Mobile Payments by Smartphone Still Dicey


Like it or not, your smartphone is slowly morphing into a virtual wallet.

Granted, mobile payments are a small niche and their use is highly limited. But traction is growing as big companies push for this new technology. Mobile commerce is expected to surge to $110 billion by 2015, according to ABI Research in New York.

But there's a catch. Store scanners can read payment data on your smartphone, but the market is learning as it goes. So early adopters need extra layers of safety when downloading stores' mobile payment apps.

Take the security flaw found in PayPal's iPhone application late last year by computer and mobile security firm viaForensics. It allowed hackers access to users' passwords, says Andrew Hoog, chief investigative officer at viaForensics in Oak Park, Ill. PayPal quickly fixed the flaw. But viaForensics also found issues with other companies' applications.

Use Apps From Trusted Sources

Meanwhile, other mobile apps issued by Best Buy, eBay and Overstock stored data that wasn't encrypted, according to a viaForensics analysis. Financial service sites like PayPal, Vanguard Group and Wells Fargo had the most secure apps, viaForensics says. With such varying security, use apps from trusted sources.

"Consider each payment app, what it does and what information it stores," says Suzanne Martindale, associate policy analyst at Consumers Union. "Find out everything you can."

Until the kinks are worked out, mobile payments require extra vigilance: vetting applications and making sure your smartphone data are secure.

But that's not all. Federal law for mobile payments hasn't yet been hammered out. So your level of security depends on what card you're using, Martindale says. In that regard, credit cards offer the most protection, followed by debit cards.

Tips for Making Mobile Payments

Hoog says fraudsters haven't targeted mobile payments for now because there isn't sufficient volume. But change is coming. Big companies such as Visa and Verizon Wireless are rushing to offer their own mobile payment applications that turn your smartphone into a wallet. The technology behind them is called near-field communication, which exchanges data between devices. Google is also working on a service where you simply wave your smartphone, with its payment data, near a register for it to function.

Here are some tips for navigating mobile payments and staying safe.

  • Link mobile payments to credit cards, if you can. These payments offer the most protection. Advantages include the right to dispute charges, protection in case there are bank errors and limited liability for unauthorized transactions, according to a Consumers Union report on mobile payment systems.

"We've regulated credit cards so much longer," Martindale says. "You don't get the same protection with debit cards." But be careful. By not paying off your credit card debt monthly, you build up a higher debt balance.

Though debit cards do offer limited liability, you can't dispute charges or stop payments, according to Consumers Union. It recommends using a separate debit card account for just online purchases to limit potential losses.

And prepaid, debit card mobile payments can carry even more risk since you're subject to a card's terms and conditions. For example, there may not be protections for unauthorized use, according to Consumers Union.

"Where does a consumer go to complain?" Martindale asks.

  • Protect your data with passwords. Paul Roberts, an editor with Kaspersky Lab's security news service in Woburn, Mass., recommends using double passwords -- one for the application itself and one to protect your device.
  • Download apps from reputable companies and well-known merchants. "Many apps save more information than developers are even aware of," Hoog says. "They haven't tested their offerings."

Check out App Reviews

Of the two major smartphone app stores available, Apple's app-vetting process isn't clear and Google has said that it's not doing app reviews. So it's hard to know what you're getting.

Hoog recommends checking out app reviews on appWatchdog, part of the viaForensics website where publicly available mobile apps are reviewed.

"We review about 40 apps on the site, focusing on the biggest ones," Hoog says. For example, deal-of-the-day website Groupon's Android mobile payment apps and personal-finance management website Mint's Android and iPhone apps failed security tests, since data were stored insecurely, according to viaForensics.

"People need to make mental adjustments," Roberts says. "With mobile payments, your smartphone is becoming more like a wallet than a phone."