When you open a new credit account or bank account, it’s practically a rite of passage in 2024 to add that card to your digital wallet before you stash it in your physical wallet.
Digital wallets like Apple Pay or Google Pay are designed to be more secure than a traditional plastic card, and they’re certainly more convenient -- but according to a study released by computer engineers at the University of Massachusetts Amherst, these payment methods can be vulnerable in ways that plastic cards are not.
The study found that digital wallets didn't have a sufficient way to determine whether the owner of the physical card was the one using the digital wallet. It also found that if a card is reported as stolen, banks only block transactions from the physical card and not purchases made from the digital wallet.
Both of these issues have since been resolved, but it may have you wondering about the safety of digital wallets. I talked to two experts to learn more.
Are digital wallets safe?
A digital wallet can make online and in-person transactions more secure and convenient.
When you make a purchase using a card in your digital wallet, the wallet sends an encrypted token to the merchant instead of sending the card number, CID or CVV number, and the expiration date.
Tokenization takes your card's information and replaces it with randomly generated credentials, creating a more secure payment process than had you used your physical card's actual information.
“Because it’s tokenized, that’s a big security feature,” noted Michael Bruemmer, the head of Global Data Breach Resolution at Experian.
But tokenization isn't the only line of defense included with using a digital wallet. Most phones or digital wallets include biometric protections like a face or fingerprint scan, plus your own unique password for two-factor authentication.
And while digital wallets are more secure than using your physical card, they aren't completely impenetrable.
Tips for protecting the cards in your digital wallet
Just like a physical wallet, there are steps you can take to ensure that your digital wallet remains as secure as possible.
Set up multifactor authentication
Multifactor authentication, or MFA, creates additional steps that must be completed to authorize a transaction.
For example, you can have a code sent to your phone via text message or on an authentication app that must be correctly entered to finish your digital purchase. Or you can allow biometric MFA on your phone, which means you must scan your fingerprint or complete the facial recognition step before the transaction can conclude.
“It can be annoying to go through all of the security features and fill out your profile and add MFA, which a lot of softwares will let you skip,” acknowledged Michael Seaman, founder and CEO of Swipesum.
“Don’t skip those features -- maybe it’s annoying for the five seconds you’re trying to get through a process, but if something does happen to your account and you don’t have those security features, it’s going to take a lot longer than five seconds to fix it.”
Practice good digital hygiene
This might seem obvious, but it bears repeating: Don’t leave your devices unlocked and unattended. If someone asks to borrow your phone to make a phone call, make sure that you have MFA set up so they can’t open up any other apps on your phone besides the call function. And if you lose your phone, remotely lock it or wipe it as soon as you can.
Be mindful of what’s in your wallet
A credit card’s zero-liability policy protects you if your card is stolen, but most debit cards do not have similar policies. That's why Bruemmer recommends never adding a debit card number to a digital wallet.
He suggested using only one card in a digital wallet and setting a transaction limit on that card. “When you have a unique card with a low limit of transactions, if you’re monitoring just that credit card, you’ll quickly know something is wrong,” he explained.
Adding a virtual card to your digital wallet can offer an additional layer of protection. These cards do not include a plastic counterpart, and instead of providing the same 16-digit number to every merchant, they can generate a different card number and expiration date for each transaction or recurring payment.
Turn on notifications and transaction alerts
Digital wallets let you set up notifications and transaction alerts to notify you when a new card is added to the wallet, when an account is logged in by an unrecognized device or from an unfamiliar location, or when any payment method in the wallet is used to complete a transaction. These can be device push notifications, email alerts or text message alerts.
Experts suggest setting these up, even if you find them inconvenient or redundant. Yes, it’s another message for you to check, but it’s also the fastest way to know if your digital wallet is being used by someone else.
Regularly check your card statements
Instead of waiting for the monthly credit card bills to arrive, make a habit of regularly reviewing your statements for any suspicious or potentially fraudulent activity. If you’re checking statements weekly instead of monthly, then you’ll notice any unusual charges that much more quickly.
Don’t use your wallet on public Wi-Fi
If you regularly use public Wi-Fi networks, you might want to reconsider your practices. The FCC recommends that you never use a digital wallet while connected to an unsecured public Wi-Fi network.
Either increase the data plan on your phone so you don’t need to rely on public Wi-Fi networks, or simply disconnect from Wi-Fi while you make your transaction, then reconnect once you’re finished.
Think carefully before scanning that QR code
You can tell if a website is secure by looking for the little lock symbol in the address bar, but a QR code is not easily identifiable as valid or invalid. Bruemmer said paying by scanning a QR code can be risky because you never know whether or not it'll steal your information.
What to do if card data is stolen from your digital wallet
If you have alerts set up for your wallet, then you should be immediately notified if someone else uses your digital wallet. If not, you’ll need to check your account statements for any transactions that you didn’t make, then alert the appropriate card company or companies.
First, check your issuer app to see if your card issuer has a "freeze card" function. That prevents any new transactions on your card. You can easily unfreeze the card if you find it, and any recurring payments you have scheduled should still go through.
Next, call the bank or institution that issued the card and report it stolen. Credit card brands typically have zero-liability policies for cardholders, which means that once you report the card stolen, they can clear the transactions from your account and issue you a new card number.
Once your card is reported stolen, look at the transactions for not only your missing card but also other accounts to see if anything else has been compromised. Change the password of any potentially vulnerable accounts.
If just one card has been compromised, you probably don’t need to file a police report, but if you notice more widespread activity, then it’s a good idea to contact law enforcement.
Accessing a free credit report will help you determine whether the theft ends with just your credit card, or whether your identity might have been compromised further. Consider signing up for an identity theft protection and monitoring service, which will continuously monitor your personal data online.
