New research numbers show that more than 25% of US smartphone owners use mobile payment apps at least once a month.
You may do all of your banking on a mobile app, or pay your credit cards with one or several. Maybe you even use peer-to-peer payment apps such as PayPal’s Venmo to pay the babysitter, or buy your morning coffee with the Starbucks app.
Apps like these make it convenient to manage all of your personal finances right in the palm of your hand. But would you still love your on-the-go convenience payment apps if they came at a steep price?
Well, actually, they do. No, we’re not talking about usage fees, though those certainly exist; we’re talking about risking your privacy and online security.
The truth is, mobile payment apps are way less secure than we’ve been led to believe. We’ve been trusting these apps with our most valuable and private information—bank account numbers, credit card security codes, etc.—but what if we’ve been living in a fool’s paradise this whole time?
Oh wait! We have…
What Do People See in Mobile Payment Apps Anyway?
A study from Barclays showed that 47% of credit card fraud around the world happens in the US, even though America represents only 24% of the global credit card volume.
Since credit card fraud is so rampant, it only makes sense that consumers want to store their payment information with secure, encrypted apps on their password-protected phones.
Apple Pay, for example, wants to virtually eliminate stolen credit card usage. Just hold your iPhone to the register’s pay terminal while keeping your fingerprint on Apple’s Touch ID technology sensor to confirm your identity. Even if someone stole your phone, they can’t steal your fingerprint.
Not having to pull out your wallet also saves a ton of time during check out.
The “Starbucks’ mobile app is the most used digital payment app in America. About 10 million customers pay for their lattes with the app, making more than 5 million transactions per week.”
Future Market Insights estimates the global mobile payment market to reach $2.8 trillion by 2020. But this can’t happen unless the security of these apps gets a serious upgrade.
Don’t Laugh at How Vulnerable Mobile Payment Apps Are—Be Warned
Bluebox Security’s Payment App Security Study discovered high level flaws in over 10 mobile payment apps for both iOS and Android devices.
“Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite,” Andrew Blaich, lead security analyst at Bluebox Security, said.
The company won’t release the names of the apps they tested or the specific security issues they found so as not to jeopardize existing user accounts.
Another study tested 126 of the most popular finance and banking apps and FDA-approved health apps to gauge their privacy protection protocols. Researchers discovered that 90% of these apps were rampant with critical security risks identified by the Open Web Application Security Project.
Dubbed the Mobile Top 10, these risks are categorized as:
M1: Improper Platform Usage (e.g., platform permissions, misuse of features, etc.)
M2: Insecure Data Storage (leading to unintended data leaks)
M3: Insecure Communication (like incorrect SSL versions)
M4: Insecure Authentication (weakness in identity detection)
M5: Insufficient Cryptography (poor encryptions)
M6: Insecure Authorization (allowing hackers high-level role access)
M7: Client Code Quality (coding mistakes)
M8: Code Tampering (leaving the app vulnerable to hacker modification)
M9: Reverse Engineering (easy for hackers to figure out how the app works)
M10: Extraneous Functionality (safety functions hidden for testing that mistakenly got released)
Every single finance app tested had at least one of these risks. Another point to note: 100% of the tested iOS apps had at least three of these top risks, but only 59% of Android apps did.
As Patrick Kehoe, CMO at Arxan, writes for Security Intelligence, there are two categories of binary-based vulnerabilities that hackers love to exploit:
- Code Modification or Code Injection, which is when a hacker modifies a mobile app by injecting their own code into the app’s binaries (or the instructions the app uses to function), to reprogram the app to do anything they want, such as bypassing authentication protocols or disabling security code.
- Reverse Engineering or Code Analysis occurs when a hacker analyzes an app’s code and works backwards to unlock proprietary code, IP information, and supposedly-secure data.
Once a hacker knows how to copycat code, they can create dummy apps that trick customers into downloading malware and handing over their information unknowingly.
Unfortunately, there is no perfect mobile payment app.
“The focus largely in the mobile industry is to have a visually appealing app that can do what it needs to do, and if a security problem comes up, then they’ll figure a way of fixing it later,” Blaich commented.
So what does this mean for you?
What You’re Really Risking with Mobile Payment Apps
When more than 900 cybersecurity professionals were surveyed about mobile payments, 47% of them admitted that they are not secure and “carry significant perceived security risks.”
According to results from the ISACA, survey respondents believe the biggest threat to app security is:
- Use of public WiFi 26%
- Lost/Stolen passwords 21%
- Phishing via email/text 18%
- Weak passwords 13%
- User error 7%
Verizon’s Data Breach Investigations Report noted that 63% of confirmed breaches in financial services involved leveraging weak, default, or stolen passwords.
Since most people tend to repeat their easy-to-remember password, a hacker will have access to countless other accounts with just one password.
“Unfortunately, a lot of companies don’t realize just how vulnerable their apps are and what the potential is for leaking their customers’ personal information,” Gary Miliefsky, CEO of SnoopWall, a company that specializes in cybersecurity says.
The Clearing House, an advocacy group owned by the world’s largest commercial banks, collaborated on a report arguing that even though mobile payment providers are subject to data-security requirements, they’re not held to the more extensive regulatory oversight that banks have to comply with when it comes to cybersecurity.
Their point is that it’s easier for basic security flaws to go unnoticed until a breach actually happens and consumers suffer. Customers will already have their information stolen on top of their money disappearing. Some apps aren’t even FDIC insured so this money will never be recovered.
Blaich stressed that “security needs to be integrated early in the development process with threat modeling occurring at each step of the way to determine what is and is not a risk factor to ensure that the security gets built properly.”
Should You Stop Using Mobile Payment Apps to Protect Your Privacy?
When John Pironti, president of IP Architects, issued a press release announcing the findings of the ISACA security study, he made a point to explain that his members, “who are some of the most cyber-aware professionals in the world”, aren’t shying away from mobile payment apps.
“[They’re] using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption — and it shouldn’t — as long as risk is properly managed and effective and appropriate security features are in place.”
Follow these tips to protect yourself and minimize your risk of becoming a victim of cyber fraud:
“Anybody who is going to do a payment through a mobile phone needs to be paying close attention to their account,” Sarah Jane Hughes, a commercial law professor at Indiana University, tells US News.
Find apps that issue immediate electronic receipts of your transactions so you always know what’s going on with your account. Check your statements at least once a month.
Always Choose Two-Factor Authentication
Two-factor authentication, which is when you have to provide two forms of identification—such as a password and a code texted to your phone—adds another layer of protection that hackers will need to overcome if they want your info.
Know Where Your Information Is Stored
Charlie Fairchild discourages consumers from apps that save personal information directly on your device.
Mobile payment apps on iOS should store your data in the encrypted data part of the iOS keychain; Android-based apps should save your data “within encrypted storage in the internal app data directory, and the app should be marked to disallow backup.”
Download Apps From Trusted Sources Only
With these trusted stores, there’s literally no chance for malware to creep in unless the developer makes a small error–which is certainly possible (technically anything is possible, right?), but a rarity.
Mobile payment apps are not going away, but they need to get more secure — fast. They may look convenient, but there’s nothing convenient about dealing with the world of hurt that comes with a hack that compromises your financial well being. Resist until the price of convenience doesn’t come at the expense of privacy. Then, everyone wins — except the hackers.