Telecommunications, Automotive and Market Research

More than 15 years in the mobile telecommunications industry and an industry analyst since 1998.

Tuesday, November 30, 2010

Mobile Payments vulnerable to hackers?

The excitement has been building in the community of mobile banking, payment technologies and near-field communication (NFC) after major announcements a couple weeks ago supporting mobile payments.
However, that excitement must be tempered by warnings about hackers attempting to get at personal information in smartphones… phones that don’t yet support mobile payments! What will happen when they try to attack phones that are also linked directly to your bank account, credit card or – God forbid – your Starbucks card?

Well, you’ll probably lose some money. But there’s one important thing that will prevent those losses, and this remedy has nothing to do with technology or smartphones or NFC. Get a pencil and write this down, because it’s important: “Don’t be stupid.”

Here’s what the hackers are doing to get your banking information, according to the FBI’s Internet Crime Complaint Center (also called “IC3,” which sounds so much better than “complaint center”):
“[C]riminals set up an automated dialing system to text or call people in a particular region or area code (or sometimes they use stolen customer phone numbers from banks or credit unions). The victims receive messages like: “There’s a problem with your account,” or “Your ATM card needs to be reactivated,” and are directed to a phone number or website asking for personal information. Armed with that information, criminals can steal from victims’ bank accounts, charge purchases on their charge cards, create a phony ATM card, etc. 
Sometimes, if a victim logs onto one of the phony websites with a smartphone, they could also end up downloading malicious software that could give criminals access to anything on the phone. With the growth of mobile banking and the ability to conduct financial transactions online… attacks may become even more attractive and lucrative for cyber criminals.”

IC3 gives a couple examples of how these scams have been working recently:
  • Account holders at one particular credit union, after receiving a text about an account problem, called the phone number in the text, gave out their personal information, and had money withdrawn from their bank accounts within 10 minutes of their calls.
  • Customers at a bank received a text saying they needed to reactivate their ATM card. Some called the phone number in the text and were prompted to provide their ATM card number, PIN, and expiration date. Thousands of fraudulent withdrawals followed.

So if you get a message requesting personal information, the smartest thing would be to not give away your personal information. See? No technology involved other than the Human Brain. YOUR human brain.

And thank goodness that the FBI is looking out for us and sounding a warning. However, could they find agents that are a little better at naming these scams? The FBI is calling them “Smishing” and “Vishing” for SMS phishing and Voicemail phishing. “Smishing?” Really, FBI? Surely you can do better than that.

Should this keep us from using mobile payments? Personally, I don't think so. We can't protect everybody from themselves. If you're the kind of person who gives your ATM personal identification number to strangers, well, everybody needs to learn that lesson. Some people will just have to pay more for tuition than others. 

But even if you never give out banking information and don't follow unknown web links, you could still misplace your phone in a taxi, restaurant, or anywhere else, just the same as you could lose your leather wallet full of cash and credit cards. In that case, you might, indeed, be able to rely on technology: Make a phone call to your bank and you can shut down all financial functions automatically.

By the way, here are some other tips from IC3:
  • Don’t respond to text messages or automated voice messages from unknown or blocked numbers on your mobile phone. 
  • Treat your mobile phone like you would your computer…don’t download anything unless you trust the source.
  • When buying online, use a legitimate payment service and always use a credit card because charges can be disputed if you don’t receive what you ordered or find unauthorized charges on your card. 
  • Check each seller’s rating and feedback along with the dates the feedback was posted. Be wary of a seller with a 100 percent positive feedback score, with a low number of feedback postings, or with all feedback posted around the same date. 
  • Don’t respond to unsolicited e-mails (or texts or phone calls, for that matter) requesting personal information, and never click on links or attachments contained within unsolicited e-mails. If you want to go to a merchant’s website, type their URL directly into your browser’s address bar.
