Mobile payments: How safe are they? Source: Brent Hunsberger
Ready or not, virtual payments are beaming our way, at warp speed.
Some highly touted food carts swipe debit cards on iPhones, while highly chided parking kiosks will soon take payments from smartphone apps.
Oregon's largest bank, U.S. Bank, is testing its fourth mobile payment method, this one embedded in a medical ID wristband.
Next thing you know, you'll be able to make a wish by waving a credit card over the waters of Skidmore Fountain.
Yet with a spate of card fraud in Oregon this year, some readers wonder how safe this $64 billion global market is from thieves.
The answer: It depends.
For now, the best thing to know is from where your money beams. Your best defense relies less on the payment method than it does on the source of the payment itself.
New ways every day
Mobile payment technology is evolving quickly -- too quickly for many retailers and safety police.
There are smartphone apps, payment by phone numbers and chip-embedded credit cards. They use different technologies with forgettable acronyms and confusing weaknesses. NFC? RFID? I've enough problems remembering my PIN.
It's a confusing array of players (Google, Visa, VeriFone Systems, Isis and Portland-based Tyfone Inc. among them), yet only a handful of merchants currently accept them.
The PCI Security Standards Council, which sets retail credit card protections, recently said merchants shouldn't process transactions using mobile phones. That would include Visa and MasterCard transactions processed by Square Inc., which makes the device that food cart and other local business owners plug into the top of iPhones to swipe cards.
Yet didn't Visa invest in Square earlier this year? That doesn't square up at all.
Given all these methods, there are multiple ways your payment information could be breached. The transmission itself could be intercepted. You could forget your phone somewhere. Your phone could get a virus that records your payment information.
But criminals aren't doing any of that yet, said Avivah Litan, a fraud and security analyst with Gartner, a technology consultant. They're after masses of numbers by skimming card readers and PIN pads or hacking online databases. Mobile still makes up only a sliver of all payments.
"It's safer today than using the regular Internet, and it's safer than pumping gas and putting credit cards in at the gas pump," Litan said. "The criminals just aren't targeting it yet."
Banks are being careful, too. U.S. Bank has been testing a variety of mobile payments for several years but has yet to settle on a preferred method. In one pilot involving a Nokia payment-enabled phone, testers wanted the option of disabling a protection measure -- a passcode -- when making small purchases, said Dominic Venturo, U.S. Bank's chief innovation officer for payment services.
On Monday, the bank's employees will begin testing VITAband. It's a waterproof wristband made by Vita Products Inc. that carries emergency medical information along with a small chip to -- you guessed it -- transmit payments by radio waves. Venturo said he couldn't say when VITAband might be available to customers, but added, "It's nearly ready to go." Though the band might currently work at McDonald's and 7-Eleven stores, most stores still aren't equipped for it.
Where you keep your cash
For now, the safety of a virtual payment depends less on its method and more on where the money originates. Mobile payments linked to credit card accounts are as safe as can be. Mobile payments linked to debit cards less so. Those linked to gift cards or something else -- you're on your own.
Here's why:
Credit cards: Federal law limits your liability on any fraudulent credit-card transaction to $50, but issuers won't hold you liable for anything.
Debit cards: If you lose your debit card and report its loss in two days, under federal law, your card provider can hold you liable for no more than $50 in unauthorized charges. Wait longer to report and you can be on the hook for as much as $500.
If your card is simply used without permission, you have 60 days to point out the error to the bank. If you wait longer than that, you could be liable for much of the loss.
"Zero-liability" loopholes: Visa and MasterCard hold you harmless for losses in debit card transactions -- as long as you sign a receipt at the end of the exchange. That "zero-liability policy" can evaporate if you punch in your PIN instead at a merchant or ATM. MasterCard's protection also disappears if you've reported more than one unauthorized event over 12 months.
U.S. Bank's VITAband will be linked to a prepaid account with MasterCard's liability policy, bank officials said, though they say all transactions would be covered.
Prepaid/gift cards: Mobile payments linked to these methods have no federal protections. You're left to rely on the card issuer's policy, according to a report last month by the nonprofit Consumers Union.
Starbucks, which allows customers to pay by swiping a barcode displayed on a smartphone app, offers full balance protection if the prepaid Starbucks Card is registered online.
Prepaid account or phone bill: Payments debited or charged to a mobile phone account probably only have protections voluntarily provided by the carrier. Paymo, which allows you to pay by entering your phone number, offers no protections against unauthorized charges, just lots of promises about its "crack team of security specialists."
California recently issued a rule allowing consumers to reverse unauthorized charges made to prepaid or mobile phone accounts. Oregon has no such law, but state Department of Justice spokesman Tony Green said the department would pursue complaints from customers charged for something they didn't order.
Bottom line
In theory, mobile payments promise more security than your magnetic-striped payment card, which a gas pump skimmer or restaurant server can easily compromise.
"The cellphone has so much more computing power and can do significantly more computations and perform more security functions than a credit card ever could," said Peter Hawrylak, an assistant engineering professor at the University of Tulsa's Institute for Information Security.
Still, the innovators are surging ahead of the safety experts and regulators.
"Consumers need consistent and guaranteed protections, regardless of the payment method or product used," said Consumers Union in its report.
Just remember, if safety is your top concern, don't worry so much about how you pay. Know where your money's coming from.
And may the right source be with you.
--Brent Hunsberger welcomes questions about his column or blog. Reach him at 503-221-8359. Follow him on Twitter or Facebook.