You down with P2P? 10 tips to secure your mobile payment app

If you look at the figures, you cannot deny that the eCommerce industry is steadily growing. More and more people are doing their shopping online, not only for products and services geared toward the use of technologies and the Internet, but also for items previously only found in brick and mortar stores—groceries, clothing, and, of course, books.

But within the eCommerce market, a submarket is springing to life. Mobile payment, in particular, appears to be making its way to mainstream adoption in certain parts of the globe. So how does it work? And how can we make sure our mobile transactions, just as our other online payments, are secure?

Mobile payment methods

Mobile payment is a regulated digital transaction that uses mainly smartphone devices to pay for goods and/or services. This kind of undertaking is supported by apps that act as mobile wallets, which are tied to users’ bank accounts.

There are many forms of mobile payment in use today. In countries like South Korea, Japan, Poland, and Romania, the use of direct mobile billing (also called “direct to bill”) is the norm. SMS payments, which charities use to get people to donate, QR code payments, mobile web or Wireless Application Protocol (WAP) payments, and Near Field Communication (NFC) payments are other examples.

Perhaps the most notable form of mobile payment that has shown growth and popularity across generations, especially among younger Americans, is peer-to-peer or person-to-person (P2P) payment. This method, which can also be used on desktop and laptop devices, allows people to send and receive money to and from a friend or family member. (Splitting restaurant tabs and house bills among people in your circle has never been easier.) PayPal, Square Cash, and Venmo are just some of the apps that offer P2P services. Google, Facebook, and Snapchat have also jumped on the bandwagon.

You may wonder: Why is P2P being adapted so quickly and widely? According to Bank of America’s 2017 Trends in Mobility Consumer Report [PDF], convenience and time saving are the primary motivators for adoption, followed by peer influence.

Trust (and security) issues with P2P apps

Using a P2P payment app is like having a fast, always-on-call middleman. But, like any other app, it is not without its security and privacy issues.

In 2015, mobile app security and analytics company Bluebox Security (now part of Lookout) published a report revealing that security in mobile payment apps is surprisingly not as robust as one might expect. For example, the top two P2P payment apps they analyzed only use basic security protocols. They also found that these apps were vulnerable to tampering and exploitation of code libraries. Furthermore, user information in the app, along with authentication info and transaction history, are visible should threat actors successfully gain access either to the app or to the smartphone device.

While addressing security and privacy concerns surrounding P2P apps rests in the hands of the companies offering these services, users must for now play their part in securing their personal information and banking details.

Living life with P2P (yeah you know me)

Risks are always present in devices and online services we’ve grown to rely on. To a degree, their presence shouldn’t be our only basis for making informed decisions. If using a P2P payment service is unavoidable because your family or friends use it, we can help you navigate through the process of deciding which app may be a good fit for you—bearing privacy and security in mind—so you won’t have to worry much about it in the future:

1. Look into the P2P app your friends and/or family are using. It’s effortless and practical to just go with the same app they use. Now may be good as good a time as any to do your own research on whether their app has the security and privacy features you’re after (e.g., multi-factor authentication).

Remember that no two P2P apps are alike. If you’re not satisfied with their app (e.g., the fee for sending and receiving money isn’t sound, or user data isn’t encrypted), you can jot down those you’re happy to suggest to them instead. You might even convince them to use an alternative app. Start a conversation by sharing your thoughts and findings and hearing theirs.

2. Download only the legitimate P2P payment apps. Regardless of your app of choice, users should always download them from recognized and legitimate mobile app markets like Google Play and the Apple App Store. Banks and other private organizations (like Starbucks) who offer a P2P service also have links to their apps on their websites that users can access.

3. Carefully review the app’s terms of service (ToS) before signing up. In particular, look for the sections on how they settle dispute and complaints and how your information is used, stored, and processed. This should be stated clearly (especially now, as transparency is part of GDPR compliance). It takes time to review and digest the ToS, yes, but it’s always better to take a little extra time up front to save yourself the headache later.

Read: Make way for the GDPR: Is your business ready?

4. Don’t settle for the default. Some P2P payment apps have pre-set security privacy settings, and a majority of users don’t take the time to review them. Ideally, users should crank up these settings to the highest to achieve maximum security and privacy. Also, make sure you enable notifications for any transactions made under your account and any changes to your details or credentials to clue you into potential events of fraud.

5. Favor bank accounts over or non-bank ones. One can tie in their P2P payment app to banks, credit cards, and non-bank financial institution (NBFI) accounts. However, the Federal Deposit Insurance Corporation (FDIC) has advised that it’s best for P2P users to tie their checking accounts or credit cards with their app, so they are insured if something goes horribly wrong. User funds lost or stolen from non-bank institutions may not be legally protected at all.

6. Set up a password to access your P2P app. Not all P2P apps have this feature, but if yours does, lock it up with a PIN or password. This’ll give anyone a difficult time getting your money from the app should you misplace or lose your phone.

7. Set your account to private. Some P2P service providers included a social networking feature in the app where one can see transactions and activities from contacts in the app’s feed. Not the best idea to make those public. Setting your account to private will prevent anyone from following your activities in their feed.

8. Avoid sending money to and receiving from people outside your circle. This mainly applies to the buyer-seller dynamic. A buyer (or scammer) may likely cancel the P2P transaction after receiving the product bought and before their money is debited from their account. This is called a transaction reversal scam.

9. Avoid carrying a balance. Some P2P services allow you to keep a certain amount of money stashed away to a P2P account for an indefinite length of time, like having a digital wallet. Admittedly, this is super convenient; however, it is not as safe as having money in your bank. If money launderers are able to siphon out money from your stash, it’s highly unlikely you’ll get it all back, as a majority of P2P services aren’t FDIC insured.

So if and when you receive money from someone, cash it out immediately, if possible, or move it to a digital wallet like Google Wallet, which has fraud protection in place.

10. (Optional) Open a separate account you can exclusively tie to your P2P payment app. First-time investors are usually advised to not put all their eggs in one basket. In this case, one should consider setting aside a certain number of eggs they would need for P2P transactions.

And let’s not forget…

Keeping your smartphone secure adds a layer of protection to the data and apps it holds. Does your phone have a lock? The majority of smartphone users don’t typically lock their devices, making such devices easier to access if stolen. Set up a lock now. While you’re at it, make your PIN more challenging. (No, 1-2-3-4 is not a good PIN.) Also, be wary of shoulder surfers when opening your phone to use your P2P payment app.

Now that you’re using a P2P service, you should start proactively monitoring your account regularly for unusual activity, the same way you’d do with your actual bank account or credit card. And finally, install mobile security software and tracking software with remote wipe features if you haven’t already.

Adhering to these steps won’t necessarily keep all P2P payment app security and privacy issues at bay. However, in an age when digital threats are sophisticated and scammers are astute, a device can never be too secure, and their owners never too careful.

Stay safe!

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Jovi Umawing. Read the original post at: