Is mobile payment technology secure? While companies such as Google, Apple and Venmo are racing to assure consumers their data is safe and sound, users aren’t convinced. As noted by TechTarget, just 3 percent of mobile phone owners in the United States accessed their mobile wallets in-store over the past three months. However, it isn’t all bad news for mobile payment developers, since 57 percent of consumers polled reported they were interested in these technologies. Are consumers just cautious, or are mobile payments not quite ready for mainstream adoption?
The Problem With Payment Technology
According to a recent Forbes article, some layers of the mobile payment process are secure. For example, near field communication (NFC) means no physical credit cards are necessary. However, there are other ways for malicious actors to get their hands on consumer data, and it all depends on the security of a vendor’s mobile payment product. The following is a look at how some of the big-name players stack up:
Available for iPhone 6 and iPhone 6 Plus users, Apple Pay uses a form of tokenization to protect consumer data. First, users send encrypted payment card details to Apple, which decrypts the data, identifies the card’s payment network and then re-encrypts the data with a key only the payment network can use. The network then creates a device-specific Device Account Number that is encrypted and sent back to Apple.
The device manufacturer does not keep a copy of the number, and while this data is added to the Secure Element of a user’s iPhone, it is kept separate from iOS, never sent to Apple servers or backed up in the cloud. The result is a reasonably secure payment method, since no real credit card data is ever sent via NFC, only a user’s unique payment number.
This isn’t to say Apple Pay is entirely problem-free. A recent ZDNet article reported that lapses in verification between Apple Pay and banks could make it possible for cybercriminals to link stolen credit cards to the system using card verification values gleaned from hacking online stores. While this isn’t a widespread problem, it points to a broader issue: No payment technology system is perfect.
Rolled out in 2011, Google Wallet offers similar functionalities to Apple Pay but hasn’t enjoyed the same scale of adoption. As noted by TechRepublic, setting up the Wallet is easy: Users simply download the app, create a PIN, link their favorite cards and then swipe their phone near a participating retailer’s NFC reader. The big difference comes from how Google stores data. The Wallet app stores credit and debit card information on secure servers and then encrypts this data using a Secure Socket Layer. Full credit card details are not shared with merchants and do not appear in the app, but unlike Apple, there is no use of tokens to bridge the gap.
For users who don’t feel comfortable using the Wallet app as a direct payment method, another option is the Google Wallet Card. This is a physical card linked to the Wallet app. Money can be added to the card via Wallet or Gmail transfers or by using a linked credit or debit card. Think of it like a hybrid form of mobile payment; it is linked to the app but not entirely dependent on it.
Venmo could be the next big thing in mobile payment technology. Unlike Apple Pay and Google Wallet, Venmo isn’t used to pay merchants or retailers. Instead, it is used to send money between friends. Users download the app and set up a funding source, which could be their Venmo balance, a credit or debit card or a U.S. bank account. Then, they can send money to other Venmo users or even people who don’t use the app by providing phone number and email address details.
Despite the app’s simplicity and popularity, some security concerns have emerged. For example, Slate reported that one Venmo user was the victim of fraudulent transactions just under the weekly sending limit of $2,999 when malicious actors hacked his account. The victim said he wasn’t notified when another email address and mobile device were added to his profile or when multiple user settings were changed without his consent.
Venmo has now updated its security protocols to include multifactor authentication. If a sign-in attempt is made from a phone or browser that is not already linked to a user’s Venmo account, the company sends out an alert with a six-digit text code to the primary mobile number. In theory, this should prevent the situation described by Slate, since cybercriminals would need both user credentials and access to their mobile device.
Calling All Cards
Are mobile payment technologies safe? Mostly. Companies are making an effort to encrypt, tokenize and authenticate user credentials before allowing transactions to proceed, but no system is foolproof. Interest in these technologies is high, but they’re short on history, suggesting myriad undiscovered attack vectors. The bottom line? Both vendors and users are warming up to the idea of leaving cards at home and going mobile, but this is no sure thing; anything shared has the possibility of being stolen.