The mobile payments industry is projected to be worth about $11.95 trillion by 2025. That’s a lot of money. But there’s something sinister behind the buzz.
If you're one of the 60% of surveyed consumers who paid via digital wallet in 2023, you might be thinking, “if digital wallets are really the next big thing, they must be secure, right?”
Not so fast. As more and more data flows through mobile devices, digital wallets have become both a center of opportunity... and of fraud. In 2023, Google Pay fraud increased by 153%, Samsung Pay by 140%, and Apple Pay by 81%. And though these are relative increases from 2022, they show that fraud is increasing in lockstep with (or even outpacing) the adoption of digital wallets.
So, before you entrust your iPhone or Android device with your payment card data, you should understand how digital wallets work and the level of security they provide.
What are Digital Wallets?
First of all, what do we mean when we say mobile payments and digital wallets? While these terms are sometimes used interchangeably, there’s actually an important difference between the two.
Mobile payments are any transfer of funds made from a mobile device (like a phone, tablet, or smart watch). Mobile payments can include Apple Pay and other digital wallet payments, but they can also include peer-to-peer payment apps such as Zelle that connect directly to bank accounts and allow people to send and receive money through any device connected to the internet. Even entering your credit card information into your phone’s internet browser to buy something online is considered a mobile payment.
Digital or mobile wallets (sometimes called e-wallets) are just like the weathered leather wallet in your back pocket, except that they’re digital, of course. They replace the contents of your wallet and the wallet itself with a single digital tool, usually an app. Mobile wallets are digital wallets that are primarily available on mobile devices like smartphones. Almost all digital wallets are mobile wallets.
Digital wallets store credit cards just like your physical wallet does, but the cards in your digital wallet are digital versions that appear on your device’s screen. You can use these digital cards by tapping or scanning your device like you would a card. Some of these digital credit cards are the digital version of a physical card you already own. Your physical card, or your “source” card, can be uploaded into a digital wallet in a process called enrollment. Some digital credit cards are digital-only and have no physical card “twin.”
Apple Wallet, Google Wallet, and Samsung Wallet are three popular digital wallets in the USA. They each have their related payment function: Apple Pay allows cards stored in the Apple Wallet to make payments, Google Pay does the same for Google Wallet, and Samsung Pay does the same for Samsung Wallet. AliPay and WeChat Pay are two of the biggest platforms in China, which is a world leader in digital wallets.
Digital wallets are obviously great when you forget your wallet at home, but less so when your phone decides to die. Traditional credit cards are physical tools that still work for our digital world: You can use them for online shopping, but you don’t need to worry about your battery charge percentage or the internet goblins that make your phone hackable.
The Origin of Digital Wallets
Since the first-ever true online purchase in 1994, the payments industry has been researching and experimenting with digital payment and banking tools. In 1999, online money transfer service PayPal launched and further inspired the industry to find digital and mobile ways of sending money. Big companies like eBay, Mastercard, and Visa tried but failed to capture the market.
Fast forward ten years. In 2003, Alibaba launched Alipay, a digital payment platform, in China. Alipay would become the world’s largest digital payment platform, change Chinese payments forever, and pave a path for digital wallets all over the world. Google Wallet launched in 2011 and Apple Passbook (which would become Apple Wallet) launched in 2012. In 2013 and 2014 respectively, WeChat Pay and Apple Pay were introduced; Android Pay and Samsung Pay followed in 2015. Since then, the use of digital wallets has continued to grow.
Are Digital Wallets Secure?
Digital wallets benefit from your phone’s protection: usually a password, PIN, or fingerprint. Digital wallets also use a function called card tokenization for extra security. Tokenization replaces your card’s 16-digit card number with a stand-in number that’s stored on the digital wallet. Your card’s real number isn’t shared with anyone when you use the digital wallet to make payments. Sounds secure, right? Unfortunately, it turns out that digital wallets and tokenization both have fundamental flaws that can lead to card fraud. Here’s what you need to know:
Authentication
Getting your digital wallet to talk to your bank isn’t as simple as tapping to pay. First, you need to verify your identity. This is called authentication.
Some digital wallets’ authentication systems aren’t great. There are many ways to prove your identity, from scanning your fingerprint to entering a code. But many digital wallets don’t want to make paying inconvenient for their customers, so they have minimal authentication. As Google explains in a support document, “if you’ve verified it’s you on your device in the past few minutes, you may not be required to verify for another transaction” with your Google Wallet. Good for convenience. Bad for security. Imagine you enter your password to unlock your phone to text a friend, but then you set it down. In that moment, someone could swoop in and access your digital wallet.
Authorization
When you try to buy something with your digital wallet, there’s some back-and-forth between the wallet, your bank, your credit card company, the merchant, the merchant’s bank, and the transaction processor. They all need to get on the same page before the purchase can go through. This process is called authorization.
A lot can go wrong during authorization, and fraudsters know how to exploit it. Researchers from the University of Massachusetts Amherst and Penn State found that kinks in the authorization process can allow scammers to link stolen credit cards to their digital wallets, even when the card is canceled. You read that right: canceling your card won’t save you from fraud if it’s already gone digital. In some scams, hackers trick victims into downloading fake apps that steal card info. The fraudster then adds that stolen info to their digital wallet and voila: they’re spending your money while you’re stuck on hold with your bank. This is called fraudulent enrollment. The solution: make sure your source card is well-protected so that no hacker can steal the card info, and make sure your digital wallet has airtight authorization.
Hacker Heaven
Digital wallets are prime targets for fraud attacks and hacking, and because they use card tokenization, they may make it more difficult to fight this fraud. When card tokenization replaces a credit card’s number with a temporary stand-in number, it removes one of the card’s major identifiers. That makes spotting, reporting, and tracing stolen digital cards and fraudulent activity much more difficult when the hackers do come calling. Right now, the only cure for this problem is prevention: rely on a protected source card and secure enrollment to make sure that your digital wallet isn’t increasing your overall fraud vulnerability.
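To make the tokenization points above concrete, here is an added example (not from the original article and not any wallet provider's code): a toy issuer-side token vault in Python. The class, function names, and sample card numbers are assumptions constructed for illustration; it shows why a stolen-card watchlist misses tokenized payments unless tokens are resolved back to the source card, and why canceling a card should also revoke its tokens.

```python
import secrets

class TokenVault:
    """Toy issuer-side vault mapping wallet tokens to source card numbers (PANs)."""

    def __init__(self):
        self.token_to_pan = {}      # only the issuer side holds this mapping
        self.canceled_pans = set()
        self.revoked_tokens = set()

    def enroll(self, pan):
        """Issue a random 16-digit stand-in for a card being added to a wallet."""
        if pan in self.canceled_pans:
            raise ValueError("source card canceled; enrollment refused")
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self.token_to_pan:
                break
        self.token_to_pan[token] = pan
        return token

    def cancel_card(self, pan, revoke_tokens):
        """Cancel a card; revoke_tokens=False models a vault that forgets its tokens."""
        self.canceled_pans.add(pan)
        if revoke_tokens:
            self.revoked_tokens.update(
                t for t, p in self.token_to_pan.items() if p == pan)

    def authorize(self, token):
        """Approve only tokens that are known and have not been revoked."""
        return token in self.token_to_pan and token not in self.revoked_tokens


def match_by_card_number(log, stolen_pans):
    """Watchlist check on raw merchant records, which carry only the token."""
    return [tx for tx in log if tx["account"] in stolen_pans]


def match_by_source_card(vault, log, stolen_pans):
    """Issuer-side check: resolve each token to its source card first."""
    return [tx for tx in log
            if vault.token_to_pan.get(tx["account"]) in stolen_pans]


# Constructed sample data: test card numbers and two wallet payments.
STOLEN_PAN = "4111111111111111"
vault = TokenVault()
wallet_token = vault.enroll(STOLEN_PAN)
merchant_log = [{"account": wallet_token, "amount": 120},
                {"account": vault.enroll("5555555555554444"), "amount": 8}]
```

In this model, match_by_card_number finds nothing in the merchant log, while match_by_source_card flags the first payment; the token keeps authorizing after cancel_card(..., revoke_tokens=False) and stops once it is called with revoke_tokens=True.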
Lacking Liability
Digital wallet providers don’t have to follow the same strict regulations as traditional credit card issuers. That’s because the technology is so new; legally speaking, digital wallets are still kind of like the Wild West. This creates potential pitfalls that consumers can fall right into.
Fraud liability rules decide who will pay for the damage caused by fraud. After all, if someone steals your card and racks up $500 worth of charges, someone has to foot the bill. Digital wallets’ fraud liability usually mirrors that of credit cards. Thanks to laws like the Fair Credit Billing Act, credit card companies are required to limit cardholders’ fraud liability and often refund fraudulent charges. In fact, most card companies offer zero-liability policies, which means that cardholders aren’t on the hook for any fraud charges at all.
For example, Google Wallet doesn’t hold US cardholders liable for “verified unauthorized transactions.” But what about non-US cardholders? And what exactly is an “unverified” unauthorized transaction? Because different countries follow different laws about digital payments, questions of liability can become tricky.
Additionally, some digital wallets blur the line between mobile payments and digital wallets. Sometimes, this means that credit card liability no longer applies to these services. For example, Venmo is a peer-to-peer payment app that also offers a physical debit card that you can link with your app. Since the Venmo app can store a digital card, it could be described as a digital wallet.
The main difference between this type of mobile payment service-slash-digital wallet and a traditional digital wallet like Apple Wallet is the source of the funds. If the digital wallet’s transactions are funded by a credit card, it is protected by the Truth in Lending Act of 1968 and something called Regulation Z, which limits a cardholder’s liability to a maximum of $50.
However, if the digital wallet’s transactions are funded by a debit card or any sort of bank account, it doesn’t qualify for this kind of protection. This kind of digital wallet is covered by the Electronic Fund Transfer Act and Regulation E, which follows a complex set of rules that sets different levels of liability depending on how quickly the customer reports the fraud.
What does this mean? In short: if you get defrauded on your digital wallet, your liability can get pretty complicated pretty quickly. This can be a headache to sort out.
What’s More Secure: Credit Cards or Digital Wallets?
Physical cards have effective anti-fraud measures: EMV chip technology has drastically reduced in-person card fraud, and cards with dynamic, or changing, security codes like EVC (Ellipse Verification Code) make it even harder for fraudsters to steal your card’s full information.
Physical cards have “phygital” security measures that typically trump the security of mobile wallets. Due to the simple fact that a physical card exists outside of your smartphone, it is harder to hack. If your card gets stolen, less of your personal and financial data is compromised than if your smartphone is stolen.
So, while digital wallets may seem like the new, secure way to pay, they come with a lot of potential security risks, especially when compared to old-school credit cards. From phone vulnerabilities to authentication holes, digital wallets aren’t as foolproof as they seem.
Consumers should enjoy the convenience of digital wallets, but they should also keep their guard up. Don’t ditch your physical cards just yet, because when it comes to security, they’re still your best bet. And if you want to use a digital wallet, make sure that you link it to only the most fraud-proof cards. Ask your bank or card company about card protections like EVC to really go the extra mile.