How Secure Are Mobile Payment Apps Anyway?

The latest trend in the card payment universe is the mobile payment app that lets you use a smart watch or smartphone in place of a credit card.  Just how secure are these payment systems?  One of my regular readers, Eric Morley, owner of Big Frog Custom T-Shirts in Woodbury, MN, asked me that question via LinkedIn, and I thought it was a great idea for an article.  Since we were on a roll last week, with three articles about credit card fraud and security, it seemed like this topic would be a great fourth article in the series.  And yes, you too can get a mention and a link to your business website just by suggesting a topic that you would like to see us write an article about.

The major players in this space are the usual suspects:  Apple Pay, Google Pay, Samsung Pay, PayPal, Chase Pay, and Walmart Pay.  These smartphone apps use NFC, the wireless communication protocol called near-field communication.  NFC is a very short range radio signal, usually around one and a half inches.  Consequently, the danger of wireless data leakage and sniffing by a nearby cyber-attacker is remote.  The app stores your credit card information in an encrypted form called a “token.”  When you use your phone at checkout, the app passes your encrypted token, plus another small encrypted data element that is unique to this particular transaction, to the point of sale system, and the transaction is charged to your credit card account.
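To make the token-plus-unique-transaction-element idea concrete, here is a small added model in Python. It is not code from the original post or from any of the payment providers named above; the message fields, the HMAC-based cryptogram, and the counter-based replay check are simplifications chosen for illustration and do not reproduce any real network's scheme. It shows the three parties (phone, point of sale terminal, card issuer) and why a copied token on its own cannot be charged again.

```python
"""Constructed teaching model of tokenized mobile payment.

Assumptions (not from any real payment network): the issuer replaces the real
card number with a random token, gives the phone a per-token secret key, and
the phone proves possession of that key with an HMAC over the transaction
details, a per-device counter, and a nonce chosen by the terminal.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def cryptogram(key: bytes, token: str, amount: int, merchant: str, counter: int, nonce: str) -> str:
    """Per-transaction cryptogram: binds token, amount, merchant, counter and nonce."""
    data = f"{token}|{amount}|{merchant}|{counter}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class Issuer:
    """Card issuer / token service: the only party that ever sees the real card number."""
    vault: dict = field(default_factory=dict)          # token -> (real PAN, device key)
    last_counter: dict = field(default_factory=dict)   # token -> highest counter accepted

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Enroll a card: hand the phone a random token and a device key, never the PAN."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        self.last_counter[token] = 0
        return token, key

    def authorize(self, msg: dict) -> str:
        """Check the cryptogram, then reject anything at or below the last seen counter."""
        token = msg["token"]
        if token not in self.vault:
            return "DECLINED: unknown token"
        pan, key = self.vault[token]
        expected = cryptogram(key, token, msg["amount"], msg["merchant"], msg["counter"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "DECLINED: bad cryptogram"
        if msg["counter"] <= self.last_counter[token]:
            return "DECLINED: replay"
        self.last_counter[token] = msg["counter"]
        return f"APPROVED: charged account ending {pan[-4:]}"


@dataclass
class Phone:
    """The wallet app: holds only the token and the device key."""
    token: str
    key: bytes
    counter: int = 0

    def tap(self, amount: int, merchant: str, nonce: str) -> dict:
        self.counter += 1
        return {
            "token": self.token, "amount": amount, "merchant": merchant,
            "counter": self.counter, "nonce": nonce,
            "cryptogram": cryptogram(self.key, self.token, amount, merchant, self.counter, nonce),
        }


class Terminal:
    """Point of sale: supplies a fresh nonce, relays the message to the issuer."""
    def __init__(self, merchant: str) -> None:
        self.merchant = merchant

    def checkout(self, phone: Phone, amount: int, issuer: Issuer) -> tuple[dict, str]:
        nonce = secrets.token_hex(8)
        msg = phone.tap(amount, self.merchant, nonce)
        return msg, issuer.authorize(msg)


def run_demo() -> dict:
    """Constructed scenario: one real purchase, then two things an eavesdropper might try."""
    issuer = Issuer()
    real_pan = "4111111111111111"            # constructed sample card number
    token, key = issuer.provision(real_pan)
    phone = Phone(token, key)
    pos = Terminal(merchant="GROCERY-42")

    msg, first = pos.checkout(phone, amount=2599, issuer=issuer)
    replay = issuer.authorize(msg)            # same message sent a second time
    forged = dict(msg, counter=msg["counter"] + 1, cryptogram="00" * 32)  # token without the key
    unknown = issuer.authorize(dict(msg, token="0000000000000000"))
    return {
        "first": first,
        "replay": replay,
        "forged": issuer.authorize(forged),
        "unknown": unknown,
        "pan_on_wire": real_pan in str(msg),  # does the NFC message carry the real PAN?
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:12} {outcome}")
```

The two checks in `Issuer.authorize` are what give the token its value: the cryptogram ties the message to the device key and to this purchase, and the counter means the same message cannot be charged twice even if it was captured in full.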

Because of the use of encryption and tokenization, and the minimal danger from wireless sniffing, mobile payment systems are somewhat more secure than physical credit cards, checks, or cash.  So I am willing to recommend these payment services.  But no system is totally fool-proof or secure.  Some of the risks you may run include:

  • Losing your phone.  Just like when you lose your credit card or wallet, losing your smartphone can put your mobile payment account in the hands of a stranger.  Using mobile phone security such as a screen lock, and even two-factor or biometric authentication like facial recognition, can keep a thief from getting into your phone.  Make sure you are familiar with how to wipe your phone remotely, too.
  • Open Wi-Fi.  We have addressed the risk of open, unencrypted public wireless networks before.  Using your mobile pay account on unencrypted public Wi-Fi networks can allow a thief to collect your payment information off the wireless network and spoof your mobile payment system.  Using a VPN when on public Wi-Fi can protect you from this sort of exploit.
  • Smartphone malware.  Malware writers are targeting smartphone platforms with keyloggers and remote access Trojans.  If your phone becomes infected, an attacker may be able to use your mobile payment system remotely, or exfiltrate user and password information.  Using a good smartphone anti-malware product is a must if you decide to use mobile payment apps.
  • Weak passwords.  If there was ever a foolish practice to prove no security is fool-proof, using weak passwords is the worst.  Make sure your mobile payment password is longer than 12 characters, and unique to the account.  Use two-factor authentication whenever possible.

A couple of weeks ago I was in the grocery store checkout line, and discovered to my dismay that I had forgotten my wallet.  But I did have my smartphone, and if I had set up a mobile payment system previously, I could have easily checked out with just the phone.  But I had not, and had to call my spouse to come and rescue me.  Not good.  As a result of that experience, I did set up Google Pay on my smartphone.  The process was a little complicated, and required that I confirm the app with my bank.  But the additional convenience of mobile payment apps seems worth the hassle of signing up.  Go ahead and give it a try yourself.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
