Young people are gravitating toward digital wallets, believing them to be more secure than other forms of payment such as credit or debit cards. But those in the cybersecurity field say the reality is a little more complicated.
In a survey conducted late last year, Michigan-based research firm J.D. Power found that 48% of consumers say they use digital wallets, a 12-percentage-point rise from the previous year.
The increase is driven by people under 40 who list security as one of the major reasons to use a digital wallet over other payment methods, J.D. Power said.
In theory, digital wallets should be safer, because the information is encrypted. But the relative safety depends on how the wallet is used and who has control over it, cybersecurity researchers said.
Young people have a largely favorable opinion of digital wallets, said Sean Gelles, senior director of payments intelligence for J.D. Power, and that sentiment is mainly driven by the perceived security.
A digital wallet is typically an app on a consumer’s smartphone, which means that no one can see the numbers on a card or watch the user enter their PIN.
For this reason, shoppers tend to think a digital wallet is more secure, Gelles said.
“At a high level, they’re right,” said Lee McKnight, who teaches information security policy at Syracuse University. “In principle, digital wallets should be more secure.”
But the extra layers of security come with caveats, he said.
Anyone can use your debit card if they know the card number, the expiration date and the three-digit security code on the back.
Digital wallets, on the other hand, have an encryption key known only to the user.
“If someone steals your phone, it doesn't matter, because they wouldn't be able to get into it,” said Dr. Jimmie Lenz, a lecturer at Duke University who studies fintech and cybersecurity.
Unlike debit and credit cards, which use the 16-digit number printed on the front of the card for every transaction, digital wallets use a different randomly assigned number for each transaction, said Dan Schiappa, chief product and services officer at the Eden Prairie, Minnesota-based cybersecurity firm Arctic Wolf.
“If someone got ahold of that number somehow, they wouldn’t be able to use it again,” he said.
Digital wallet transactions also generally require an extra layer of authentication. A customer may have to use the fingerprint reader on their smartphone, for example, Schiappa said.
Contactless forms of payment such as digital wallets are always more secure than swiping a card, he added, noting that scammers are still known to put card skimmers on credit card readers to steal the customer’s information.
If you use a digital wallet, “you are always going to be in control,” McKnight said. “The owner of the digital wallet is the party that says ‘I want to release money to this other party.’ In the case of a debit card, you don't have that same kind of control. Anyone with your number or pin can do whatever with it.”
Just how secure your digital wallet is, however, depends on the parent company, McKnight said.
“You don't have the bank, you don't have the credit card company, you don't have those insurances to help you,” he said.
The extra security comes with a flip side, McKnight added. Digital wallets used to trade cryptocurrency, for example, are often not linked to large tech companies or financial institutions, which means if you lose the smartphone or laptop containing your digital wallet, there’s no helpline you can call.
While a plethora of rules govern credit and debit card transactions, no such regulation currently exists for digital wallets, he noted.
The Consumer Financial Protection Bureau in November proposed rules subjecting digital wallets to the same regulations governing banks that offer similar services. The rules have not been finalized.
Regardless of the digital wallet used, steps can be taken to enhance security.
McKnight, for example, cautioned against using a “dumb” password, which is usually a common term followed by a set of numbers. Those passwords make a digital wallet easier to hack.