Originally posted on Consumer Reports.
Given the threat of COVID-19, many people are wary about handling coins these days, much less those keypads in the checkout lines at the grocery store.
If that’s a concern for you, you’ll be happy to know that there are plenty of smart alternatives. No-contact payment systems have been around for years. They’re relatively simple and safe to use, too.
With a mobile app such as Apple Pay or Google Pay, you simply wave your smartphone above the card reader and move on. Credit cards outfitted with radio-frequency identification (RFID) technology require a simple, fingerless tap on the payment screen.
Either way, you get to keep your hands to yourself.
I jumped on the Apple Pay bandwagon when it first launched in 2014. I was on maternity leave with my second child. Trips to the grocery store usually involved an infant snuggled in a baby carrier while my kindergartener clung to one of my hands.
Digging out my wallet involved an act of contortion or a mining expedition, depending on what bag I was carrying. But I always seemed to have easy access to the smartphone wedged in the front pocket of the baby carrier.
Being able to just click and pay made shopping a lot easier—for me and the people in line behind me. As someone who has written about digital security for many years, I also found the extra protections built into the service comforting.
Fast forward a little. My baby is headed to first grade and I’m using Apple Pay and Google Pay (depending on the phone) more than ever. I’m also using a handful of apps released by retailers to make no-contact payments. And I’m hoping to receive an RFID credit card very soon.
For many people, though, options like those are still a novel idea. According to recent figures from Javelin, which tracks payment card usage, only 15 percent of consumers made a purchase using a mobile wallet app in the past 30 days.
Interested in giving no-contact payments a try? Here’s what you need to know.
How Do Apple and Google Pay Work?
While you can use these services to send money to a friend, they function more like credit cards than the peer-to-peer payment services Venmo and Zelle. They’re widely accepted by walk-in stores and e-commerce platforms.
To start, you simply add your credit and debit card information to the digital wallet app on your phone. Moments later, the card is approved and you’re good to go.
IPhones default to Apple Pay and Android devices use Google Pay or Samsung Pay. The option to pay with the service generally pops up on your phone’s screen when you wave the device over a credit card terminal at a store, but you can access the feature through the digital wallet app as well.
After that, you just verify your identity using FaceID, the phone’s fingerprint scanner, or—if you’re wearing a mask and facial recognition fails—by entering your passcode. Once the transaction is approved, you get a notification on your phone.
In theory, that makes the whole process no-contact. But retailers sometimes ask you to okay the transaction by signing your name to a receipt or pressing buttons on the credit card machine. You may also receive prompts asking you if you want cash back or loyalty card discounts. Those require keypad interactions, too.
Are They Secure?
Instead of using an account number to verify transactions, the apps use a secure token—essentially a one-time passcode. On the off chance it’s intercepted by a cybercriminal, it’s useless.
“It’s the most secure method out there,” says Stephanie Martz, a spokeswoman for the Secure Payments Partnership, a trade group that represents retail groups and payment networks.
As Martz notes, your debit card number is sort of a token, too. It’s a unique set of digits that identifies you and your bank, not your actual account number.
“Adding tokenization on top of that makes it very difficult to reverse engineer,” she says.
And because you’re not handing over your actual credit card number during the transaction, it can’t be stolen. Many popular e-commerce apps (think Starbucks) also work this way.
This approach makes contactless payments significantly more secure than traditional credit card transactions, says Roey Eliyahu, co-founder and CEO of the cybersecurity firm Salt Security.
When you swipe a credit card, the retailer’s point-of-sale (POS) system generally encrypts the account number and sends it to the company processing the payment.
If the POS system has been compromised by a cybercriminal, any credit card numbers collected by it also could be compromised, Eliyahu says, pointing to the 2013 breach of Target, which exposed up to 40 million credit card accounts to potential theft.
The fact that Apple and Google Pay require you to have your phone and, usually, the ability to unlock it, plus a passcode or biometric authentication, also beats the security of a typical in-store credit card transaction, he adds.
What About RFID Cards?
These days, new credit and debit cards often come with a built-in RFID chip. Much like the Apple or Google Pay app on a phone, the chip sends out a radio signal that gets picked up by the store’s POS system when you tap the card on the screen.
The transaction is as simple as that—just a tap—but here again you may be asked by the retailer to provide a signature or use the keypad for some other reason.
Many grocery stores, pharmacies, and retail outlets now accept RFID payments, and the technology is making its way into public transit, too. Visa recently announced a partnership with the San Diego-based tech company Cubic to bring contactless payments to 500 public transportation systems around the world.
In New York City, officials are in the process of rolling out a system that will let subway and bus riders pay for rides with the tap of an RFID card, smartphone, or smartwatch.
Security experts used to be wary of the technology, but they’ve changed their outlook.
“People flipped out years ago because of the potential for an attacker with a skimmer to collect data for hundreds or thousands of credit cards in a short period of time,” Eliyahu says.
But those reservations were based on the fact that RFID signals have a broadcast range of more than 300 feet. The range of the signals used in today’s cards is significantly shorter, sometimes as little as just an inch or two. And any obstacle between the card and the receiver, from items of clothing to a wallet, cuts that range even more.
Credit card makers also have reduced the amount of personal information transmitted by the cards. For example, Bank of America and Chase make a point of saying that their RFID cards don’t include a customer’s name, billing address, or the three-digit code on the back of the card. And along with the account number, each transaction is paired with a one-time security code.
“Basically, you have to be under near-perfect conditions at close range to be able to virtually pickpocket someone,” Eliyahu says. “In reality, there have been no documented cases of RFID-based credit card fraud.”
And for that reason, he says, RFID-blocking wallets and other products that claim to stop the signals are generally unnecessary. While there’s nothing wrong with buying one if it makes you feel better, a regular wallet or a layer of clothing should suffice.
What Else Can You Try?
Even before COVID-19, retailers such as Home Depot, Macy’s, and Walmart were adding e-commerce features to their mobile apps for people on the go.
Like GrubHub, they let you place orders for delivery or pickup.
That can make shopping convenient. Many of the apps rely on Apple and Google Pay to complete transactions, reducing security worries. With others, though, it can be tough to tell exactly how secure they are.
While you can easily tell if a website is encrypted by looking for the little lock icon before the URL, the same can’t be said for mobile apps.
So it’s best to think twice before you hand over personal information. Yes, a food delivery app needs to know your credit card number and where you live to get you your order. But you need to be careful, especially when you’re dealing with a proprietor that may not have the time or money to invest in adopting up-to-the-minute security practices.
Where Do We Go Next?
Amazon, the king of e-commerce, has opened checkout-free convenience stores in cities like Chicago, New York, and San Francisco. You just sign in with the company’s app and collect what you need. Sensors track what you take and provide you with an itemized receipt after you leave the store.
The company is also expanding into larger stores in Seattle and Redmond, Wash., that focus on groceries. But don’t expect to find one of those shops in your neighborhood soon.
“It takes lots of cameras and real-time analysis of tons of data to make it seamless and relatively error-free,” Eliyahu says.
All of that surveillance raises significant data privacy concerns, too, he adds.