How Secure Are Payment Apps?

Cash is King, for now. The use of electronic payment applications has been steadily growing, according to a recent survey by the US Federal Reserve, cash payments accounted for only 26% of all payments in 2020. Payment cards (credit/debit) and electronic payment applications were used for 65% of all payments, leaving 9% to wire transfers directly from a bank. The wave of cashless payments and e-commerce has led to the creation of many different payment applications. Apple Pay, Google Pay, PayPal, Venmo, and Trello Pay are some of the most common mobile payment apps. Yet, these applications often come with risks, with cybercriminals dreaming up new scams to trick us out of our cash – whether virtual or cold and hard. 

Mobile Payment Application Risks

Smartphones, like any other device, can be exploited by malware. One way cybercriminals can get your sensitive information is through keyloggers. This malware records and sends each action (tap) on your smartphone (or computer) to the hackers, enabling them to view account credentials you type into any application or website you visit. Hackers can also use fake apps that pretend to be legitimate and exploit your payment apps. An example can be found at the end of this article, where ESET researchers discovered a trojan disguised as a battery optimization tool, targeting users of the official PayPal app, attempting to transfer €1,000 ($1,200) to the hacker’s account. 

Most hackers exploit devices and deploy malware through phishing emails. Ransomware especially can be deployed through these emails, crippling your business by locking up your sensitive data and threatening to release it to the public unless you pay the ransom. Cyberattacks can be devastating not only to your business but your personal life as well. 

What To Do?

When using smartphones, there are a few things you can do to help you stay secure, especially when doing mobile payments. Follow CyberHoot’s best practices for smartphone security: 

  • Don’t use weak passwords or worse, no password, on your smartphone. Enable any combination of a biometric lock (face scan or fingerprint scan) or a geometric unlock sequence combined with a complex passcode of at least 8 characters in length. This is two-factor authentication.
  • Don’t lose your phone. Keep close tabs on it. Physical access allows hackers to break into just about any device. 
  • Enable ‘Find My Phone’ features available on both Android and iPhones, giving you the ability to lock or wipe your device in seconds if it’s lost or stolen.
  • Always keep your mobile device up-to-date by installing the latest operating system software from your mobile vendor quickly after release.
  • Enable Two-Factor Authentication on all critical accounts including email, banking, and online payment applications.
  • Some payment apps allow you to “share your payments” with others publicly. While this may seem cool, it puts you at risk of being socially engineered by hackers. Do not share payments publicly.
  • Turn on notifications for payment apps whenever transactions take place. You will be alerted in real-time, allowing you to take action immediately if fraudulent activity is occurring. 
  • Avoid downloading any malicious applications. Check up on what you’re installing. See where the developers are located. Read this CyberHoot article on how to review browser plugins for privacy, for details on researching software security and apply this to your smartphone.
  • Only install apps from Google’s Play Store and Apple’s App Store. 
  • Never jailbreak or root your smartphone if you have sensitive data on it.

It’s important to understand the applications you’re using and how they are authenticated and disable public sharing of transactions. The graphic below shows the most common payment apps and the various ways in which they attempt to keep you secure:

Payment Security Definitions: Bug Bounty | Two-Factor Authentication | Transaction Lock 


Additional Security Recommendations from CyberHoot

While these are all vital when using smartphones, you should also follow these additional practices when using computers, especially at work. CyberHoot recommends the following best practices to prepare for, limit damages, and sometimes avoid cyber attacks:

Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.

Android Trojan Stealing From PayPal Accounts, even with Two-Factor Authentication enabled:

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.