In 2016, 148 million people around the world will reach for their handsets to make payments at in-store point-of-sales terminals, according to a report from Juniper Research. Many millions more will use payment apps such as Dwolla or Venmo to send money to friends and businesses.
The boom is creating opportunities for hackers and thieves, and security gaps in some of the apps are leaving buyers as well as sellers exposed. According to a September report by researcher LexisNexis, merchants reported that “alternative payment methods,” a category that includes PayPal and other nonbank financial companies, accounted for 21% of all fraud in 2015, up from 13% the previous year.
Along with a handful of well-known companies such as Apple, Google and Samsung, the mobile payments field has attracted thousands of thinly capitalized startups. “There’s a lot of two engineers and a goat,” says Richard Crone, chief executive officer of Crone Consulting, which advises the industry.
Crone predicts the number of digital wallets that can be used in stores will double within the next 12 to 18 months and the number of mobile web or in-app payment services will triple over the same period. “We have a lot of people competing to deliver the same service.” He says that in the rush to get their product out, many developers are cutting corners.
Mobile app security provider Bluebox found vulnerabilities in all the roughly 10 unnamed US mobile payment apps it examined last year. Most of the time, the apps themselves aren’t using any kind of encryption to protect the data on the phone or to protect the data in transit.
On March 2 the Consumer Financial Protection Bureau levied a $100,000 fine on Dwolla, a service that allows people and businesses to make and receive payments via a website or mobile app. The agency said Dwolla misled users by claiming that its data security practices exceed industry standards, while in a number of instances it stored and transmitted social security numbers and other sensitive information without encrypting the data. Current laws may need to be updated to determine who’s liable in instances of fraud.
The Electronic Fund Transfer Act does not cover services not offered through traditional financial entities, such as banks and credit unions.
The bottom line: Mobile payments technology is evolving faster than regulation, leaving some users exposed to fraud.