We are essentially a cashless society. With the rise of debit cards in the late 1980s early ’90s, fewer and fewer of us use paper money to pay for things. Throw in online shopping and single-retailer payment apps like the one from Starbucks, and ATMs seem almost quaint.
Yet, with great convenience typically comes great security issues. The magnetic strip on the back of credit debit cards opened up an exciting opportunity for criminals. Using devices known as “skimmers,” tech thieves could steal data from a card (the number and expiration date) while it is being used at a point-of-sale (POS) machine, including at gas stations Gas pumps see a ton of traffic and are not continually monitored by an employee.
Fortunately, the skimmer situation has improved. But to help you navigate the ever-increasing sea of payment options, I spoke with Weston Hecker, a security researcher who has studied, hacked and worked on payment systems. Nothing is unhackable, but protecting your financial data makes it harder for you to be a target.
Chip and PIN
First off, the magnetic strip has largely been replaced by the chip-and-PIN system. Instead of using the static information on the card (your account number), each transaction uses a single-use key that’s valid for a few seconds. Typically you insert your card into the POS machine, which, after a few moments, prompts you for your PIN. It takes a little longer than the magnetic strip system, but it’s far more secure.
“(Data) was always static on the mag strips. It was a heyday for the last 20-plus years of people fraudulently buying things,” Hecker said. What pushed retailers to adopt the new machines was the shift in liability. If there were a fraudulent charge from a mag-strip transaction, the retailer had to shoulder the financial responsibility instead of the bank or credit card company.
But like all systems, it’s ripe for exploitation. Back in 2016, Hecker demonstrated a proof-of-concept attack on the system that would hijack the one-time-use secure key. Fortunately, most banking institutions have reduced the transaction time to reduce the chance of this type of attack, so you’re pretty safe using it.
If you do have to use a mag strip, use a credit card instead of debit. There’s typically better fraud protection coming from credit card companies as opposed to banks.
Apple Pay, Google Pay, Samsung Pay (and so on)
While the idea of paying with your smartphone is relatively new for folks in the United States, the security benefits are impressive. Apple, Google and most of Samsung’s payment systems use secure one-time tokens during a transaction. Samsung transactions with Bixby do not, so maybe don’t use that feature.
What gives these systems a leg up over chip-and-pin is that you never have to show your actual card and you typically have to use a biometric log-in procedure (your fingerprint or face) to initiate a transaction. That means if your card and phone are stolen, your phone is less likely to be the source of fraudulent transactions. In January, Apple said that 65 percent of retailers were Apple Pay ready. Since POS systems would require the wireless system for Apple Pay, chances are Google and Samsung pay are available at the same retailers. That huge number is based on major stores like Target and 7-11 supporting the payment. But that’s still a lot of places you can use to pay with your phone.
“They are very, very, very hard to hack without having the local device compromised and the actual terminal compromised,” Hecker said. “It is a lot of investment from an attacker’s perspective.”
To sweeten its Apple Pay system, the company is also launching its own credit card (backed by Goldman Sachs) this month. It’ll integrate with the company’s phone-based transaction process like any other card, but you get cash back rewards for Apple products. Oh also, Apple will send you a physical titanium credit card for when you don’t have access to Apple Pay.
Apple has a history of doing right by customers, privacy wise, but this is its first credit card. This may sound paranoid, but waiting a little while to see if any issues crop up is the best course of action here.
Paying for things online continues to get safer, but there’s always room for improvement. If you can avoid it, don’t send your credit card information to a site for a single purchase. Smaller online retailers don’t have the resources of Amazon to stop hackers. “As far as entering cards on pages, that’s never a good idea,” Hecker said. “That that just gives me a bad feeling in general. I would recommend using some kind of third-party service.”
Fortunately, there’s PayPal, Visa Checkout and Apple Pay. Plus, some banks will generate one-time use card numbers for payments. If you have the option to use any of these services instead of your actual credit card number, do it: The retailer never has to deal with your actual static credentials, and your purchases are a bit safer.
Hecker also mentioned that if you buy from Amazon on a regular basis, using that company’s credit card typically means you’ll get better service if something goes wrong. So if you drop a lot of money on a new TV from Amazon and it breaks after a week, you’ll more than likely have the situation taken care of quicker because you used that payment method.
Venmo and Square Cash
While Venmo made a lot of headlines a few years back about people being scammed out of thousands of dollars, the service (which is currently owned by PayPal) has since bolstered its security. Still, it’s far from perfect and adjusting its protection features relies on you. The social aspect — where everyone knows your transaction history — is just bad. You should set all your transactions to private. Telling the world you bought a bagel on Twitter is fine; telling the world you sent a friend money for a massage is not.
Apple Pay, Google Pay and Square Cash work along similar lines: You can quickly send friends money without paying a fee. While the majority of people are using Venmo, Apple’s dedication to user privacy makes it the better option. The company has been very vocal that it doesn’t sell user data and that its customers are not its product. (Typically this is a dig at Google, which uses personal information to sell data to third parties for ads, although you can usually opt out of that.)
Credit cards versus debit cards
This is a tough one. Most banking institutions have a more robust protection plan for credit cards than they do debit cards. Hecker says he would stay clear of using a debit card from a smaller bank or credit union. He notes that if a card is skimmed and the perpetrator buys a big-ticket item like a TV it could take up to a week to get refunded because these institutions have smaller fraud departments. “There are very few things I use my debit for,” he said.
Of course, not everyone has the option of using a credit card. In that case, the additional security of a service like Google Pay or Apple Pay could come in handy. By linking your debit card to Apple Pay or Google Pay, you have an extra layer of protection by not sharing your account number with a retailer and the biometric lock on your device that blocks unauthorized users.
When things go sideways, it’s important to have someone listen to your tale of woe. There’s nothing worse than realizing that your hard-earned cash has been pilfered and there’s no one available at the company to help you. This is where large banks and credit card companies shine. Well, mostly. You still have to deal with myriad transfers, and you’ll probably get hung up on a few times. I’ve never been able to resolve a financial issue with a bank with just a single phone call.
Still, it’s good to know that someone is only a phone call away.
Some of the peripheral companies don’t have that. For example, PayPal only has folks manning the phones from 6am to 6pm Pacific time. So if you realize at midnight that someone has accessed your account and purchased a waterbed, you have to wait until the morning to call someone.
Venmo, which is owned by PayPal, is only open Monday through Friday from 10am to 6pm Eastern time, which is unfortunate considering how often I use its service while hanging out with friends on the weekend.
Square’s Cash App doesn’t have anyone to talk on the phone. Instead it has an automated service, but it really wants you to resolve issues through the app.
Fortunately, Google Pay and Samsung Pay operators are available 24/7. Meanwhile, Apple Pay seems to fall under the umbrella of the rest of Apple’s products, with a 7am to 11pm Central time availability.
If you’re lucky, you’ll never have to call any of these companies. But if the need does arise, it would be nice if all of them offered 24/7 availability for financial emergencies.
So about those gas stations. Some have pumps with tap-to-pay, which reduces the chance of skimming. Also, they’ve worked hard to make it tougher to add skimming hardware to a pump. But, there are some stations (usually the ones with the cheapest gas) that are ripe for thieves to use as a source of income. In those cases — and if you live in a state like California where you pay before you pump — I’d recommend going inside. Yes, it’s a huge pain, but sometimes security is like that.
Sometimes it’s the safest way to pay especially in restaurants that still use the swipe method for cards. Plus, for small local merchants that are already struggling to stay in business, it saves them money on transaction fees. But maybe don’t go around with large wads in your pocket.