Despite a surging popularity in mobile payments and near-daily breaches of popular online services, payment apps ranging from PayPal to Apple Pay have thus far managed to avoid widescale (or at least widely publicized) hacks.
That, of course, doesn’t make them immune.
Thanks to strong antifraud laws, consumer savings, checking, and credit card accounts are generally well insured against theft. But payment apps are still susceptible to attacks that can physically compromise and infect your smartphone with malware, take over your payment account, or steal your credit card number and use it elsewhere.
“If you’re loading stored value into an account, and that stored value gets wiped out, you might not be able to recover it,” cautions Julie Conroy, a data security and fraud expert, as well as research director for retail banking at Aite Group.
“When it comes to enabling mobile apps, security starts from the first click or download,” says Mary Ann Miller, a former PayPal executive now serving as an antifraud senior director at financial-services company NICE Actimize. “The risks are varied and complex, depending on the service being offered.”
“For the most part, designers aren’t thinking deeply about security systems because they don’t have the ability or resources to.”—Sarah Henry, user experience engineer
Payments facilitated via mobile apps and “contactless” taps of phones against point-of-sale devices are expected to reach $410 billion by 2020, according to a study by Javelin Research. And more than a third of U.S. smartphone users are expected to use peer-to-peer payment apps such as Venmo or Square Cash at least once a month by 2018.
When Apple Pay debuted, incidents of fraud followed close behind because the system made it easy to load a credit card number onto the phone—even one stolen from somebody else, such as in a credit card breach.
“Out of every $100 of transactions, $6 was fraud,” Conroy says. “Now we’ve seen a lot of registration fraud come down, but it’s still higher than most issuers would like.”
In addition to using a service such as HaveIBeenPwned.com to keep tabs on whether your personal information might have been swept up in a service breach, experts advise taking several steps to protect against threats related to payment apps.
Lock your phone
To reduce the risk of having your phone physically compromised, Kyle Marchini, a fraud and security analyst at Javelin Research, recommends to “always use a lockscreen,” and to consider switching from a password to a biometric log-in.
“If you’re authenticating with your voice or face, it’s harder for somebody who wants to steal your phone,” he says. And if your phone does manage to get lost or stolen, he recommends using an app to remotely wipe it, to further ensure that your accounts are secure.
Set up two-factor authentication
Because many payment apps, including PayPal and Venmo, have traditional Web interfaces to complement their apps, Marchini recommends protecting your accounts with two-factor authentication.
That’s not always an easy switch to flip. Security settings are rarely at the forefront of design concerns, says Sarah Henry, a user experience engineer who has worked on payment apps.
“Design builds trust. I trust Signal because I know the backstory, not because I understand PGP keys,” she says. But she cautions that making users feel safe is different from actually creating hard-to-hack systems.
“For the most part,” she says, “designers aren’t thinking deeply about security systems because they don’t have the ability or resources to.”
Download only trusted apps from trusted stores
Of course, consumers’ own priorities are often tied to how app design resources are allocated. While there is evidence that adoption of contactless payment “wallets,” such as Apple Pay, Android Pay, and Samsung Pay have stalled, respondents to a survey said security concerns weren’t among their reasons for not using the them.
Mobile malware is more of a threat in Eastern Europe and Asia than it is in the United States right now, Marchini says, with most of it downloaded from third-party app stores and designed to look like legitimate, popular apps like Pokemon Go or major banking apps.
So stick to highly rated—or personally recommended—apps from your devices’ native app stores, such as Apple’s App Store or Google’s Play.
“Anytime you have a popular app released for a single geographic area or operating system, you see mobile malware flood the market,” he says.