How Secure Are Mobile Payment Apps Anyway?

The latest trend in the card payment universe is the mobile payment apps that let you use a smartwatch or smartphone in place of a credit card.  Just how secure are these payment systems?  One of my regular readers, Eric Morley, owner of Big Frog Custom T-Shirts in Woodbury, MN, asked me that question via LinkedIn, and I thought it was a great idea for an article.  Since we were on a roll last week, with three articles about credit card fraud and security, this topic seemed like a natural fourth article in the series.  And yes, you too can get a mention and a link to your business website just by suggesting a topic that you would like to see us write about.

The major players in this space are the usual suspects:  Apple Pay, Google Pay, Samsung Pay, PayPal, Chase Pay, and Walmart Pay.  Most of these apps pay at the register over NFC, the short-range wireless protocol called near-field communication (Walmart Pay, for instance, works by scanning a QR code at the register instead).  An NFC signal only carries a few centimeters, about an inch and a half, so the danger of a nearby attacker sniffing your tap out of the air is low.  More important, the app does not store your actual card number.  When you add a card, the card network issues the phone a substitute card number called a "token" (Apple calls it a Device Account Number) along with a cryptographic key that is kept in the phone's secure hardware.  When you tap at checkout, the phone passes the token plus a small one-time value, a cryptogram computed from that key and the details of this particular transaction, to the point-of-sale terminal.  The card network maps the token back to your real account and checks the cryptogram before the charge is approved.  A token and cryptogram captured from one tap cannot be replayed for a second purchase, and a merchant that is breached later never had your real card number to lose.
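To make the token-plus-cryptogram idea concrete, here is a small simulation added for this article (it is not code from any of the payment apps above, and the HMAC-over-a-counter construction is a simplified stand-in for the EMV cryptogram and application transaction counter that real wallets use).  A token service provider enrolls a constructed test card number, hands the "phone" a token and a device key, and then authorizes taps.  The demo shows why a sniffer who captures a tap gets nothing useful: the real card number never reaches the device, an identical replay is rejected, and an edited copy fails the cryptogram check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Wallet:
    """The phone side of the scheme.

    It holds only a substitute card number (the token) and a device key.
    The real card number (PAN) never reaches the device.
    """
    token: str
    device_key: bytes
    counter: int = 0  # stand-in for EMV's application transaction counter

    def tap(self, merchant_id: str, amount_cents: int) -> dict:
        """Build the message the phone hands to the terminal for one purchase."""
        self.counter += 1
        msg = f"{self.token}|{merchant_id}|{amount_cents}|{self.counter}".encode()
        # Simplified cryptogram: an HMAC over the transaction details under the
        # device key, truncated.  Real wallets use the EMV cryptogram algorithm.
        cryptogram = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()[:16]
        return {
            "token": self.token,
            "merchant": merchant_id,
            "amount": amount_cents,
            "counter": self.counter,
            "cryptogram": cryptogram,
        }


class TokenServiceProvider:
    """The card-network side: a token vault plus cryptogram verification."""

    def __init__(self) -> None:
        self._vault: dict[str, dict] = {}  # token -> {pan, key, last_counter}

    def provision(self, pan: str) -> Wallet:
        """Enroll a card: issue a random token and a fresh device key."""
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return Wallet(token=token, device_key=key)

    def authorize(self, tx: dict) -> tuple[bool, str]:
        """Approve or reject one tap message."""
        entry = self._vault.get(tx["token"])
        if entry is None:
            return False, "unknown token"
        # A counter that does not move forward is a replayed tap.
        if tx["counter"] <= entry["last_counter"]:
            return False, "replay detected"
        msg = f"{tx['token']}|{tx['merchant']}|{tx['amount']}|{tx['counter']}".encode()
        expected = hmac.new(entry["key"], msg, hashlib.sha256).hexdigest()[:16]
        # Any change to merchant, amount or counter breaks the cryptogram.
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False, "bad cryptogram"
        entry["last_counter"] = tx["counter"]
        return True, f"charged card ending {entry['pan'][-4:]}"


def demo() -> dict:
    """Run one legitimate tap, then two things a sniffer might try."""
    tsp = TokenServiceProvider()
    wallet = tsp.provision("4111111111111111")  # constructed test PAN, not a real card
    tap = wallet.tap("GROCER-0042", 2599)       # constructed merchant id and amount

    genuine, _ = tsp.authorize(tap)
    replay, replay_reason = tsp.authorize(tap)  # the identical message sent again
    forged = dict(tap, counter=tap["counter"] + 1, amount=99_999)  # edited copy
    tamper, tamper_reason = tsp.authorize(forged)

    return {
        "device_holds_pan": "pan" in vars(wallet),
        "genuine": genuine,
        "replay": replay,
        "replay_reason": replay_reason,
        "tamper": tamper,
        "tamper_reason": tamper_reason,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the tap message itself is not secret in this model, and it does not need to be: the security comes from the device key that never leaves the phone and from the counter the network tracks, which is why a magstripe-style clone of the token is worthless.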

Because the phone never hands out your real card number, and because sniffing an NFC tap is impractical, mobile payment systems are somewhat more secure than physical credit cards, checks, or cash.  So I am willing to recommend these payment services.  But no system is totally foolproof or secure.  Some of the risks you may run include:

  • Losing your phone.  Just like losing your credit card or wallet, losing your smartphone can put your mobile payment account in the hands of a stranger.  Mobile phone security such as a screen lock, and better yet biometric or two-factor authentication such as facial recognition or a fingerprint, can keep a thief out of your phone, and the major payment apps require the phone to be unlocked before a payment goes through.  Make sure you also know how to locate and wipe your phone remotely, and remember that your card issuer can suspend the token on a lost phone without reissuing the physical card.
  • Open Wi-Fi.  We have addressed the risk of open, unencrypted public wireless networks before.  The tap itself never touches Wi-Fi, and the payment apps encrypt their traffic to the bank, so the exposure here is smaller than for a poorly written app or website.  The realistic risk on an open network is the rest of what is on your phone: a rogue hotspot or fake captive portal that phishes the passwords guarding your wallet, bank, Apple or Google accounts.  Using a VPN when on public Wi-Fi protects you from this sort of snooping.
  • Smartphone malware.  Malware writers are targeting smartphone platforms with keyloggers and remote access Trojans.  If your phone becomes infected, an attacker may be able to use your mobile payment system remotely, or exfiltrate usernames and passwords.  Keep the phone's operating system and apps patched, install apps only from the official app store, never root or jailbreak a phone you pay with, and use a good smartphone anti-malware product if you decide to use mobile payment apps.
  • Weak passwords.  If any practice proves that no security is foolproof, it is the use of weak passwords.  Make sure the password on your mobile payment account, and on the bank, Apple or Google account behind it, is at least 12 characters long and unique to that account.  Use two-factor authentication wherever it is offered.

A couple of weeks ago I was at the grocery store checkout line, and discovered to my dismay that I had forgotten my wallet.  But I did have my smartphone, and if I had set up a mobile payment system previously, I could have easily checked out with just the phone.  But I had not, and had to call my spouse to come and rescue me.  Not good.  As a result of that experience, I did set up Google Pay on my smartphone.  The process was a little complicated, and required that I confirm the app with my bank.  But the additional convenience of mobile payment apps seems worth the hassle of signing up.  Go ahead and give it a try yourself.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
