) means no physical credit cards are necessary. However, there are other ways for malicious actors to get their hands on consumer data, and it all depends on the security of a vendor’s mobile payment product. The following is a look at how some of the big-name players stack up:

Apple Pay

Available for iPhone 6 and iPhone 6 Plus users, Apple Pay uses a form of tokenization to protect consumer data. First, users send encrypted payment card details to Apple, which decrypts the data, identifies the card’s payment network and then re-encrypts the data with a key only the payment network can use. The network then creates a device-specific Device Account Number that is encrypted and sent back to Apple.

Apple does not keep a copy of the number. The Device Account Number is stored in the Secure Element of the user’s iPhone, where it is kept separate from iOS, never sent to Apple servers and never backed up in the cloud. The result is a reasonably secure payment method: no real credit card data is ever sent via NFC, only the user’s unique Device Account Number.
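To make the token flow concrete, here is an added example (not Apple’s code and not the actual EMV tokenization protocol) that models the property the paragraphs above describe: the payment network keeps the only mapping from a Device Account Number back to the real card number, and what crosses the NFC link is the token plus a per-transaction cryptogram rather than the card data. The per-device key, the counter-based replay check and the sample card number are assumptions of this model, not details from the article.

```python
# Added example: a simplified model of payment tokenization in the spirit of
# the Device Account Number flow. Not Apple's code and not the real EMV
# tokenization protocol; the per-device key, the transaction counter and the
# sample card number are constructed assumptions.
import hashlib
import hmac
import secrets


def make_cryptogram(device_key, token, amount_cents, merchant_id, counter):
    # Binds one transaction to the token, amount, merchant and counter so that
    # a captured message cannot be reused or altered.
    msg = f"{token}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PaymentNetwork:
    """Token vault: the only place a token maps back to a real card number."""

    def __init__(self):
        self.vault = {}          # token -> (pan, device_key)
        self.last_counter = {}   # token -> highest counter already accepted

    def issue_device_account_number(self, pan):
        # Random 16-digit token that cannot be derived from the PAN, plus a
        # fresh per-device key used only for transaction cryptograms.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        device_key = secrets.token_bytes(32)
        self.vault[token] = (pan, device_key)
        return token, device_key

    def authorize(self, token, amount_cents, merchant_id, counter, cryptogram):
        entry = self.vault.get(token)
        if entry is None:
            return False                       # unknown token
        if counter <= self.last_counter.get(token, 0):
            return False                       # replayed message
        _pan, device_key = entry
        expected = make_cryptogram(device_key, token, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False                       # tampered or forged
        self.last_counter[token] = counter
        return True


class SecureElement:
    """Holds only the token and device key; the PAN never reaches the device."""

    def __init__(self, token, device_key):
        self.token = token
        self.device_key = device_key
        self.counter = 0

    def tap(self, amount_cents, merchant_id):
        # Everything the NFC reader receives is in this dict.
        self.counter += 1
        return {
            "token": self.token,
            "amount_cents": amount_cents,
            "merchant_id": merchant_id,
            "counter": self.counter,
            "cryptogram": make_cryptogram(self.device_key, self.token,
                                          amount_cents, merchant_id, self.counter),
        }


def provision(network, pan):
    # Stands in for the card-enrollment round trip; the device only ever
    # receives the token and the device key, never the PAN.
    token, device_key = network.issue_device_account_number(pan)
    return SecureElement(token, device_key)


def run_demo(pan="4111111111111111"):  # constructed test PAN
    network = PaymentNetwork()
    device = provision(network, pan)

    first = device.tap(1299, "merchant-42")
    second = device.tap(450, "merchant-42")
    tampered = dict(second, amount_cents=1)   # merchant-side alteration

    return {
        "pan_on_wire": pan in str(first),
        "first_ok": network.authorize(**first),
        "replay_ok": network.authorize(**first),
        "tampered_ok": network.authorize(**tampered),
        "second_ok": network.authorize(**second),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the separation of trust: a merchant or anyone sniffing the NFC exchange sees a token and a one-time cryptogram, and only the network’s vault can turn the token back into a card number, so a compromised reader yields nothing that can be charged elsewhere or replayed.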

This isn’t to say Apple Pay is entirely problem-free. A recent ZDNet article reported that lapses in verification between Apple Pay and banks could make it possible for cybercriminals to link stolen credit cards to the system using card verification values gleaned from hacking online stores. While this isn’t a widespread problem, it points to a broader issue: No payment technology system is perfect.

Google Wallet

Rolled out in 2011, Google Wallet offers functionality similar to Apple Pay but hasn’t enjoyed the same scale of adoption. As noted by TechRepublic, setting up the Wallet is easy: Users simply download the app, create a PIN, link their favorite cards and then hold their phone near a participating retailer’s NFC reader. The big difference lies in how Google stores data. The Wallet app stores credit and debit card information on secure servers and encrypts this data using Secure Sockets Layer (SSL). Full credit card details are not shared with merchants and do not appear in the app, but unlike Apple, Google does not use tokens to bridge the gap.

For users who don’t feel comfortable using the Wallet app as a direct payment method, another option is the Google Wallet Card. This is a physical card linked to the Wallet app. Money can be added to the card via Wallet or Gmail transfers or by using a linked credit or debit card. Think of it like a hybrid form of mobile payment; it is linked to the app but not entirely dependent on it.

Venmo

Venmo could be the next big thing in mobile payment technology. Unlike Apple Pay and Google Wallet, Venmo isn’t used to pay merchants or retailers. Instead, it is used to send money between friends. Users download the app and set up a funding source, which could be their Venmo balance, a credit or debit card or a U.S. bank account. Then, they can send money to other Venmo users or even people who don’t use the app by providing phone number and email address details.

Despite the app’s simplicity and popularity, some security concerns have emerged. For example, Slate reported that one Venmo user was the victim of fraudulent transactions just under the weekly sending limit of $2,999 when malicious actors hacked his account. The victim said he wasn’t notified when another email address and mobile device were added to his profile or when multiple user settings were changed without his consent.

Venmo has now updated its security protocols to include multifactor authentication. If a sign-in attempt is made from a phone or browser that is not already linked to a user’s Venmo account, the company sends out an alert with a six-digit text code to the primary mobile number. In theory, this should prevent the situation described by Slate, since cybercriminals would need both user credentials and access to their mobile device.
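The device-binding rule described above, as an added example that is not Venmo’s code: a sign-in from a phone or browser not already linked to the account succeeds only after a six-digit code sent to the primary mobile number is confirmed, after which that device is treated as linked. Codes here are single-use, expire, and allow a bounded number of guesses; the five-minute lifetime, the three-attempt limit and the in-memory list standing in for the SMS gateway are assumptions, not details from the article.

```python
# Added example: a model of the device-binding step described above. Not
# Venmo's code. The five-minute code lifetime, three-attempt limit and the
# in-memory list standing in for the SMS gateway are constructed assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


class Account:
    def __init__(self, password, primary_phone):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.primary_phone = primary_phone
        self.trusted_devices = set()   # phones/browsers already linked
        self.pending = {}              # device_id -> [code, expires_at, attempts_left]
        self.sent_messages = []        # stand-in for the SMS gateway

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self.password_hash)

    def sign_in(self, password, device_id, now=None):
        """Returns 'ok', 'denied' or 'code_required'."""
        now = time.time() if now is None else now
        if not self.check_password(password):
            return "denied"
        if device_id in self.trusted_devices:
            return "ok"
        # Unrecognized device: issue a fresh six-digit code to the primary number.
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[device_id] = [code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.sent_messages.append((self.primary_phone, f"Your sign-in code is {code}"))
        return "code_required"

    def confirm_code(self, device_id, code, now=None):
        """Completes a pending sign-in; on success the device becomes trusted."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return "denied"
        expected, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[device_id]   # expired or exhausted: start over
            return "denied"
        if not hmac.compare_digest(expected.encode(), code.encode()):
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[device_id]
            return "denied"
        del self.pending[device_id]       # single use
        self.trusted_devices.add(device_id)
        return "ok"


def last_code_sent(account):
    # Demo helper: reads the code back out of the stubbed SMS gateway.
    return account.sent_messages[-1][1][-6:]


def run_demo():
    acct = Account("correct horse battery staple", "+1-555-0100")  # constructed
    pw = "correct horse battery staple"
    steps = [acct.sign_in("wrong password", "browser-A")]          # denied
    steps.append(acct.sign_in(pw, "browser-A"))                    # code_required
    real = last_code_sent(acct)
    wrong = "000000" if real != "000000" else "111111"
    steps.append(acct.confirm_code("browser-A", wrong))            # denied (bad guess)
    steps.append(acct.confirm_code("browser-A", real))             # ok, device now linked
    steps.append(acct.sign_in(pw, "browser-A"))                    # ok without a code
    steps.append(acct.sign_in(pw, "phone-B"))                      # new device: code_required
    return steps


if __name__ == "__main__":
    print(run_demo())
```

This is why the scenario Slate described is harder to repeat under such a rule: a stolen password alone gets an attacker only as far as `code_required`, and the code travels to the number the account owner controls. The same hook is also the natural place to raise an alert whenever a new email address or device is attached to the profile.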

Calling All Cards

Are mobile payment technologies safe? Mostly. Companies are making an effort to encrypt, tokenize and authenticate user credentials before allowing transactions to proceed, but no system is foolproof. Interest in these technologies is high, but they’re short on history, suggesting myriad undiscovered attack vectors. The bottom line? Both vendors and users are warming up to the idea of leaving cards at home and going mobile, but this is no sure thing; anything shared has the possibility of being stolen.
