The concept is attractive: Get rid of the bulky wallet in your pocket. No more fumbling to find the card you want to pay with. No more empty gift cards. No more old, illegible receipts. Everything you need would be stored digitally, directly on the smartphone you already keep in your pocket.
However, behind this picture lurks a looming doubt. To reap these benefits, will you be forced to sacrifice security? According to an annual survey by consumer research firm GfK, you’re not alone in your hesitation. Last year, while nearly a quarter of Canadians agreed mobile payments were easier than cash or cards, more than twice that number said they worried about the security of their personal information when using a mobile payment app.
It’s a natural worry to have. After being urged not to share your financial information unless absolutely necessary, now even banks are encouraging their members to add their cards to their mobile wallets, where transactions are made via the cloud. It’s an awful lot of control to give up, especially for a reward that centers primarily around convenience. Of course, mobile providers are conscious of the possibility of credit fraud, and have built security measures into their systems designed to keep your personal information private.
The most important security protocol mobile providers use is tokenization. Tokenization replaces your 16-digit card number with a different 16-digit code, or token, that acts as a substitute card number. Your real card number is never actually stored on your device or transmitted to the retailer; only the token is passed back and forth. That way, even if someone were to steal your phone, hack the retailer or manage to intercept the transaction, all they would be left with is the token, which expires after each transaction and is replaced by a new, unique code.
Retailers have used tokenization to secure card data from traditional credit and debit card purchases for some time, making it a standard across the payment industry. Now, leading mobile payment services, such as Apple Pay, Android Pay and Interac Flash, use tokenization to secure mobile wallets as well.
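The tokenization flow described above can be modeled in a few lines. This is an added example, not code from any payment provider: the `TokenVault` class, its method names and the choice to keep tokens Luhn-valid (so they pass the same format check as a card number) are assumptions of the sketch, and the card number is a constructed test value.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn card-number check."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # every second digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenVault:
    """Hypothetical token service: the only place a token maps back to a card."""

    def __init__(self):
        self._live = {}      # token -> real card number, valid for one purchase
        self._spent = set()  # used tokens are never accepted or issued again

    def issue(self, pan: str) -> str:
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._live and token not in self._spent:
                self._live[token] = pan
                return token

    def authorize(self, token: str):
        """Spend a token. Returns (approved, replacement token for the wallet)."""
        pan = self._live.pop(token, None)
        if pan is None:
            return False, None            # unknown, already used, or expired
        self._spent.add(token)
        return True, self.issue(pan)      # the wallet gets a new, unique token

def demo():
    pan = "4111111111111111"              # constructed test number, not a real card
    vault = TokenVault()
    token = vault.issue(pan)              # what the phone stores
    retailer_log = [token]                # what the retailer sees and keeps
    approved, next_token = vault.authorize(token)
    replayed, _ = vault.authorize(token)  # a captured token presented a second time
    return {"token": token, "next_token": next_token, "approved": approved,
            "replayed": replayed, "pan_at_retailer": pan in retailer_log}

if __name__ == "__main__":
    print(demo())
```

The retailer's log holds only a spent token, and the second use of that token is refused because the vault no longer maps it to anything.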
Just because card data is transmitted and stored securely, however, doesn’t mean fraudsters haven’t found other ways to leverage mobile wallets for their gain. According to a report from the Canadian Bankers Association, many mobile wallets leave the door open to “account takeover fraud,” which gives identity thieves an easier way to make purchases with stolen cards. In these situations, ID thieves who steal a credit card, or even credit card data, can use mobile wallets to make purchases under that account. By not requiring a PIN, signature, or even verification of zip code or address to verify that the user is in fact the owner of the account, mobile wallets give fraudsters an easy route to making payments with stolen cards.
“If this occurs, the fraudster will be able to transact at POS or remotely with impunity until the legitimate cardholder or issuer detects the fraud,” the CBA wrote. “Even the most secure mobile payment solution will not be able to compensate for poor [identification and validation].”
With that in mind, it is especially important for consumers to keep an eye on their credit reports for signs that could indicate fraud. Consumers who want their accounts watched even when they cannot do it themselves could benefit from credit monitoring companies, which can send them alerts when they detect certain activity that may indicate fraud. That way, they’ll have a chance to cancel their card and place a credit alert on their account, locking the ID thief out of their funds.