Everything You Need to Know Before You Start Exclusively Paying for Meals Digitally
Swipe-and-dine is becoming a full-on movement. Several restaurant brands are rolling out dedicated payment apps to make getting food on the run as easy as tapping a button, rendering the ol’ wallet the Luddite’s way of buying a burger.
Dining payment apps offer a lot of convenience for hungry customers -- plus, many offer app-only deals or additional rewards for paying via mobile phone -- and they’re welcomed by merchants who want to sell more. But any time you link an app with your credit card, you’re trusting your financial information to the company.
“People are going to have to keep track of dozens of digital wallets now, and you have to trust ‘JoesDeliApp’ to be secure,” says Bob Sullivan, a security and privacy writer who broke news about hackers targeting Starbucks’ payment app.
Experts recommend treating dining apps with as much care as you would your bank account -- and taking these precautions to keep your money as secure as possible.
Check carefully that you’re downloading a legitimate app
Start with the basics: Make sure you’re downloading the right app. It sounds like a no-brainer, but nefarious fake apps that look like the real ones could be lurking in mobile stores like Google Play. These aim to trick users and could instead deliver malware, lock users out of their phones, or steal the information entered into the app.
While malicious spoofs are a potential issue with any app, they’re of particular concern for payment apps because of the financial component, says Archie Agarwal, founder and CEO of ThreatModeler, which provides security and risk management solutions to companies.
To help avoid scammers, only download apps from official app stores. Read other users’ reviews of the app, and double check for yourself that the details sound right. If you’re downloading the Starbucks app, for example, the developer shouldn’t be listed as CoffeeGuy123.
Look for apps that require a second authentication
Make sure the app includes a level of proof beyond your password, like a thumbprint. Otherwise, don't store your credit card details. “I’m always concerned about storing sensitive information [like credit cards] if the app doesn’t require two-factor authentication,” says Agarwal. Two-factor authentication is a login system that requires a second component; most often, you must not only know the username and password, but also have to enter a code texted to your phone.
Agarwal looks for apps that use Apple Pay, which requires a thumbprint scan as the second piece of authentication. But Apple charges merchants transaction fees to use the service, so this isn’t common.
If the app doesn’t require a second factor, don't store your credit card, Agarwal advises. While it’s possible for restaurants to store and encrypt financial information safely, it’s impossible for the average diner to tell from looking at the app whether it built in appropriate precautions.
So, yes, it’s annoying to type in your credit card manually every time you get takeout -- but you’ll greatly reduce the risk of your financial information being stolen. “It takes an extra two minutes to enter that information, which is well worth it,” Agarwal says.
Don’t create or log into your account using public Wi-Fi
Experts loathe public Wi-Fi networks because they’re potential security traps -- it’s theoretically possible for hackers to see every piece of information you send across the network. So don’t enter your username and password, or your credit card information, while on a public network, Agarwal says. Stick to cell service or your password-protected home Wi-Fi.
Don’t let the app auto-reload funds
Linking bank accounts to auto-reload funds ensures you’ll never hit $0 on the app -- but it’s the biggest concern for Bob Sullivan, the privacy reporter, who covered what he called an “ingenious” scam involving several Starbucks app users.
Thieves who apparently obtained users’ Starbucks.com login credentials were able to siphon money from them in minutes, by loading their stored funds onto a new gift card and repeating the process every time the auto-reload feature added more money. It was as if the scammers had stolen from users’ credit and debit cards -- but they didn’t need to have access to the card, or even know the account numbers. (In response to the scam, Starbucks encouraged its customers to protect their accounts with unique passwords.)
“Directly linking your bank account gives hackers an easy back door,” Sullivan says. “So even if you’ve taken other security precautions, when you give an app access to your account you’ve circumvented all that. And with auto-reload, criminals can steal again and again and again, as happened with Starbucks.”
Instead, reload funds onto dining apps manually. As with the advice to re-enter your credit card number every time you make a transaction, it’s a tip that adds a step. But the momentary annoyance is much better than getting stuck trying to get stolen funds reimbursed.
“Coffee chains aren't banks,” Sullivan says. “They have almost no experience dealing with the issues that come up in bank fraud and the clever ways bank hackers steal money.”
Ordering takeout with a single tap is satisfyingly simple, and just plain fun. But keep in mind restaurants won’t -- and can’t -- match your bank’s experience protecting your valuable financial data. Take a few precautions and you’ll be able to chow down with less risk.