Protecting Your Privacy and Security When You Make Mobile Payments
Did you know that you can now use a smartphone, tablet, or other mobile device to pay for some purchases? Mobile payments can be convenient: no need to write a check or pull out your wallet for cash or plastic, and no need to type in your payment information to buy something online. But are mobile payments safe? What about your privacy? Those are good questions to ask when you consider using any new technology. Because you usually carry your phone or other mobile device with you, it is on most of the time, and it may contain very sensitive personal information, it is especially important to keep it, and its contents, safe and secure, especially if you want to use it to make mobile payments or conduct other financial business.
A Guide to Protecting Your Privacy and Security When Making Mobile Payments
- Payment Apps
- What Information Can An App Get?
- Know Your Privacy Rights
- Tips for Protecting Your Mobile Payment Privacy
- Lock Your Device
- Beware of Malware
- Use Public Wi-Fi Carefully
- Security Features Built Into the Payment Process
- Tips for Keeping Your Mobile Payment Secure
A mobile payment is using your mobile phone or other mobile device, online or in person, to provide information electronically to make a payment. There are many different technologies and processes used to make mobile payments, and new ones are always around the corner.
- Near Field Communication (NFC) mobile wallet payment. NFC enables you to tap or wave your mobile device close to a “reader” next to a cash register or on a vending machine, turnstile, parking meter, etc. Your mobile device sends the account credential used for the payment over a radio signal with a very short range, typically a few centimeters. The mobile wallet app keeps that credential either in a dedicated secure chip in the phone (a “secure element”) or on a secure server operated by the wallet provider and linked to the app. Examples include Apple Pay and Google’s Android Pay (now Google Pay).
- Mobile web payments (WAP). Use the web browser on your mobile device or a mobile app to make a purchase on the Internet and charge it to your credit, debit, prepaid or bank account.
- QR code (quick response) scans. Your mobile device produces a QR code on the screen to be scanned at the register. The QR code provides the link to the payment information. Usually you download a mobile app for the merchant (such as Starbucks) or a mobile wallet (such as LevelUp) that allows you to create the QR code on your mobile device.
- Mobile text payments (SMS). Send a code by text message to the seller using your mobile device to approve the payment. The purchase is charged to your wireless service bill or a pre-paid account held by the mobile operator. Personal information, such as a payment account number, should never be sent via SMS; text messages are not encrypted.
- Direct mobile billing. Provide your mobile phone number as your account number to the merchant. The purchase is charged to your wireless service bill. These are normally low-dollar digital payments for items such as ring tones, screen savers, or apps, with most mobile operators establishing a transaction and consolidated dollar limit.
How you can make mobile payments depends on what your device is equipped to do and the service in which you have enrolled. For example, billing to your phone number may not require Internet access on your device, but most other types of mobile payments do. Your ability to make mobile payments also depends on whether the merchants are equipped to take them.
In most cases, the accounts that you use now to make payments will be same ones that you use to make mobile payments (for instance, your bank account or debit card, a credit card or a prepaid account). Some mobile payment systems even enable you to use gift cards and loyalty points to pay. And many of the same precautions that you take now to protect your privacy and security when you make payments apply to mobile payments.
Making any kind of payment electronically usually requires revealing a certain amount of your personal information. What information that is, who gets it, and what’s done with it depends on many things, including the type of account you use and how you provide the account information to the seller. Using coupons and loyalty cards to get discounts or points when you’re making a payment can also disclose information about you.
Mobile payments often involve using an app (a software program that you download to your mobile device). Your bank or credit union may offer an app to make mobile payments from your account. There are “mobile wallet” apps offered by nonbanks in which you can store information for your payment accounts and sometimes for gift cards, coupons, loyalty cards, rewards points, credits and other things that you may want to use in making a purchase.
Mobile payment services may offer payment apps that work on different mobile operating systems on your device (for example, iOS or Android). There are apps for payment services such as PayPal and Western Union. Some apps will work on certain operating systems and not others, and some let you use any account you wish, while others may limit your payment options. Most applications require you to assign a default or primary card that is automatically selected for payment unless you change to another card; this default is often referred to as the “top of wallet” card.
Apps may require you to provide personal information in order to download them and, once installed, they can access information from your mobile device. In some cases you may be asked for permission for the app to obtain specific information, such as your location or your address book. Depending on the platform and the permissions you grant, an app may be able to access:
- Your contact information such as your name, mailing address, email address, and mobile phone number.
- Records of your calls and texts.
- Your contacts.
- Your calendar.
- The unique ID number of your mobile device.
- Account information.
- Websites you go to using your mobile device.
- Your location and where you go or shop with your mobile device.
- In the case of mobile payments, an app may also be able to collect information about where you shop, what you buy, how much you spend, and what coupons or loyalty programs you use.
Some mobile payment apps will only collect and share the information that is required to make the payment; others may collect more information about you. Apps may use your personal information for purposes unrelated to making a payment, such as to sell you in-app features or advertise to you on behalf of other companies. They might also share your personal information with other companies.
Who else could collect information from your use of a payment app? It could be the app store, an advertising network, a data broker that collects information about people from a variety of sources and packages it for sale, the manufacturer of your mobile device, the payment provider (such as your credit card issuer), a payment processor, your wireless carrier and broadband service provider, and the businesses that you are paying. Before you use a payment app, find out:
- What information does the app collect?
- Who gets that information?
- How is the information used?
- What choices do you have about the collection or use of the information?
Under federal law (the Gramm-Leach-Bliley Act), your bank, credit union and other financial institutions that you use must notify you about their privacy policies when you open your account and annually thereafter, and must give you the ability to “opt out” (to say no) of their sharing the non-public personal information they collect about you with companies that aren’t affiliated with them, unless that information is necessary for a transaction that you are making.
There is no general federal privacy law, however, so the merchant and others who may be involved when you make a mobile payment can collect information about you from the transaction and from other sources and do what they want with it.
Some states have privacy laws. Ask your state or local consumer protection agency what privacy rights you have under state law.
- Read the privacy policies of the companies whose services you are using to make mobile payments and the companies that you are paying.
- Don’t voluntarily provide information that is not necessary to use a product or service or make a payment.
- Take advantage of the controls that you may be given over the collection and use of your personal information.
- Since mobile payments, like all electronic payments, leave a trail, if there are transactions that you would prefer to make anonymously, pay with cash.
Smartphones and other mobile devices that can access the Internet are basically personal computers that you carry around with you. You can store your contacts, passwords and other personal information on these devices. In the case of mobile payments, you may be storing financial account information on them – information that someone else could use to make purchases or use for other fraudulent purposes. Even with a mobile phone that doesn’t have Internet access, if it has texting capability it could be used without your permission to charge purchases to your wireless account.
Guard your mobile device as you would your checkbook or wallet. There are many things that you can do, and that industry is doing, to keep your personal information secure when you make mobile payments.
The first line of defense is to lock your device, requiring a passcode or other security mechanism, such as a fingerprint scan, to unlock it, and to keep it locked when you’re not using it. It’s as simple, and as important, as locking the door to your house or your car. Many smartphone and tablet manufacturers also build in “kill switches” that let you remotely lock or deactivate a device that is lost or stolen, and there are apps that can help locate your device, disable it and/or “wipe” the contents off of it. Set these features up before you need them; they only work if they were enabled while the device was still in your hands.
When you download a payment app —or any app – to your mobile device, take care. It could contain “malware,” which is short for “malicious software.” Malware can steal personal information from your device such as passwords and account numbers. It can also be used to send spam emails or text messages that look like they’re coming from you. And it can damage your device.
In addition to apps, malware can be planted in other types of software. One thing to watch out for is the “tech support scam.” Long a problem for computer owners, this scam now targets people who have mobile devices. Here’s how it works: you get a call or message from someone claiming to be from a well-known software company or another tech support firm, informing you that your device has a virus or some other problem and asking you to download software to give them remote access so that they can fix it. Some of these scammers even place ads online for tech support that will appear if you search for help with problems on your device. Usually the goal is to install malware to steal the personal information on your device and/or to infect it and then demand payment for the “repair.” New variations of this scam are constantly emerging, but the bottom line is that no legitimate tech service is going to contact you out of the blue and tell you that there is a virus on your device.
Only download apps and other software from sources you trust. Reading reviews about software programs can alert you to any problems that other people have discovered in using them.
Malware can also be hidden in pop-up ads and in attachments and links in emails that look like they are from someone you know. Anti-virus and anti-malware programs can help to protect your device and the information that you store on it, but understand that they often don’t detect new and sophisticated malware. The operating system itself provides much of the protection against intruders by isolating (“sandboxing”) each app from the others and from your data, but only if it is kept current, so install operating system and app updates promptly. Look for information about security features, and about how long the manufacturer will supply updates, in the description of the operating system when you shop for mobile devices.
Learn more: www.onguardonline.gov/articles/0011-malware
Be careful when you use free public WI-FI. It’s convenient but it’s usually not secure. Crooks can use technology to “eavesdrop” on your email or communications on social networks and read what you’re typing on your device. If you are making mobile payments through the web, it’s possible that your sign-on credentials (user ID and password) and account numbers could be exposed, despite the security features in use. It’s more secure to use public WI-FI if you disable file sharing, only go to websites that are encrypted (you’ll see https in the address bar) and use a virtual private network (VPN). A VPN only protects the traffic between your device and the VPN provider, so use one you trust. There are many websites where you can learn about these protections. If you’re unsure that it’s safe to use public WI-FI when you’re making a mobile payment, wait until you’re home or somewhere with a secure connection.
There are many kinds of security features that may be built into the mobile payment process. Look for the answers to some basic questions when you consider using mobile payment applications or wallets.
- What authentication credentials (e.g., password, PIN, biometric) does the payment service require to make payments?
- Are your financial account numbers and other sensitive information stored on your device, or remotely, and how are they secured? Are the payment account numbers tokenized?
- What account information is transmitted to make the payment?
- Is encryption used to protect your personal information in transmission and storage?
Most mobile payment services require a password or PIN to open the application. Don’t share this information with anyone who doesn’t have your permission to make payments using your accounts. Some mobile applications have added the option of using a biometric, such as a fingerprint or facial scan, to increase the level of protection against an unauthorized person making transactions. Others may email or text a confirmation of each payment so you can double-check that it was legitimately made.
Your payment account information might be stored in a secure chip on your mobile device (a “secure element”) or on the server of the payment service itself. In some cases what’s stored on your device is not your actual account number but a substitute for it, either another account number or a “token” that represents your account; such a token is typically tied to that device or merchant so it cannot simply be copied and used elsewhere. This adds another level of security, not only against intruders trying to get your account numbers but also against data breaches at points along the payment chain, such as payment processors and retailers, because they only ever receive the substitute numbers. As mobile payments evolve, so will these security features.
When account information is transmitted to make the payment, it is usually encrypted – turned into a code that can only be read by parties along the payment chain that need it and who have the “key” to unlock the code. Retailers and others are also using encryption and security tokens to make account numbers, passwords and other sensitive information that they store unusable if someone illegally accesses it.
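The substitute-number scheme described above, and the point that numbers stored by a retailer or processor are then useless to an intruder, can be made concrete with a toy token vault. This is an added example written for this page, not code from any wallet provider or card network; the `TokenVault` class and the merchant names are hypothetical, and the card number used is the widely published `4111 1111 1111 1111` test number, not a real account.

```python
"""Toy payment tokenization (added example; not code from the page)."""
import secrets
from typing import Dict, List, Optional, Tuple


def luhn_ok(number: str) -> bool:
    """Luhn checksum carried by real card numbers; rejects mistyped PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the token service run by a card network or issuer (hypothetical).

    The vault is the only place the real account number (PAN) is kept.
    Everyone downstream (the wallet app, the merchant, the processor) stores
    and transmits a token instead, so a breach of their records yields
    numbers that cannot be used without the vault.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}  # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        while True:
            # Keep the last four digits so receipts can still show "****1111";
            # fill the rest from a CSPRNG so the token cannot be reversed to
            # the PAN (it is not a hash or an encryption of the PAN).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._entries:
                break
        # Domain restriction: the token is bound to the merchant it was issued
        # for, so a token stolen from one merchant is useless at another.
        self._entries[token] = (pan, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        entry = self._entries.get(token)
        if entry is None or entry[1] != merchant_id:
            return None  # unknown token, or presented by the wrong merchant
        return entry[0]


def breach_exposes_pan(merchant_records: List[dict], pan: str) -> bool:
    """Would an attacker who copied the merchant's database learn the PAN?"""
    return any(pan in rec.values() for rec in merchant_records)


def demo() -> dict:
    """Walk one purchase through the vault and check what each party holds."""
    vault = TokenVault()
    pan = "4111111111111111"  # published test number, not a real account

    # Enrolment: the wallet provider asks the vault for a token for this card.
    token = vault.tokenize(pan, merchant_id="coffee-shop")

    # Purchase: the merchant's database (constructed here) holds only the token.
    merchant_db = [{"token": token, "amount": "4.50", "last4": token[-4:]}]

    return {
        "token_differs_from_pan": token != pan,
        "receipt_last4": token[-4:],
        "merchant_breach_exposes_pan": breach_exposes_pan(merchant_db, pan),
        "vault_resolves_for_coffee_shop": vault.detokenize(token, "coffee-shop") == pan,
        "vault_resolves_for_other_store": vault.detokenize(token, "other-store"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the merchant's records come out with the real card number absent, the vault resolves the token only for the merchant it was issued to, and a different merchant presenting the same token gets nothing. Real schemes add cryptograms and expiry to each token, but the separation shown here, with the PAN living only in the vault, is the property that limits the damage from a retailer or processor breach.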
There may be additional security features provided by the mobile device operating system, the mobile payment service, the payment provider (such as your payment card issuer) or the merchant.
- Have your mobile device automatically lock when not used within a designated period of time.
- Keep your passwords and PIN numbers to yourself.
- Only download payment apps and other software from sources that you trust, such as your financial institution, a retailer that you do business with, or a trusted app store.
- Protect mobile devices that can access the Internet from hackers and malware by using security software and keeping it updated.
- Be extremely careful when you use free public WI-FI.
- NEVER jailbreak or “root” your phone or disable its security features.
- Beware of messages from criminals pretending to be from your financial institution or someone else you trust asking for your account number or other personal information.
- If you receive an email unexpectedly asking you to click on a link or open an attachment, beware. If it’s from an unknown source, delete it; if it looks like it’s from someone you know, check with the person directly before you do anything.
- Never give access to your device to anyone who contacts you unexpectedly and only deal with tech support companies that you know or whose reputations you have checked out.
- Look for mobile devices and payment services that offer good security features.
If there is a problem with a mobile payment, your rights are basically the same as they would be if you made the payment without the use of your mobile device. But because there may be several different companies involved in the mobile payment process, it may be confusing to figure out who to contact.
The first step is to contact the merchant. At the same time, it’s a good idea to alert your payment provider about the problem. This would be your credit card issuer if your credit card was used, your bank or credit union if the charge was debited from your account, the company with which you have a prepaid account if that was used, or your wireless service if the charge was billed to that account. If the merchant does not take care of the problem, your legal rights depend on the kind of account that was used for the payment. If you used cash to make a mobile payment (some mobile payment apps let people pay bills by going to convenience stores or other locations near them; the mobile device displays a bar code which is scanned, the clerk takes the cash, and the payment is sent electronically to the creditor), be sure to keep the receipt and notify the payment service promptly if there is any problem.
Generally, you have the right to “dispute,” which means to challenge, a credit card charge if it is for the wrong amount, you didn’t agree to make the purchase, you never received the product or service, or you were misled about what you were buying. Once you have notified the seller and your credit card issuer about the problem, you don’t have to pay the charge that you are disputing while it’s being investigated (be sure to pay the rest of your bill on time).
Your dispute rights when the payment is debited directly from your account at a bank or credit union (by using a debit card or providing your account information) are a bit more complicated. You can dispute a debit that you didn’t agree to or that is for the wrong amount, but you don’t have dispute rights if you never got the goods or services or they were misrepresented. Your financial institution may, however, voluntarily allow you to dispute a debit in those situations. In some cases, a network and its card issuing members may provide for liability protection in addition to that provided by regulations.
Notify your credit card or debit card issuer as soon as you realize that there is a problem, since you could lose money and your ability to dispute the charge or debit if you wait too long. Additionally they have robust fraud departments that can quickly prevent further fraudulent activity.
If you make payments using a prepaid card stored in your mobile wallet or a prepaid mobile or online account that you have set up with a payment service, there has generally been no federal regulatory protection, with some exceptions (for instance, if you are using a prepaid card that your employer has provided to put your pay on, called a payroll card, you can dispute a debit for the wrong amount or for a payment you never agreed to). Federal protections for prepaid accounts have since been extended by the Consumer Financial Protection Bureau’s prepaid accounts rule, so check its current guidance. In any case the card issuer or payment service may offer you protection if something goes wrong based on the card’s or account’s terms and conditions, so be sure to read and understand them. If you have any questions, contact them immediately to ask. Be aware that if you’re using a general-purpose reloadable prepaid card (the kind that can be used at a variety of merchants) you must register it with the card issuer to qualify for the protections that it offers, be able to load additional funds to the card, and use it for remote payment transactions.
There are advantages to using your mobile device to bill purchases to your wireless account – you don’t need to have a credit card or a bank account, and the only account number that is exposed is your phone number. But it can also be risky and there are limited merchants that support this option. PIN numbers, which provide some security, are not always required, and with some mobile payment systems you don’t have to provide your phone number; it is captured automatically and touching the screen is all that’s needed to confirm the purchase. If there are charges on your wireless bill for transactions you never agreed to with companies other than your wireless service provider (these are called “third parties”), your ability to challenge them depends on your service provider’s policies (unless you live in California, where consumers have a right by law to dispute unauthorized third party charges on telephone bills). Contact your wireless service provider as soon as you discover the problem. Sometimes wireless providers will even go beyond their stated policies to resolve problems, but there may be limits to how far they’ll go or how many times they will remove these kinds of charges. If you don’t want to bill purchases to your wireless account or let anyone else who might have access to your device be able to do so, ask your wireless carrier if it can put a block on your device to prevent third party charges.
Third-party mobile payment services such as PayPal and Amazon may also provide some type of assistance if there is a problem. The laws concerning consumers’ payment dispute rights may change over time, and even when you don’t have dispute rights or there aren’t voluntary protections with the payment provider or service, it doesn’t mean that there is nothing you can do if there is a problem with the transaction. You may have rights under other consumer protection laws. Ask your state or local consumer agency about your rights and if it can help you resolve the problem or refer you to another agency for assistance.
- Contact the merchant and the payment provider (your credit card or debit card issuer, your bank or credit union, phone company if the charge is billed to your wireless service, etc.) as soon as you discover the problem.
- Know your payment dispute rights and what voluntary protections your payment provider may offer.
- If you are using a third-party mobile payment service check to see if it provides any assistance with problems.