Apple Pay, Android Pay, Samsung Pay and similar mobile services might be safer to use than consumers tend to think.
“I think customers should feel as comfortable or more comfortable using those services as they do any other payment method,” said Dawn Colegrove, vice president of payment services at Georgia Credit Union Affiliates.
These apps are called mobile wallets and tech companies made a big deal out of them when they began to roll out in 2014. Apple and Samsung execs touted the convenience of tapping your phone to pay at your favorite stores. No cash or plastic required.
Despite its convenience, the trend has been slower to catch on with customers.
By the end of 2016, 85 percent of smartphone users still weren’t using them to pay for purchases, according to a Consumer Reports article. And the Federal Reserve’s 2016 Consumers and Mobile Financial Services report found that 67 percent of those users were too afraid the new apps weren’t safe.
Mobile wallets are still in their infancy, but so far the facts don’t support consumers’ fears.
Physical cards swiped through a terminal directly use a customer’s banking information to complete the transaction. Over the years, savvy criminals have learned to create skimmers, small devices that can scan cards and store that information for later use, according to an article on Investopedia.
But Colegrove said that’s less of a danger with mobile wallets.
“One of the important pieces of mobile wallet transactions is that they use tokenization,” she said. “And that actually replaces that clear card number that’s often being compromised at merchants. So, that makes it more secure.”
When a consumer scans her Apple Pay or Samsung Pay app at a store, the apps create tokens. These ‘tokens’ are one-time, random codes consisting of 15 or 16 digits. They look and work like credit card numbers, but they’ll be useless if stolen.
The tokens are sent to the banks, where they’re decrypted and the payment authorized.
That portion of the mobile apps aren’t unique. The same sort of tokens are created by newer credit and debit cards with E.M.V chips which are inserted into machines at retailers.
The mobile apps just do it faster.
And those apps are harder for thieves to crack into if the physical mobile device has been lost or stolen than credit cards would be. A quick thief can pick up a lost card, use its chip and drop it again before the victim realizes the cards are gone.
But most mobile consumers lock their smart phones. Some require passcodes, thumbprints or even facial recognition to open. That gives victims more time to deactivate any accounts they have on a stolen mobile device.
Colegrove said most mobile payments also require biometrics — like a thumbprint — to complete a transaction.
“It’s also varifying the consumer’s identity that way,” Colegrove said. “So putting financial information into a phone and using it that way should be more secure.”
Still, tech safety experts point out that customer’s financial information are still stored in their phones if they’re using mobile wallet – and those phones aren’t impossible to hack. The Register, a technology news source in the U.K., interviewed a security researcher at the University of London named Steven Murdoch.
Murdoch said it could actually be easier for technologically-savvy thieves to steal financial information from mobile phones, especially if those phones are “running software from potentially dubious sources.”
The Register article points out most major mobile companies have safeguards against those kinds of dangers. But some do it better than others. Apple updates its software promptly and uses iOS Secure Enclave. Android phones tend to delay their security updates and doesn’t tend to make good use of hardware security features, according to the Register article.
Colegrove said she’s less concerned right now about the safety of making payments with mobile wallets — and more concerned about the ease with which criminals can make fake mobile wallet accounts with identities they’ve already stolen.
“There are a lot of security measures around that — a lot of questions that are asked and a lot of items that are verified to authenticate that the person is who they say,” Colegrove said. “But if the person has committed identity theft prior to this and has enough information about the victim, they potentially could register a card into a mobile wallet.”
Colegrove said financial institutions were seeing a lot of fraud during the authentication process associated with mobile wallets when they first rolled out. Criminals were even calling financial institutions posing as their victims to try to fish for more information they could use to register a mobile wallet.
But she said she’s seen that threat diminish over the years.
“Financial institutions have learned,” Colegrove said. “Also we’ve had some very large data breaches where it has been very obvious that credit bureau data has been compromised. So the credit unions and other financial institutions have tightened up what they’re authenticating and validating.”
American consumers have been learning, too. Experts expect the average customer in the United States to feel increasingly comfortable with mobile wallets in the coming years. According to data from a BI Intelligence report compiled in 2016, the volume of mobile in-store payments made by Americans should reach $503 billion by 2020. That’s up from $75 billion in 2016.
In fact, Americans are expected to use mobile wallets more frequently than credit or debit cards by 2020, according to statistics from WorldPay compiled by BlueSnap.
Colegrove said she believes that’s a positive step toward financial security. But she advised that consumers always remain vigilant about their money no matter what kind of payment they’re using.
“The big thing — the same as when you’re using a card or any other payment method — is to check your account often. Very often,” Colegrove said. “If you see anything unusual, contact your financial institution. Let them know. Get it looked into.”