It’s been possible to pay with a swipe of your card for 13 years, and with your phone since 2015. Yet, despite their convenience, contactless payments have been dogged by concerns over security.
For years, it was rumoured that criminals could ‘skim’ your card and steal your money, simply by standing next to you with a card reader.
There has, however, never been a verified report of this actually happening – while some apps can reveal card numbers and expiry dates, the crucial security code (CVV) remains hidden.
In February, a single mention of mobile wallets in a report by the Financial Conduct Authority, referring to ‘uncertainties around our regulatory parameter’ led to newspapers reporting that mobile payments would not be covered by consumer protections, despite mobile payments receiving the same protection as the cards connected to them.
In fact, mobile payments could be even safer than card payments – here’s why:
Mobile payments: a brief history
Apple Pay was launched in 2015, and Google Pay in 2016 for Android smartphones.
Samsung Pay followed in 2017, although as Samsung owners can also use Google Pay, it’s not covered by this article (you can read more about it here). Barclays also has its own app for Android users, which customers have to use instead of Google Pay.
Initially, confusion reigned over exactly where you could use the new services, with shops advertising their willingness to take the payments.
Yet these services can be used anywhere a contactless card can, because both services use similar near-field technology to ‘talk’ to the card reader (although there are some technical differences).
Another point of confusion was whether you earn cashback or rewards for a card used on Apple or Google Pay, or benefit from credit card protections. The answer to all questions is yes – for more on Section 75 protection, see below.
And, contrary to popular belief, and unlike contactless cards, you can spend more than £30 at a time using mobile payments. In fact, Apple and Google don’t impose any limits, although some retailers and banks apply a £30 cap.
- Find out more: everything you wanted to know about contactless cards
The true risks of contactless payments
It’s difficult to know how many people use contactless payments, let alone how many are scammed, because little data is publicly available. But the figures we do have suggest that rates are very low.
The latest figures from banking association UK Finance say that 8.5 million people, 16% of the adult population, were registered for mobile payments in 2018. Nearly half (46%) of those who had signed up made payments weekly or more often.
At present, specific statistics for mobile payment fraud aren’t available; instead they are classed as contactless payments.
In the first six months of 2019, contactless fraud losses – which includes mobile payments – represented just 2.7p in every £100 spent in this way, or 3% of all card fraud losses.
And that’s despite the use of contactless payments increasing. As of July last year, half of debit card payments were made this way.
Why mobile security has the edge
Mobile payments have an advantage over contactless cards: most transactions need to be authenticated.
Typically, you do this in the same way you unlock your phone, whether that’s with a Pin, key pattern, fingerprint or face scan.
There are some exceptions. Both Google and Apple Pay allow an undisclosed number of unauthenticated transactions for certain situations. For example, Apple Pay’s new ‘Express’ mode allows you to use it on London’s public transport without you being asked for a fingerprint.
Google Pay allows unauthenticated transactions with a value of less than £30. However, after a couple of transactions, Google Pay would require you to unlock the phone. Unlocking is also required if the phone is restarted, to continue using the feature.
In most cases, mobile payments won’t work if your phone is out of battery. The exception is Apple Pay’s ‘Express’ mode, where iPhone models from the XR onwards can make payments for over five hours after it has run out.
Behind the scenes
Although card details are needed to set up Apple Pay or Google Pay, they’re not shared with the companies themselves, or the retailers you pay. Instead, a virtual account number is created, encrypted and securely stored, hidden even to you.
To safely store your card information, Apple Pay uses the ‘Secure Element’, which is a specialised computer chip on your iPhone. It stores your virtual account information and, when you pay, sends a ‘token’ – a code authorising the payment – to the card readers.
Google Pay uses an equivalent called ‘Host Card Emulation’, where tokens are generated online, rather than on your phone. If you’re concerned about privacy, you can change these in your settings without losing the ability to use Google Pay.
With Google Pay, a limited number of tokens are kept on your device, so you can still pay if you are unable to connect to the internet. As Apple Pay is based on your iPhone, it doesn’t require internet access to make payments. Each token’s code is unique and encrypted, meaning that a payment can’t be maliciously redirected.
What happens if I lose my phone?
Losing your phone is expensive enough, without it also doubling as your credit card. Luckily, it’s relatively simple to freeze payments.
Also consider contacting your bank to report the incident and get your card frozen and, if necessary, replaced.
If any fraudulent payments are made via your mobile, you’ll be protected as you would be for unauthorised transactions made with your card. Your provider must refund the loss unless it can prove that you authorised the payments.
- Find out more: what to do if your card is lost or stolen
How to get started
To use mobile payments, your smartphone must be NFC-enabled, which is the case for the majority sold in the last five years. You can easily check your mobile’s settings to confirm this.
Many devices will have Apple or Google Pay pre-installed but, if not, these apps can be downloaded free of charge from the Apple App Store and Google Play store.
When you connect your card you’ll be required to go through your bank or credit card provider’s verification process.
- Based on an article that first appeared in the March issue of Which? Money Magazine. You can try Which? Money today for just £1 to have our impartial, jargon-free insight delivered to your door every month.