Mobile Payment Security Threats and Challenges
Driven by the popularity of smartphones, mobile payments have grown exponentially over the last few years. Smartphone users are expected to increase by 2 million every year, and worldwide mobile payment revenue is forecast to grow at a compound annual rate of 30%, reaching $12.06 trillion by 2027.
As fraudsters become more and more advanced, now is the time to familiarize yourself with how to protect your personal information across all forms of technology. Just like how it’s important to use good security safeguards when making purchases online, you should pay just as much attention to mobile payment security threats and challenges.
How to ensure payment security
The mobile payment space has accelerated rapidly. To protect yourself, start by learning secure payment practices for your mobile devices, not just for your desktop browser. To help you get started, this guide covers:
- What constitutes a mobile payment and how do they work?
- Mobile payment security measures (tokenization and encryption)
- Are mobile payments actually secure?
- Top mobile payment security threats and challenges
- Products and features that protect from mobile security threats
- In-app payment security practices
- Which mobile payments are the most secure?
- The future of mobile payments
Armed with this guide, you can feel more confident about protecting yourself when making purchase decisions on your phone and combatting mobile payment security threats and challenges.
What are mobile payments, and how do they work?
“Mobile payments” refers to every form of payment made through your mobile device: purchases in a mobile browser, digital wallets, mobile money transfers, in-app purchases, and tap-to-pay (contactless) payments at point-of-sale (POS) terminals in brick-and-mortar stores.
In-store mobile payments use Near-Field Communication (NFC), a short-range radio technology that lets a phone and a payment terminal exchange data when they are a few centimeters apart. Browser and in-app purchases do not involve NFC; they travel over the internet like any other online checkout.
When you pay contactlessly, you hold your phone near the POS terminal and NFC establishes a connection between the two. The wallet app sends the payment data (a token standing in for your card number, plus a one-time transaction code) over that short-range link to the terminal. Before or during this step the phone asks you to confirm with a passcode, fingerprint or face scan. The merchant forwards the data through its payment processor to the card network and your bank, which approves or declines the purchase, and the money is then transferred from your account to the merchant.
Mobile payment security measures
Like traditional card processing, mobile payments add security measures to counter the top threats. The following are two safeguards that payment networks, wallet providers and device makers use to mask and protect sensitive cardholder data:
Tokenization replaces sensitive debit or credit card data with a stand-in value called a token. It comes up most often in the context of contactless payments. When you add a card to a mobile wallet, a token service provider (the card networks, such as Visa and Mastercard, run these) issues a substitute 16-digit number for that card on that device and keeps the mapping to the real card number in a secure vault. The token is of limited use on its own: it is bound to the device and channel it was issued for, and each payment also carries a one-time cryptogram generated by the phone, so a token captured during one transaction cannot simply be replayed for another.
During a contactless payment the wallet transmits the token and cryptogram over NFC to the terminal. The merchant passes this data through its processor to the token service provider, which checks the cryptogram, looks up the real card number in its vault and forwards the authorization to your bank, which approves the transaction in a few seconds. The merchant's systems never see your actual card number.
Encryption, unlike tokenization, does not substitute the data; it scrambles it with a secret key so that only parties holding the key can read it. Mobile devices rely on encryption, of the storage and of traffic in transit (TLS), to keep your data from falling into the wrong hands. Without the right decryption key, data at rest is inaccessible even if the storage chip is removed or placed into a different machine. This is why the lock-screen passcode matters: on current phones it is what unlocks that key.
Most current phones ship with storage encryption enabled by default, but confirm this before purchasing any device, and remember that it only protects you if a lock-screen passcode is set.
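To make the tokenization flow above concrete, here is an added example (not code from this page, from Visa or Mastercard, or from any wallet vendor) that models the three parties in Python: the wallet on the phone, the merchant terminal, and the token service provider that keeps the vault. The names TokenServiceProvider, Wallet, make_cryptogram and the HMAC-SHA256 construction are assumptions for the illustration; the real EMV cryptogram is built differently. The example shows the two properties that matter for the skimming scenario discussed later: the merchant never sees the real card number, and a captured token plus cryptogram cannot be replayed or altered.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def luhn_check_digit(body: str) -> str:
    """Luhn check digit so the token passes the same format checks as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_cryptogram(device_key: bytes, token: str, atc: int, amount_cents: int, merchant_id: str) -> str:
    """One-time transaction cryptogram (HMAC stand-in for the EMV cryptogram). It binds the
    token to a counter, an amount and a merchant, so it is useless anywhere else."""
    msg = f"{token}|{atc}|{amount_cents}|{merchant_id}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class TokenRecord:
    pan: str
    device_key: bytes
    last_atc: int = 0  # highest application transaction counter accepted so far


class TokenServiceProvider:
    """Constructed model of the network's token vault (the role Visa/Mastercard play)."""

    def __init__(self) -> None:
        self._vault: Dict[str, TokenRecord] = {}

    def provision(self, pan: str) -> Tuple[str, bytes]:
        """Enrollment: issue a device-bound token and a per-device key, keep the real PAN."""
        body = "4" + "".join(secrets.choice("0123456789") for _ in range(14))
        token = body + luhn_check_digit(body)
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan=pan, device_key=key)
        return token, key

    def detokenize(self, msg: dict) -> Optional[str]:
        """Validate cryptogram and counter; the real PAN goes only to the issuer path."""
        rec = self._vault.get(msg["token"])
        if rec is None:
            return None
        expected = make_cryptogram(rec.device_key, msg["token"], msg["atc"],
                                   msg["amount_cents"], msg["merchant_id"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return None  # tampered or forged
        if msg["atc"] <= rec.last_atc:
            return None  # replay of an already-used cryptogram
        rec.last_atc = msg["atc"]
        return rec.pan


class Wallet:
    """The phone side: holds only the token and the device key, never the PAN."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token, self._key, self._atc = token, device_key, 0

    def tap(self, amount_cents: int, merchant_id: str) -> dict:
        """What NFC carries to the terminal for one payment."""
        self._atc += 1
        return {
            "token": self.token,
            "atc": self._atc,
            "amount_cents": amount_cents,
            "merchant_id": merchant_id,
            "cryptogram": make_cryptogram(self._key, self.token, self._atc, amount_cents, merchant_id),
        }


def demo() -> dict:
    """One honest payment, then the two things a skimmer at the terminal could try."""
    tsp = TokenServiceProvider()
    real_pan = "4111111111111111"  # constructed sample card number
    token, key = tsp.provision(real_pan)
    wallet = Wallet(token, key)

    msg = wallet.tap(1999, "store-42")          # the merchant sees this and only this
    first = tsp.detokenize(msg)                 # issuer-side authorization succeeds
    replay = tsp.detokenize(msg)                # same capture sent again: counter already used
    forged = tsp.detokenize(dict(msg, amount_cents=199999))  # cryptogram no longer matches
    next_tap = tsp.detokenize(wallet.tap(500, "store-42"))   # a fresh tap still works
    return {
        "merchant_saw_pan": real_pan in msg.values(),
        "first_authorized": first == real_pan,
        "replay_rejected": replay is None,
        "tamper_rejected": forged is None,
        "next_tap_authorized": next_tap == real_pan,
        "token_luhn_valid": luhn_check_digit(token[:-1]) == token[-1],
    }
```

Running demo() returns a dictionary of checks, all true except merchant_saw_pan, which is false: the terminal only ever handled the token. The counter check is what defeats a replayed capture, and the HMAC binding to amount and merchant is what defeats altering one.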
Are mobile payments secure?
The short answer is, generally, yes.
Despite the rapid growth in mobile payments, there is still a predominant sense of uncertainty when it comes to the actual security of transferring and making payments through mobile devices.
According to a recent Pew survey, US consumers were more likely to believe that mobile payments are “poorly protected” than payments made with prepaid, debit or credit cards. Even for mobile payments backed by a credit card, only 35% of consumers said they were well protected, compared with purchases made with the credit card on its own.
This uncertainty is understandable.
Ironically, mobile payments can be more secure than card-present payments, provided the safeguards above are in place. Because tokenization and encryption are built into the major wallets and payment networks, a mobile payment typically carries more protection by default than a swiped or keyed-in card number.
Say you’re paying at a convenience store and can choose between your physical credit card and a mobile wallet. If a bad actor had compromised the store’s POS system or attached a skimmer, swiping your card hands them the card number from the magnetic stripe, which they can reuse. If you pay with the mobile wallet instead, all they capture is a token and a one-time cryptogram, which cannot be replayed and does not reveal your real card number. Consider that next time you’re shopping in person.
Top mobile payments security threats and challenges
The biggest challenges and threats to mobile payments fall under these categories:
Lost or stolen devices
Losing a device or having it stolen happens more often than you might think. An estimated 70 million smartphones are lost each year, with only 7% of them recovered. And these days, smartphones act a lot like wallets since users store almost everything on their devices, from contact names, addresses, passwords, online banking apps, and mobile wallets. If your phone isn’t properly protected, you risk having all of this private information stolen or leaked. We’ll cover more on how to ensure your mobile device has all of the security measures needed should you ever lose your phone.
Using public and unsecured Wi-Fi
Two distinct threats get lumped together as “online skimming”. The first is web skimming: fraudsters inject malicious code into a shopping site’s checkout page so that card numbers, CVV codes, expiration dates and more are copied to them as you type. This happens on the merchant’s site regardless of which network you are on, and once injected the code is difficult for the merchant to spot, leading to unexpected or undetected fraud. The second is network interception: on an open or poorly secured Wi-Fi network, anyone on the same network (or running the access point) can observe or tamper with unencrypted traffic and can try to redirect you to look-alike pages. HTTPS blunts the second threat for properly built sites, but does nothing against the first.
With that said, any time you are accessing private information such as bank details or making mobile payments online, make sure you are on a network you trust first. Below are a few ways to make sure you are using a safe network:
- Keep firewalls on. A firewall builds a barrier between your network and unauthorized connections. Your home router and your laptop’s operating system both include one; leave them enabled. A firewall complements antivirus software rather than replacing it, since the two address different threats.
- Turn off WPS (Wi-Fi Protected Setup) on your router. WPS is the push-button or PIN feature that lets devices join your network without typing the Wi-Fi password. It is convenient when you have many devices, but the PIN method can be brute-forced in a matter of hours, handing an attacker your network key.
- Use a VPN (virtual private network). A VPN encrypts all traffic between your device and the VPN provider’s server, so the operator of a public network cannot read or tamper with it. It is a must-have on public Wi-Fi, with two caveats: it shifts that trust to the VPN provider, and it does nothing against a phishing site or a skimmed checkout page, which are attacks on the destination rather than on the network.
Late security updates
Users tend to delay software and mobile updates, which leaves them exposed to shifting mobile payment security threats. Each update typically includes security fixes and bug fixes built to close the latest known vulnerabilities. Despite this, according to a study in the Journal of Cybersecurity, only 54% of participants actually updated their software, and 65% of those updates were delayed.
In 2017, roughly a quarter of a million Windows computers around the world were infected with the “WannaCry” ransomware. Victims were locked out of their files, and the only way offered to regain access was to transfer $300-$600 worth of Bitcoin to the fraudsters. The vulnerability WannaCry exploited had been patched two months earlier, so the infection could have been wholly prevented had the affected machines been updated on time.
Software updates can sometimes take a while to complete, but it’s in your security’s best interest to run them as soon as you can. Apply them promptly across all your devices, including tablets and laptops, so that malware on one device cannot spread to another.
Phishing scams
Fraudsters can easily run phishing scams on mobile devices. If you get a suspicious email, check the sender’s address, the formatting, spelling errors and other red flags, and if something seems off, don’t click anything. Bad actors take advantage of small mobile screens, where the full sender address and link destination are often hidden, to disguise malicious links and pop-ups.
Mobile phishing also comes as text messages (“smishing”) and app notifications. If you get a text with a link from a sender you don’t recognize, don’t tap it; delete it. Tapping a malicious link can lead to a fake login page that harvests your password or, on some devices, download malware onto your phone. When in doubt, open the bank’s or service’s app directly instead of following the link.
Weak passwords
The most common way fraudsters get hold of private information is through weak or reused passwords. For every account accessible from your mobile device, use a password manager with a built-in generator, such as 1Password, so that each password is long, random and unique. And, of course, never carry your phone around unlocked.
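The red flags described above can be checked mechanically. The following is an added example, not code from this page or from any phone vendor, that scores a text message or notification the way a simple smishing filter would: it pulls out each link, flags a missing HTTPS, raw IP hosts, punycode labels, URL shorteners, look-alike spellings of a brand, and the classic trick of putting a brand name in a subdomain of some other domain, then adds points for pressure language in the body. The brand list, shortener list, phrase list and the sample messages are all constructed for the demo; the registrable-domain logic is deliberately naive (last two labels) and a real deployment would use a public-suffix list.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Constructed brand list for the demo; load the brands you actually use in practice.
KNOWN_BRANDS = {"paypal", "venmo", "apple", "google", "chase"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URGENCY_PHRASES = ("suspended", "verify now", "immediately", "locked", "within 24 hours", "act now")
# Character swaps fraudsters use to make a domain read like a real brand on a small screen.
LOOKALIKE_SUBS = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize_label(label: str) -> str:
    """Undo common look-alike substitutions so 'paypa1' compares equal to 'paypal'."""
    out = label.lower()
    for fake, real in LOOKALIKE_SUBS:
        out = out.replace(fake, real)
    return out


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Naive on purpose; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url: str) -> List[str]:
    """Return the reasons a single link looks like phishing (empty list means no red flags)."""
    reasons: List[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]

    if parsed.scheme.lower() != "https":
        reasons.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a domain")
    if any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("punycode label (IDN homograph risk)")
    if reg in SHORTENERS:
        reasons.append(f"shortener {reg} hides the real destination")
    if reg_label not in KNOWN_BRANDS and normalize_label(reg_label) in KNOWN_BRANDS:
        reasons.append(f"look-alike domain {reg}")
    # A brand name in a subdomain or path of some other registrable domain is the classic
    # 'paypal.com.secure-login.xyz' trick: the part you read first is not the part that counts.
    outside = host[: len(host) - len(reg)] + parsed.path.lower()
    for brand in sorted(KNOWN_BRANDS):
        if brand in outside and reg_label != brand:
            reasons.append(f"brand '{brand}' appears outside the registrable domain {reg}")
    return reasons


def assess_message(text: str) -> Dict[str, object]:
    """Score one SMS/notification: red flags per link plus pressure language in the body."""
    lowered = text.lower()
    links = {url: assess_url(url) for url in URL_RE.findall(text)}
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    score = sum(len(r) for r in links.values()) + len(urgency)
    return {"links": links, "urgency": urgency, "score": score, "suspicious": score >= 2}


# Constructed sample messages: two phishing attempts, two legitimate notifications.
SAMPLES = [
    "Apple: Your Apple ID has been locked. Verify now: http://appleid.com-verify.xyz/login",
    "Your PayPal account is suspended. https://paypa1.com/restore",
    "Your Venmo verification code is 482913. It expires in 10 minutes.",
    "Chase: view your statement at https://www.chase.com/statements",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess_message(sample)["suspicious"], sample)
```

The first two samples score as suspicious (the Apple one on four counts, the PayPal one on the digit-for-letter swap plus “suspended”), the last two score zero. The threshold of two is arbitrary; what the example shows is that the link’s registrable domain, not the text you see, is the thing to judge.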
Products and features that protect from mobile security threats
In addition to what you should watch for when making mobile payments, there are products and features you should add to your security toolkit.
How to make sure your phone is secure
Beyond regular software and security updates, there are a few options you can enable on your mobile device for added security.
- Enable the lock-screen security features. Beyond the passcode itself, use the other features most phones offer, such as face recognition, iris scan and fingerprint unlock. Keep in mind that biometrics are a convenience layered on top of the passcode, not a replacement for it, so choose a passcode longer than four digits.
- Set up 2FA. Two-factor authentication (2FA) prompts you to verify your identity in two different ways, usually an account password plus a code from an authenticator app, or a code sent to an email address or phone number. 2FA makes it harder for attackers to get into an account because a stolen password alone is not enough. Codes from an authenticator app or a hardware security key are stronger than codes sent by SMS, which can be intercepted through SIM-swap fraud. Turn 2FA on for every account your mobile device is linked to, including email, sensitive work documents and financial accounts.
- Set up Find My (iPhone) or Find My Device (Android). If your phone is lost or stolen, you can use it to locate, lock or erase the device. If you suspect the phone has been stolen, act immediately: lock and wipe it remotely, freeze or close your cards, and change the login details on all high-stakes accounts connected to the phone.
- Familiarize yourself with the anti-theft protections you are entitled to. As reported by the FCC’s Technological Advisory Council (TAC) in 2018, under the wireless industry’s anti-theft commitment, phones manufactured after 2015 let users:
- Remotely wipe the authorized users’ data (such as contacts, photos, and emails) from the smartphone if lost or stolen.
- Render the smartphone inoperable to an unauthorized user, such as locking the smartphone so it can’t be used without a password.
- Prevent reactivation and any kind of hard resets without the authorized user’s permission.
- Reverse inoperability if the smartphone is recovered.
Most phone makers build these into their products to counter common mobile payment security threats. On an iPhone, you can enable “Lost Mode” through Find My. Lost Mode locks the iPhone (and your other Apple devices) so that others can’t access your personal information, and displays a phone number and a message on the screen so that whoever finds it can contact you and do nothing else. If you hadn’t set a passcode, Lost Mode lets you set one remotely so the phone cannot be unlocked. Likewise, on Android you can use Find My Device (formerly Android Device Manager) to locate, lock or erase a lost or stolen phone.
Use a virtual card when shopping on mobile (plus a travel hack!)
Spur-of-the-moment situations, whether you are buying tickets at the last minute or checking your bank account on the go, are exactly when you are most likely to be on an untrusted network and least likely to check before paying, and that is when online skimming catches people.
If you need to make an emergency purchase while on unsecured Wi-Fi, we strongly suggest using a secure virtual card like the ones offered by Privacy. You can generate a virtual card on the go and create a Single-Use Card that automatically closes two minutes after the transaction goes through.
For example, say that you are traveling abroad and in need of buying train tickets while on the move. When connected to the public wifi, simply go into your Privacy app, generate a card, and use the one-time number at checkout. If a bad actor somehow gets a hold of this information, they won’t be able to access this payment method. You will even be notified if someone attempts to do so.
We also recommend using this strategy for all of your mobile purchases. Consider designating Privacy Cards strictly for your phone purchases via apps and online.
Practice online shopping safeguards, even on mobile
Follow the same online shopping security practices as you do when making purchases online. Mobile payment security threats occur just as frequently through purchases that are made on a mobile web. Refer to our guide that covers all the basics you need to know to prevent online shopping fraud, including mobile purchases.
In-app payment security practices
Apps are a common place that bad actors access. If you are making purchases through an app, follow these guardrails:
- Use a trusted platform and conduct due diligence. If you are going to add payment information to your smartphone, always make sure that you’re using the most updated version of a trusted third party vendor. Read through the privacy policies, make note of how many times the app has been downloaded, read the reviews to learn about other users’ experiences, and make sure that the permissions that you are granting the app are appropriate to what you are using it for. For instance, there’s no need for a banking app to have access to your text messages.
- Set up payment notifications across all your apps. App notifications can be annoying for some, but not when it comes to your payments. Once enabled, you can be alerted each time a transaction is made. And if it’s unauthorized, you can handle it immediately. Similarly, if you are sending money to a friend, you can quickly confirm whether the transaction went through or not.
- Enable automatic app updates. Similar to making sure that your mobile device software is up to date, automatic app updates will activate each time the relevant app is upgraded with security enhancements and bug fixes. This is an easy way of managing your apps and making sure that evolving mobile payment security threats are addressed.
- Use QR codes when possible. For peer-to-peer money transfers, scan or look up the recipient’s QR code instead of typing a username. It’s not uncommon for scammers to impersonate someone you know by copying their profile picture and creating a similar username. Against typos, duplicate fraudulent accounts and phishing accounts, the QR code makes sure the payment goes to the account whose code you scanned, not to a look-alike.
- Hide your transaction activity. Some payment apps thrive on the social connectivity between friends and your community. For example, on Venmo, you can see transaction activity between your friends, and even engage with them with likes and comments. However, to stay vigilant, we recommend that you hide your footprint, including your friends lists. Not everybody needs to see your business - and in the long run, you will be protecting yourself and your contacts from any malicious outside parties.
What mobile payments are the most secure?
There are a variety of different mobile payment options available, but these are the most popular:
- Apple Pay
- Google Pay
If data privacy is your biggest concern, choose apps from Apple or Google in general. Separately, if avoiding sending money to the wrong person is a higher priority, select payment apps that let the recipient use a QR code or shared link, such as PayPal, Square, or Venmo. Regardless of which payment method you choose, each has its pros and cons when it comes to fighting mobile payment security threats.
Across the board, all the listed apps run a bug bounty program, which pays security researchers who report exploitable vulnerabilities so that flaws are fixed before fraudsters find them, and each offers a way for users to report scams. Additionally, every app has a passcode lock to prevent unauthorized users from initiating a payment. If a bad actor got hold of your phone, they wouldn’t be able to use the app without your passcode or biometrics.
On the flip side, unfortunately none of the apps offer compensation for fraud losses on personal transactions. If you accidentally fall for a scam, for example, there generally is not much you can do to recover your losses from the company behind an app.
When it comes to data privacy, all of these payment apps share some level of personal information with third parties, such as banks or fraud-monitoring services. However, Google and Apple generally do not go beyond what is required for transaction approvals. Others like Square, Venmo, and Zelle do sell data for marketing purposes, so you may want to keep that in mind when you’re making transactions using these services.
The future of mobile payments
As consumers have quickly adapted to an environment where cash is no longer king, the rise of mobile payments will undoubtedly continue to develop and accelerate. The convenience and accessibility they bring will ensure that they remain a consumer staple.
Beyond mobile wallets, contactless payments, and the rise of smartphone apps, other alternative payment platforms will begin to be more widely accepted, such as cryptocurrency. In fact, according to a Deloitte survey, 75% of US retailers plan to accept payments in crypto within the next two years. Several NFL athletes have already accepted crypto over cash salaries, and a region in Switzerland even accepts Bitcoin and Ethereum as tax payment methods. Mobile payments are just the tip of the iceberg of how consumers will be able to make payments in the future.
As fraudsters become more tech savvy, it’s important to practice all the security safeguards needed when making purchases online, through phone, and via alternative payment methods. Mobile security threats and challenges will continue to evolve as fraudsters continue to become more nimble. Armed with the right practices and knowledge, however, you can feel secure when making all of your purchase decisions.
Mobile security checklist
We covered a lot in this guide, so we created a quick checklist to ensure that you are properly protecting yourself from mobile payment security threats and challenges.
- Set all security passwords on your phone - including phone lock, face recognition, and fingerprint accessibility, if available. If your phone is lost or stolen, your data is protected.
- Make mobile payments only on a Wi-Fi network you trust. If you absolutely need to make a purchase when you are not on a secured network, consider using a virtual card provider, such as Privacy, that has a Single-Use payment option. As soon as the transaction goes through, the card automatically closes so it cannot be used anywhere else.
- Make sure that all of your mobile devices have the latest software update installed.
- Be wary of phishing scams. If you see a sketchy email or text from an unrecognized user, do not click into it and delete immediately.
- Use a password manager with a built-in generator for all accounts your mobile device is connected to.
For your phone:
- Double check that all security features have been enabled.
- Set up 2FA on all accounts that are connected to your mobile device.
- Enable Find My (iPhone) or Find My Device (Android).
- If you have an iPhone, use “Lost Mode” if your phone has been lost or stolen. On Android, use Find My Device. Regardless of device type, understand that the anti-theft protections described above (remote wipe, remote lock, reactivation lock, and reversal on recovery) are available to you on any phone made since 2015.
For phone apps and in-app purchases:
- Do proper due diligence on payment apps you’re looking to download. Things to check include the privacy policies, how many times it has been downloaded, and reviews. Only enable access to data to pieces that are appropriate for the app.
- Turn on payment notifications. Confirm every time a transaction has gone through, and be notified immediately if a payment is unauthorized.
- Enable automatic app updates. Similar to device updates, make sure that your apps are up to date with the latest security protocols and bug fixes.
- For peer-to-peer payment apps, use the recipient’s QR code to look them up. Typos happen, and scammers commonly create look-alike duplicate accounts. Scanning the QR code makes sure you are sending the transaction to the account you intend to.
Cited information, research, and links in this piece are current as of 6/30/2022.