Recently, Venmo came under heavy scrutiny from California regulators due to a lack of security controls. It has since added multi-factor authentication and email alerts to protect its customers. When evaluating mobile payment options, ask: Does the app follow strict security guidelines? Does the app conform to the PCI DSS standard? Does the app use device-based tokenization to protect your payment card information? Is that payment card information stored in a secure vault? Does the app require multi-factor authentication to gain access, as banking apps do? Mobile apps need security guidelines, but until those are mandatory, there are some best practices to live by.
Who Can I Trust?
Applications developed by well-known sources like Target, Walmart, Best Buy, or other big-box retailers are going to be safe to use, because of the security controls in place at those companies. For example, secure development guidance and frameworks such as those from OWASP (the Open Web Application Security Project) are most commonly used when developing applications securely. Unfortunately, there is no readily available checklist for individuals to use to evaluate mobile applications today. As a good rule of thumb, if you have to download a mobile app directly from a website instead of going through a verified storefront or a trusted company or brand, the trustworthiness of that mobile application drops considerably. 75% of the most-used Android apps are designed to collect personal information, some for malware and some for targeted marketing.
Be Selective on Where You Use Mobile Payments
There are a few considerations when using mobile applications with sensitive information. First and foremost, let's bring this down to a personal level: would you read your passport information or social security card aloud in a public place? If you’re using free Wi-Fi in a library or in a Starbucks, you are essentially broadcasting your sensitive information in a place where it is at risk. Regardless of the security controls a mobile application has, using that application over a publicly available Internet connection leaves the communication between the app and its intended destination at risk of a man-in-the-middle attack. If you are going to access sensitive assets, such as banking, investing, or even online shopping, it is best to do so in the privacy of your own home or over a trusted connection.
Best Practices for Mobile Payment Security
For apps that handle sensitive information, a good practice for mobile application developers is tokenization: the app stores a token (a non-sensitive stand-in for the credit card) rather than the card data itself. For example, mobile applications developed by Relevant Mobile do not store your payment card information within the mobile app. Instead, they hold only a token, so your data is not at risk. At the end of the day, storing sensitive information on your mobile device is not recommended. Even if an application has robust security components like encryption for locally stored data, if that device is stolen at any point down the road, all data on it can be considered breached. This is the primary reason and use case for tokenization: removing sensitive data from mobile devices and mobile applications.
Storing your password is one thing, but storing your credit card is another. The only way I would store my credit card on a device for a mobile payment app is if I know that device-based tokenization is being used for my payment card information. Otherwise, you are putting yourself in harm’s way and risking having your payment card information compromised.
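To make the tokenization argument above concrete, here is an added example (not code from the original post, and not Relevant Mobile's implementation). It models a hypothetical server-side token vault, a device-side store that keeps only the token plus the last four digits, and a stolen-device check that scans whatever the device holds for card-number-shaped, Luhn-valid strings. The vault, the storage layout and the sample test card numbers are all constructed for illustration.

```python
from __future__ import annotations

import re
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample card numbers: industry-standard test PANs, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the usual way to recognise card-number-shaped strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: str) -> list[str]:
    """Scan arbitrary text (for example a device storage dump) for Luhn-valid PANs."""
    candidates = re.findall(r"(?<!\d)\d{13,19}(?!\d)", blob)
    return [c for c in candidates if luhn_valid(c)]


class TokenVault:
    """Hypothetical server-side vault: maps random tokens to the real PAN.

    The PAN never leaves this object; only the token is handed to the device.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Letters only, so the token can never be mistaken for a digit run.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing side ever calls this; the app never does."""
        return self._store[token]


@dataclass
class DeviceStorage:
    """What the mobile app persists locally: token plus a display-only last-four hint."""

    records: dict[str, str] = field(default_factory=dict)

    def save_card(self, vault: TokenVault, pan: str) -> str:
        token = vault.tokenize(pan)
        self.records[token] = pan[-4:]   # last four digits, not a usable PAN
        return token

    def dump(self) -> str:
        """Everything an attacker could read off a stolen device with this app."""
        return "\n".join(f"{token}:{last4}" for token, last4 in self.records.items())


def stolen_device_exposes_pan(storage: DeviceStorage) -> bool:
    """True if a stolen-device dump contains any full card number."""
    return bool(find_pans(storage.dump()))


def demo() -> tuple[bool, bool]:
    """Returns (tokenized app exposes PAN, naive app exposes PAN)."""
    vault = TokenVault()
    tokenized_app = DeviceStorage()
    for pan in SAMPLE_PANS:
        tokenized_app.save_card(vault, pan)
    # Contrast: an app that persists the PAN itself. Encrypting it at rest does not
    # help once the device (and its unlocked keys) is in someone else's hands.
    naive_dump = "\n".join(SAMPLE_PANS)
    return stolen_device_exposes_pan(tokenized_app), bool(find_pans(naive_dump))


if __name__ == "__main__":
    exposed_tokenized, exposed_naive = demo()
    print(f"tokenized app leaks PAN on theft: {exposed_tokenized}")
    print(f"naive app leaks PAN on theft:     {exposed_naive}")
```

The same `find_pans` scan is the kind of check a developer can run against an app's own data directory or backups before release: if it finds anything, card data is being persisted where a stolen device would expose it.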
Risk Avoidance Is The Best Policy
At the end of the day, using any technology is about assessing risk and avoiding it as much as possible. Technology aside, use your instincts to guide how you engage with technology when your sensitive information is involved. If something does not feel right when you start interacting with a mobile application provider, do not use them. Or simply do more digging to find out whether their resources and applications meet your standards as a technology user.