Mobile Payment Security & Privacy

Cold hard cash is becoming scarce these days. People just don’t carry it around any more. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. Are these payment systems safe? And what protections do I have against fraud? It’s sort of a mixed bag.


Mobile Payments: Security vs Privacy

The good news is that most of these newfangled mobile payment systems are pretty secure. The services require adequate authentication and use strong encryption for the transactions themselves. In many ways, mobile payments are more secure than cash transactions. Google Pay, Apple Pay, Venmo, PayPal, Cash App and Zelle are all secure enough.

Where these apps and services often fail is with privacy. I wrote about this a while back, picking on Venmo in particular. I don’t want to repeat all of that here, but the bottom line is that Venmo is a social media service. All your payments are public by default. I’m sorry, but that’s just dumb. As I mentioned in the previous article, millennials have admitted to using Venmo to buy drugs. Someone else used the public payments to find Joe Biden’s Venmo account. It’s a privacy nightmare. If you insist on using Venmo, at least make your transactions private. But even credit cards are bad for privacy, honestly.

Treat Mobile Payments Like Cash

Many of us use credit cards for online payments, of course. This is actually what I recommend you do whenever possible. Credit cards come with a lot of security and financial protections. It’s really that last part that I want to talk about here. When you charge something to a credit card, you haven’t transferred any money. Your credit card company fronted that money on your behalf – that’s why it’s called credit. This is not true for debit cards, which work more like cash.

When you pay for something with a debit card, that money immediately leaves your bank account. If someone manages to fraudulently charge something to your credit card, you simply need to report the bad charge to your credit card company and you won’t be liable for it. Because they are ultimately on the hook for these charges, credit card companies are pretty darn good at automatically detecting fraud – they will likely notice it even before you do. The same is not true for fraudulent debit card charges. You have to try to claw that money back after the fact, which is harder to do – and leaves you without that money unless and until you can convince your bank to refund it to you.

It’s actually worse for mobile payments – even Zelle, which is backed by many US banks. Much of the fraud with mobile payment systems involves scams or social engineering. Bad guys trick you into sending them money. It turns out, that’s a crucial distinction when it comes to trying to get reimbursed. While banks have a fairly clear mandate to cover funds that are stolen from your account, they’re not really obligated to refund money that you purposely sent to someone else. It doesn’t matter whether it was an honest mistake on your part or you were tricked into doing it. Some banks will reimburse the funds out of goodwill, but not many (you can read the official PDF report here).

What to Do?

It’s going to be hard to avoid mobile payment apps. They’re popular and convenient. When splitting a bill with friends or paying a vendor, cash will always be the most private option, followed by Apple Pay or Apple Cash. Venmo, PayPal, Google Pay, Cash App and Zelle are secure, but not really private. Expect that your transactions will be tracked and potentially shared with “partners”. But more importantly, treat these transactions as final and irreversible, as if you had handed someone cash.

There are some interesting alternatives. Virtual credit card numbers are offered by some banks, which allow you to generate one-time credit card numbers for online purchases. If bad guys manage to steal this info, it will have very limited use. You can also try Privacy.com, which allows you to create dedicated card numbers for one-time transactions or for specific merchants. They also make a point of not tracking or sharing your transactions data. This is great for privacy, but under the covers it acts like a debit card, which has the risks I’ve already discussed.

When using mobile payment systems for large or recurring payments, send a small test payment first to make sure you have the correct recipient – like literally $1 or the smallest amount possible. And never, ever make a payment using a link someone sent you via email or text message unless you’re absolutely sure who sent it. Finally, be wary of any situation where someone claims that you first need to send them money before they can send you money.

You can read more about these scams here and here.
