Mobile payments apps: are they safe?

Users need to know how to protect their information and money when making payments if they are going to add the app dimension.

Fast, convenient and safe. These are the words local start-ups and banks are using to describe the mobile payment apps they hope will soon trump cash and plastic, but - as with any process involving users' money - it is security that will win or lose consumer trust and buy-in.

So, how safe are mobile payment apps and should consumers take the plunge and add another dimension that entails sharing personal information in one form or another? Industry observers say yes - but consumers need to be aware of exactly what happens to that information.

"Cash was once safe, until it was forged. Cheques were safe, until they were stolen by postal workers. Cards were supposed to be safe, until the criminals learned how to acquire the essential numbers by various means. Each advance in security measures has been rapidly addressed by the criminal fraternity," says ICT veteran Adrian Schofield.

With new technology comes new types of risks, but even so, Philip Pieterse, senior security consultant at Trustwave, says he would recommend using a mobile app as opposed to cash or card. "As long as you are aware of exactly how your payment card information gets stored, and how it is transferred to the company's network."

Cash and card have overt downsides, says Pieterse. "In SA for obvious reasons, it is common practice for people not to carry large amounts of cash. Card swipe transactions are vulnerable to card skimming and credit card fraud."

In some cases, he says, mobile apps could be more secure than cash and card. "[They] add another layer of security [and] also the mobile application is normally protected with passwords when operating it on the mobile device."

App awareness

With on-device storage the risk comes in when the mobile device gets infected by malware or the encryption gets broken somehow, says Pieterse.

"Secondly, when the credit card information is stored remotely, the communication still needs to be encrypted and again if the mobile device gets infected with malware it might be possible to intercept the credit card information, either in transit or while it is in memory."

He says Trustwave has seen poor security surrounding apps in general, specifically during the development phases. Trustwave's 2014 Global Security Report revealed that 96% of apps scanned in 2013 harboured one or more serious security vulnerabilities. "If more individuals are going to be using mobile payment applications, it's critical that the developers of these applications incorporate vulnerability scanning and penetration testing into the process."

Gregory Anderson, country manager at Trend Micro, says users of Google's open source Android platform in particular need to be aware when installing payment apps. "Any person that owns an Android device should take extra caution to make sure that their device is secure and purchase mobile security for the device from a reputable vendor. You need to be sure the app you download is the original one. [If not] you are opening yourself up to financial loss."

Android users can ensure their device can only download from its official Play Store by going to Settings > Security > Unknown Sources.

User protection

When it comes to protecting users from falling prey to info and money theft, Pieterse says the onus is really on the app developers. "[They need to] incorporate vulnerability scanning and penetration testing during the development, production and active phases so that they are consistently identifying and patching vulnerabilities within the apps."

From the users' side, he says, a good understanding of how these mobile apps actually work - including what happens to your credit card data - is key. "User awareness needs to increase, because all types of data (like payment card data, personal information, health information and even corporate information) are stored on one device."

Mobile app users also need to keep their mobile device up to date with the latest security updates for whichever operating system they use, says Pieterse. "The mobile payment app you use also needs to be kept up to date to ensure you can take advantage of all the bug fixes, increased security practices and enhancements for that particular app."
