It’s that time of the year again. Hackers, like malicious little elves, rub their hands with glee, with thoughts of targeting shoppers dancing in their heads. And consumers, intent on finding something special for each person on their list, furiously browse through merchandise in person and online.
More than ever before, consumers are completing purchases on their mobile devices, potentially opening themselves up to cybercriminals searching for stocking stuffers of their own.
Paying in cash, of course, is the safest way to protect personal and financial information while shopping. But cash lacks the delivery convenience and credit benefits of online shopping, including the accrual of miles, points, and cash-back rewards. And Deloitte’s holiday season report for 2017 says digital shopping is on the rise.
Of the more than 5,000 Americans Deloitte surveyed in September, 22 percent say they’ll use a mobile-wallet app to buy gifts, 40 percent expect to use a retailer’s app, and 36 percent plan to use a mobile-payment app such as Apple Pay, Android Pay, and Samsung Pay.
Mobile-payment apps are the most secure way to pay electronically, experts say. That’s because they don’t directly share credit card numbers with merchants. Instead, they create a one-time digital token for each transaction.
“Unlike a credit card number, even if the attacker is able to monitor this transaction and steal the token, the unique token is used only once, meaning the attacker won’t be able to use it to drain your account,” says Wendy Nather, principal security strategist at Duo Security, “and the bank can quickly identify the fraudulent charge based on the token number.”
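The single-use token mechanism described above, as an added example that is not from the article or any real wallet provider: a simplified issuer-side vault binds each token to one merchant and one amount, approves it once, and declines and alerts on any replay. The class name, merchant name and test card number are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class IssuerVault:
    """Issuer-side token vault (constructed model, not any real wallet's code).

    The real card number (PAN) never leaves this object; the merchant only
    ever sees the single-use token the wallet presents at checkout.
    """
    bindings: dict = field(default_factory=dict)  # token -> (pan, merchant, amount_cents)
    redeemed: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def issue_token(self, pan: str, merchant: str, amount_cents: int) -> str:
        """Wallet app requests a token bound to one merchant and one amount."""
        token = secrets.token_hex(16)  # unpredictable, so it cannot be guessed
        self.bindings[token] = (pan, merchant, amount_cents)
        return token

    def authorize(self, token: str, merchant: str, amount_cents: int) -> str:
        """Merchant's processor submits the token; the vault decides."""
        binding = self.bindings.get(token)
        if binding is None:
            return "declined: unknown token"
        if token in self.redeemed:
            # A token seen twice is the replay case: decline and record an
            # alert so the bank can spot the fraudulent attempt by token number.
            self.alerts.append(f"replay attempt: token {token[:8]}... from {merchant}")
            return "declined: token already used"
        _pan, bound_merchant, bound_amount = binding
        if (merchant, amount_cents) != (bound_merchant, bound_amount):
            self.alerts.append(f"binding mismatch: token {token[:8]}... from {merchant}")
            return "declined: token bound to a different merchant or amount"
        self.redeemed.add(token)
        return "approved"


def checkout_with_replay() -> tuple:
    """Legitimate purchase, then an eavesdropper replays the captured token."""
    vault = IssuerVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.issue_token(pan, merchant="ToyShopExample", amount_cents=4999)
    first = vault.authorize(token, "ToyShopExample", 4999)   # genuine charge
    second = vault.authorize(token, "ToyShopExample", 4999)  # replayed token
    return first, second, len(vault.alerts)
```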
But Pay apps face risks, says Shawn Kanady, principal security consultant of SpiderLabs at Trustwave, simply because they reside on your phone.
“While the application itself may be hardened, the majority of consumers are not using mobile protections on their phone, such as a PIN or password, to unlock…nor are they updating their mobile devices when prompted,” Kanady says. “This gives an attacker another gateway to your sensitive data, and some of these newer payment applications do not have the same alerting or monitoring features that the banks have to notify you when a fraudulent transaction may have occurred,” he says.
Kanady advises users to keep their smartphones current with the latest software updates.
Although the Pay apps can be used for in-person and online purchases, they don’t work for everyone, or everywhere. They require newer smartphones, plus support from the bank and the retailer—which is not always a given. And although peer-to-peer payment apps such as PayPal are more popular and accessible at this point, they aren’t quite as safe as their “Pay”-branded cousins.
PayPal, Venmo, Square, Facebook Payments, Google Wallet, and other similar services are set up to facilitate payments to both friends and merchants. To use a peer-to-peer payment app, you can link a credit card or bank information to your account, then authorize charges to other accounts. You can use them via a computer, smartphone, or in person via a card reader, and because they directly connect with financial institutions, they’re more broadly accepted.
Nather of Duo Security recommends sticking with well-known peer-to-peer payment apps, which generally have been under the watchful eye of security researchers for at least a couple years.
“And if you must use one, link it to your credit card rather than your bank account, so that you can dispute any charges,” she says.
Peer-to-peer payment services are still safer to use than direct payments to online merchants, says Dennis Egen, president of technology and security-consulting company Engine Room Technology, because they share credit card or bank information only with the payment service.
While these apps could be hacked into—Egen notes that PayPal has definitely had its share of breaches—they offer fraud protection similar to that of bank or credit card providers.
“As long as you are diligent with watching your accounts, these can be OK to use,” Egen says. You must be more diligent, he warns, if you link your payment app account to a bank account, which a successful attacker could drain.
At the bottom of the electronic payment safety list: credit cards and debit cards used on unprotected websites and apps. Consumers should avoid using debit cards altogether, Nather says, because of their direct connection to checking accounts.
“Keep your debit card at home,” she says. “It has the fewest consumer protections, as you may not be able to recover money stolen through fraud, depending on the policies of your bank.”
While retail purchases have become somewhat more secure since the adoption of credit card EMV chip readers, the chip technology is less effective in the United States than abroad—and it has little impact on online purchases, which come with legally mandated higher protections.
Under the Truth in Lending Act, a consumer’s maximum liability for an unauthorized use at retail is $50. For online fraud, it’s $0.