When a Wallet Is No Better Than a Ziploc

Many startups aren’t properly securing their users’ data.

Mobile Payment
Photographer: Artur Debat/Getty Images

“I am hoping my kids don’t do it,” says Sarah Jane Hughes. The Indiana University at Bloomington professor of commercial law isn’t alluding to sex or drugs. She’s talking about the dangers of mobile payments services, a subject that brought her to Capitol Hill in December for a congressional hearing. She’s not the only one sounding an alarm: In September almost half of about 900 members of Isaca, an association of IT professionals and risk managers, said mobile payments aren’t secure.

In 2016, 148 million people around the world will reach for their handsets to make payments at in-store point-of-sale terminals, according to a report from Juniper Research. Many millions more will use payment apps such as Dwolla or Venmo to send money to friends and businesses.

The boom is creating opportunities for hackers and thieves, and security gaps in some of the apps are leaving buyers as well as sellers exposed. According to a September report by researcher LexisNexis, merchants reported that “alternative payment methods,” a category that includes PayPal and other nonbank financial companies, accounted for 21 percent of all fraud in 2015, up from 13 percent the previous year.

Along with a handful of well-known companies such as Apple, Google, and Samsung, the mobile payments field has attracted thousands of thinly capitalized startups. “There’s a lot of two engineers and a goat,” says Richard Crone, chief executive officer of Crone Consulting, which advises the industry. Crone predicts the number of digital wallets that can be used in stores will double within the next 12 to 18 months and the number of mobile Web or in-app payment services will triple over the same period. “We have a lot of people competing to deliver the same service,” says Michael Belton, vice president for applied research at Optiv Security. He says that in the rush to get their product out, many developers are cutting corners.

Mobile app security provider Bluebox found vulnerabilities in all the roughly 10 unnamed U.S. mobile payment apps it examined last year. “Most of the time, the apps themselves aren’t using any kind of encryption to protect the data on the phone or to protect the data in transit,” says Andrew Blaich, Bluebox’s lead security analyst.

On March 2 the Consumer Financial Protection Bureau levied a $100,000 fine on Dwolla, a service that allows people and businesses to make and receive payments via a website or mobile app. The agency said Dwolla misled users by claiming that its data security practices “exceed industry standards,” while in a number of instances it stored and transmitted Social Security numbers and other sensitive information without encrypting the data. In a statement, the Des Moines-based company said “the CFPB has not found that Dwolla caused any consumer harm.”

The Federal Trade Commission, which regulates nonbank financial-services companies, won’t disclose whether it’s investigating any mobile-payments-related cases, but “it’s something that we are looking closely at,” says Duane Pozza, an acting assistant director at the commission’s division of financial practices.

Current laws may need to be updated to determine who’s liable in instances of fraud. The Electronic Fund Transfer Act doesn’t cover services not offered through traditional financial entities, such as banks and credit unions. Hughes, the professor, advises app users to read the fine print and consider whether they’re “satisfied with the level of privacy and security that provider is offering.”

The bottom line: Mobile payments technology is evolving faster than regulation, leaving some users exposed to fraud.
