The ease of using mobile payment apps like Venmo and Square Cash has made carrying cash a choice, rather than a necessity. But as convenient as they may be, there are risks involved with giving third-party apps like these full access to your digital wallet.
Each of these apps has already been proven susceptible to fraudsters. Ever wonder what happened to all that user information that was stolen in those giant data breaches at Target and Home Depot last year? A new report shows that hackers used some of it to find a clever way around Apple Pay’s fingerprint-protected system. They simply used the stolen identities and credit card numbers to set up entirely new iPhone and Apple Pay accounts and then purchased expensive products, mostly from the Apple store.
And last week, Venmo’s chief security officer apologized to customers for the PayPal-owned company’s lackluster efforts to respond to customer complaints about fraudulent transactions. The letter was in response to a report on Slate.com in which a Venmo customer claimed someone hacked his account and was able to transfer $2,850 from his bank account. While his bank, Chase, quickly refunded his money, he waited nearly two days for a response from Venmo’s support team. Even CurrentC, the mobile payments startup backed by a consortium of big retailers, had to alert beta users that some of their email addresses had been accessed by hackers last fall.
“I grew up in an era 20 years ago when you handed people checks, which had your bank account number, your name, phone number, even Social Security number on it sometimes,” says Jim Bruene, founder of Finovate, an international financial and banking technology conference. “E-payments solved that problem, but they have created new ones along the way. It’s this constant battle between making new improvements to security and crooks catching up to them.”
A weary consumer could look at headlines like these and swear off mobile payment apps for good. But let’s face it: Even before teenagers were splitting dinner bills on their smartphones, there never really has been a 100% risk-free way to manage cash.
“There are always going to be growing pains with these new apps,” says Shaun Murphy, a former Department of Defense communication systems and security expert, who co-founded data security firm Private Giant in 2012. “As consumers, we want things to work right away... but there are [vulnerabilities] that you don’t necessarily know about until after a product launches.”
These newer free money transfer apps are meant to make it easy to send a friend that $30 you owe her for dinner last night. You connect the app to your bank account, debit card or credit card account, and send the money to the recipient. They’re a nice alternative to traditional money transfer tools offered by banks like Chase, Wells Fargo and Bank of America, which only allow instant transfers if both parties are account holders at the same bank. Otherwise, transfers can take a few days to process.
There are basic ways to add extra layers of protection to your financial information when using mobile payment apps. We asked Murphy for a few guiding principles.
Sign up for two-factor authentication, if the app offers it. Two-factor authentication requires the user to log in to the app with their password and then enter a unique code sent via text message to their mobile phone. Unfortunately, this extra step kind of ruins the whole “super easy and convenient” factor that makes payment apps so appealing. Neither Venmo nor Square Cash offers two-factor authentication, but given the current scrutiny over their security practices, this is a feature that might be added in the future. Google Wallet does ask users to verify their identity by punching in a code sent to their mobile device the first time they transfer money and anytime they sign into the service from a new device.
Only purchase apps from official app stores. It’s common for fraudsters to create fake apps that look legit and market them on the web in emails or social media. Don’t download any apps unless you’re shopping in an official store, like the iTunes or Google Play stores. Android users are particularly vulnerable to these kinds of scams, Murphy says.
Secure the device itself. No matter how secure your apps are, it means nothing if a thief can access your device. At the very least, set up a PIN and, for another layer of security, record your fingerprint if you have an iPhone. Murphy also suggests checking your phone’s privacy settings to ensure that all the stored information is encrypted by default.
Link apps to your credit card accounts rather than to debit card and bank accounts. Credit card users almost always have zero fraud liability, which means any funds you lose through fraudulent activity will be returned to you. It’s a lot worse if your bank account is hacked, since you may need that cash for immediate expenses like rent or bills and could wind up in trouble if you have to wait for a refund.
Use a trusted Internet connection. It might be time to invest in a bigger data plan, especially if you often find yourself using your phone’s Internet connection on the go. Relying on public wi-fi hotspots can put you directly in harm’s way, as they are a popular hunting ground for “man-in-the-middle” attacks, in which hackers intercept your information while you’re logged into public networks. Murphy suggests turning off wi-fi when you’re away from a trusted connection, such as at the airport or a coffee shop.
Ask for alerts when any transactions or account changes are made. Not all apps automatically send you alerts when you’ve sent or received a payment, so it’s important to adjust your settings to make sure alerts are activated. For example, you need to visit your settings tab in Venmo to turn on transaction notifications. You can also tell Venmo to set a lower limit for money transfers (currently, all Venmo transfers are capped at $2,900, although we’d recommend setting your limit much lower). Some banks and credit card companies also allow you to set up alerts for large transactions. Most apps send transaction notifications via text, email or push notification.
Make sure you’re transferring money to the right person. A 2014 MIT study found one major flaw in the way Venmo works: Because people select recipients of money transfers by selecting their username from a list of “friends,” it’s possible that hackers could trick them into sending money to the wrong people by simply mimicking the handles of their existing contacts. These so-called “social engineering” scams are the same kinds of maneuvers at play when you receive an email that appears legitimate -- say, from your cellphone provider -- telling you your account has been locked and you need to email your account information immediately to rectify matters. The best way to prevent situations like these, especially on money transfer apps, is to double-check the username with the friend you intend to pay and follow up to make sure they received the transfer, Murphy says. If they haven’t, report it to the app’s customer service department, stat.
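The handle-mimicry problem described above can also be checked mechanically. The following is an added example, not code from the article, the MIT study or any payment app: it flags a recipient handle that is not in your contact list but looks like one that is. The handles and the small confusable-character map are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small map of look-alike characters and separators.
# It does not cover cross-script homoglyphs (e.g. Cyrillic letters).
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "i": "l", "5": "s", "_": "", "-": "", ".": ""}
)


def skeleton(handle):
    """Reduce a handle to a form in which visually similar handles collide."""
    h = unicodedata.normalize("NFKC", handle).casefold()
    h = h.translate(CONFUSABLES)
    # Multi-character look-alikes: "rn" reads as "m", "vv" reads as "w".
    return h.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(handle, contacts):
    """Return ('known', handle), ('lookalike', contact) or ('unknown', None)."""
    if handle in contacts:
        return ("known", handle)
    sk = skeleton(handle)
    for contact in contacts:
        # Distance <= 1 catches one added, dropped or swapped character.
        # On very short handles this threshold produces false positives.
        if edit_distance(sk, skeleton(contact)) <= 1:
            return ("lookalike", contact)
    return ("unknown", None)


if __name__ == "__main__":
    contacts = ["jane-doe", "mike_rivers", "Anna.Lee"]  # constructed sample
    for h in ["jane-doe", "jane-d0e", "rnike_rivers", "anna.lee1", "bob_smith"]:
        print(h, check_recipient(h, contacts))
```

A "lookalike" result is the case to stop on: the handle is not your contact, but it would pass a quick glance at the friends list.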