Samsung Pay is now on U.S. shores, joining the list of big players out to make virtual wallets replace the one you carry in your purse or back pocket.
Americans have their pick of mobile payment tools — there’s also Apple Pay and Android Pay, and don’t forget PayPal — but security fears keep many from using their smartphones to send money and make purchases.
In fact, the Federal Reserve reports that nearly 60% of people not using mobile payments cite security concerns among the primary reasons for sticking with traditional forms.
“Compared to what’s out there, it’s pretty good,” says Giles Sutherland of Carta Worldwide, a payment technologies firm. “Your magstripe classic isn’t very secure in the first place.”
What makes mobile payments secure?
Apple Pay, Android Pay and Samsung Pay are often referred to as virtual wallets because users store existing credit card and debit card information in the app.
Each card in the wallet is assigned a token, usually a string of numbers, that represents your 16-digit credit or debit card number. When you use the app to pay at a point-of-sale terminal, like the register at Macy’s or McDonald’s, your token is used to process the payment.
“If the fraudsters got the number and tried to use it, the transaction would fail,” says Michelle Thornton, director of product development for Co-Op Financial Services, a network of some 3,500 credit unions across the country. “Behind the scenes, the cryptography used in tokenization would know that this transaction was not initiated from the correct device.”
Mobile wallets deploy an added level of security by verifying the purchaser’s identity at the point of sale. This varies by app and mobile device, but might call for a personal identification number, signature or fingerprint scan. In some cases, the token generated is also tied to your phone and cannot be used except from that device.
PayPal works a bit differently, but the security concept is similar.
“PayPal you can think of almost like a relay,” Sutherland says. “You load money in from your credit card into this generic account that’s specifically designed for a mobile or digital payment, and your underlying credit card or bank account is shielded. That describes both the token model on Apple Pay and also the PayPal model.”
Customers also need to log in to their PayPal account using a password to complete the transaction, similar to using a PIN.
How are they still vulnerable?
While virtual wallets and mobile payment systems are more secure, they aren’t infallible.
One potential security issue arises when a user adds a credit or debit card to an app like Apple Pay. Banks must give the green light before a card can be used via the app. But some banks don’t have good procedures in place to verify that the person adding the card is the account holder. This makes it possible for scammers to use stolen account information to populate their mobile payment app.
Another well-publicized vulnerability: receiving payments. This primarily applies to mobile payments via apps such as Venmo.
Unlike its parent company, PayPal, Venmo is primarily a peer-to-peer payment service designed to make it easy to, say, send your roommate money for your share of the utilities or have a friend pay you for the concert tickets you bought. Trust is built into the system.
But what about people you don’t know so well? If you make a deal and they recall the funds or use a fraudulent account, you are out the money. So for transactions with strangers or even acquaintances, it’s best to use a service like PayPal that has protections for buyers and sellers.
Modifying your phone’s operating system or downloading a malicious program can also affect the security of any mobile payments made from your device, notes John Gunn, vice president of communications for VASCO Data Security.
“If I am using a mobile phone that is jail-broken or that I inadvertently downloaded malware onto, then I am far less secure than I would be using the same mobile payment app on the same device without these vulnerabilities,” he says.
Which one is the most secure?
In terms of processing payments, there is little difference between the major players, according to most experts.
“Apple Pay, Android and Samsung — they’re truly identical. They’re using tokenization services from the payment networks themselves,” Sutherland says, adding that PayPal’s security features are on par with the big virtual-wallet providers.
Where the security difference lies may be in the device itself. Newer devices, such as the iPhone 6 and the Samsung Galaxy S6, have fingerprint readers. Apple Pay and Samsung Pay depend on these readers to verify a user’s identity at the point of sale, and so are available only on phones that have fingerprint-reading capabilities.
Android Pay, on the other hand, will be available on all Android phones. If you have a new phone, or one with a recent software upgrades, you may be able to lock your phone with a fingerprint. But, unlike with Apple Pay and Samsung Pay, you aren’t required to scan your finger or enter a PIN within the app to verify each transaction. To use the app, you only need to unlock your phone.
The bottom line
The mobile payment apps on the market are more secure than what most people currently use: a physical credit or debit card. But take care to protect your phone from outside threats, such as malware or theft.
Kelsey Sheehy is a staff writer at NerdWallet, a personal finance website. Email:firstname.lastname@example.org. Twitter: @KelseyLSheehy.
Image via iStock.