How Secure Are Payment Apps?

29th June 2021 | Blog



Cash is King, for now. The use of electronic payment applications has been steadily growing: according to a recent survey by the US Federal Reserve, cash payments accounted for only 26% of all payments in 2020. Payment cards (credit/debit) and electronic payment applications were used for 65% of all payments, leaving 9% to wire transfers made directly from a bank. The wave of cashless payments and e-commerce has led to the creation of many different payment applications. Apple Pay, Google Pay, PayPal, Venmo, and Trello Pay are some of the most common mobile payment apps. Yet these applications often come with risks, with cybercriminals dreaming up new scams to trick us out of our cash – whether virtual or cold and hard.

Mobile Payment Application Risks

Smartphones, like any other device, can be exploited by malware. One way cybercriminals can get your sensitive information is through keyloggers. This malware records each action (tap) on your smartphone (or computer) and sends it to the hackers, enabling them to view the account credentials you type into any application or website you visit. Hackers can also distribute fake apps that pose as legitimate software and then abuse your payment apps. An example can be found at the end of this article: ESET researchers discovered a trojan disguised as a battery optimization tool that targeted users of the official PayPal app and attempted to transfer €1,000 ($1,200) to the hacker’s account.

Most hackers exploit devices and deploy malware through phishing emails. Ransomware in particular is often delivered this way, crippling your business by locking up your sensitive data and threatening to release it to the public unless you pay the ransom. Cyberattacks can be devastating not only to your business but to your personal life as well.

What To Do?

When using smartphones, there are a few things you can do to help you stay secure, especially when doing mobile payments. Follow CyberHoot’s best practices for smartphone security: 

  • Don’t use weak passwords or, worse, no password on your smartphone. Enable a biometric lock (face scan or fingerprint scan) or a geometric unlock sequence combined with a complex passcode of at least 8 characters in length. This is two-factor authentication.
  • Don’t lose your phone. Keep close tabs on it. Physical access allows hackers to break into just about any device. 
  • Enable ‘Find My Phone’ features available on both Android and iPhones, giving you the ability to lock or wipe your device in seconds if it’s lost or stolen.
  • Always keep your mobile device up-to-date by installing the latest operating system software from your mobile vendor quickly after release.
  • Enable Two-Factor Authentication on all critical accounts including email, banking, and online payment applications.
  • Some payment apps allow you to “share your payments” with others publicly. While this may seem cool, it puts you at risk of being socially engineered by hackers. Do not share payments publicly.
  • Turn on notifications for payment apps whenever transactions take place. You will be alerted in real-time, allowing you to take action immediately if fraudulent activity is occurring. 
  • Avoid downloading malicious applications. Check up on what you’re installing and see where the developers are located. Read this CyberHoot article on how to review browser plugins for privacy for details on researching software security, and apply the same approach to your smartphone.
  • Only install apps from Google’s Play Store and Apple’s App Store. 
  • Never jailbreak or root your smartphone if you have sensitive data on it.

It’s important to understand the applications you’re using and how they authenticate you, and to disable public sharing of transactions. The graphic below shows the most common payment apps and the various ways in which they attempt to keep you secure:


[Graphic: payment app security]

Payment Security Definitions: Bug Bounty | Two-Factor Authentication | Transaction Lock 

Additional Security Recommendations from CyberHoot

While these are all vital when using smartphones, you should also follow additional practices when using computers, especially at work. CyberHoot recommends the following best practices to prepare for, limit the damage from, and sometimes avoid cyber attacks:

Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.

Android Trojan Stealing From PayPal Accounts, even with Two-Factor Authentication enabled:

Sources: 

WeLiveSecurity

TechCrunch

Nayax

NY Times – Mobile Payment Research

Additional Readings: 

Hackers Releasing Fake Contact Tracing Applications

Smartphones Targeted by Drive-by Malware

Jeff Bezos and the WhatsApp Security Flaw
