
Identity and Privacy Risks of Mobile Banking and Payment Apps

Summary: Of all the things we do online, you would think that mobile banking and payment apps would be among the safest, right? Unfortunately, online transactions may not be as private or secure as you might expect. Find out about the risks and how you can protect your information and your money while banking or paying online.

Of all the things we do online, you would think mobile banking and payment apps would be among the most private, right? Apparently, not so much. In October 2020, TD Bank Group filed a lawsuit against Plaid, Inc., accusing the software company of illegally using the bank’s logo to trick consumers into handing over their personal data, which Plaid then proceeded to “monetize” (translation: use to sell advertising). Consumers have also brought a lawsuit over the company’s privacy practices. You might think this does not affect you, but Plaid handles about 200 million U.S. financial accounts through its software that links consumers’ bank accounts with third-party financial and payment apps, including Coinbase, Venmo, Betterment, and others.

The lesson here is to be careful about mobile banking and payment. While Plaid may have overstepped in gathering consumer information, criminals can also insert themselves into online banking and payment systems to steal your personal information and accounts. Here’s what you need to know about today’s “fintech” (financial technology) and how to protect your identity and privacy while enjoying the convenience it provides.

The Many Hands in Mobile Banking

Banks and financial institutions do work hard to make their systems secure. The problem is that mobile banking and payment systems involve a lot of other organizations besides the bank itself, and those organizations may not have the same security or commitment to privacy as your bank. There are businesses that make the banking and payment apps, plus “integrators” such as Plaid, that connect the apps to the banks. There can be other software layers between, and most of this software runs on computers in data centers that may belong to entirely different companies. There can also be security gaps when all these businesses hand off information to each other. So, there’s plenty of opportunity for your personal information to be hacked, misused, misdirected, or intercepted.

Bad guys could also listen in on networks or install spyware on your device to capture your information. According to Forbes, the FBI is even warning consumers about fake mobile banking apps that mimic the real thing, or “Trojan horse” software hidden in other apps such as free games. (There are tens of thousands of malicious apps lurking in the various app stores, and Fraud Watch International found that 60% of them are leisure and entertainment offerings such as games, news, and video streaming apps.) These fake apps can invisibly capture your personal and account information as you log in, before connecting you to the real bank site, or they can pop up fake error messages and then direct you to another site or their call center, which will collect your information under the guise of fixing your problem.

With so many hands in the virtual money pot, your bank can’t fully protect you, so you have to know how to protect yourself.

How to Protect Your Mobile Transactions, From Apps to Authentication and Beyond

Safer mobile payments and banking start with the application. You should only download banking applications directly from your bank’s website. For mobile payments, choose well-known, well-rated apps from an app store, and always install updates right away, to keep up with security fixes.

Also, be wary when downloading other apps to any device you use for financial transactions. Avoid apps that are free, have very few ratings or are from unknown vendors.

Once you have your app, here are other ways to protect yourself:

  • Put password protection on your device.
  • Review the app privacy settings and opt out of any data gathering or data sharing that you don’t want.
  • If possible, tie payment apps to a credit card rather than directly to your bank account. (It’s easier to challenge a fraudulent credit card charge than to get money back that’s been taken from your account.)
  • Set up two-factor authentication. The best option is a single-use code sent to your mobile phone or email that you then enter to verify your login or transaction.
  • Don’t store passwords or PINs on your device.
  • Set up activity alerts for your bank account, credit cards, and payment apps so that you know right away if someone else is using your account.

Finally, never conduct mobile transactions over a public Wi-Fi network. It’s more secure to connect using your phone’s cellular connection, and even better to use a VPN such as IDX’s Safe WiFi, which is included with the IDX Privacy protection plan, to ensure that no one can intercept your information. Also make sure to disable the automatic connection feature on your mobile device so you don’t connect to a public network accidentally.

Follow the Money

Mobile banking and payment apps have been growing in popularity for years, and there’s no denying the ease of use and benefit of being able to send money easily with your mobile devices, but their use has surged since the beginning of the COVID-19 pandemic. Remember that where the money goes, fraud and privacy risks will follow, so you need to make sure you’re protecting yourself. Your financial institutions know the risks, and they’ll do their best to keep you safe, but don’t bank on it.
