The dos and don’ts of instant payment apps

'Tis the season for mobile payments, but are they safe?

Andrew Harrer | Bloomberg | Getty Images

Even if it's just splitting the tab among co-workers at your annual holiday get-together, it's clear that this is the season for instant payment apps.

Venmo and Zelle have exploded in popularity, particularly among 18- to-34-year-olds. In fact, millennials are six times more likely than boomers and Gen Xers to use payment service Venmo in lieu of cash, checks and credit cards to settle up for everything from dinner and drinks with friends to paying the month's rent, according to new research by Qualtrics and Accel.

"Peer-to-peer apps are crucial to modern personal finance," said Sean McQuay, a credit card analyst at NerdWallet.

Venmo alone processed about $4.9 billion in person-to-person payments in the third quarter of 2016, up 131 percent from a year earlier, according to PayPal's most recent report.

Venmo's peer-to-peer transaction volume is expected to grow to about $84 billion in 2019, according to Josh Olson, an analyst at Edward Jones.

But although 21 percent of consumers have used a mobile app on their phone to make a payment — a number that likely will continue to grow — only 11 percent of consumers trust alternative payment providers to protect their payments, according to a recent survey from the American Bankers Association.

In reality, the top mobile payment apps have very financially secure roots. Venmo is owned by PayPal, which is licensed as a money transmitter in every state, and Zelle is backed by the country's biggest banks, including Chase, Citi and Bank of America. (There are also a slew of competitors on the scene, including Dwolla, Square Cash and Popmoney.)

The theory behind them is the same. Instead of using an instrument, like a check or credit card, to make a payment, mobile broadband technology makes it possible to move money directly between two people (called peer-to-peer, person-to-person or P2P). They either draw from a pool of funds you establish as your balance or the money flows directly to and from your bank account.

In fact, banking on mobile devices is considered more secure than online banking, because of mobile operating systems' "sandboxing architecture" which isolates individual apps from malicious malware, according to Jason Soroko, manager of security technologies at Entrust Datacard, a financial transaction security firm. If one app is infected, it won't spread to another, like it could on your PC, Soroko said.

"Consumers should feel confident about using their mobile devices to make payments," he said.

It gets problematic if someone has access to your phone and sends a payment you didn't authorize or if you send it to the wrong person. Because the payment is analogous to cash, it is more difficult to reverse a transaction. "That is the largest security risk," said NerdWallet's McQuay.

However, if you have lost your phone and you are worried that someone else might be able to access your instant payment account, you do have the ability to freeze or terminate your account remotely, said Jason Oxman, CEO of the Electronic Transactions Association, the group representing payments and technology companies.

But there are still additional steps consumers can take to shore up their financial data ahead of the holiday spending season.

For starters, when choosing one instant payment app over another, "read the terms and conditions and weigh the costs, if any," Oxman said.

All should guarantee your transaction and encrypt your data, but the fees may vary. Square Cash, for example, charges a 1 percent fee for instant deposits.

Then, "the basic rules apply, just like banking online," said Julie Conroy, a research director covering fraud, data security and compliance issues at Aite Group, a global research and advisory firm.

"Don't use the same password across all of your online relationships," Conroy said, "make sure it is different from other online passwords."

Also, do some due diligence, she said. "Look to see who the manufacturer of the app is, read the reviews, see how many downloads there are. There are rogue apps, which mimic a real app, that can slip through the cracks," Conroy cautioned.

And opt into multi- or two-factor authentication, Oxman advised, which can mean you'll receive a security code via text that you must enter to log in — this prevents someone from logging into your account from another computer. Also, always use fingerprint authentication if available and a code to lock your phone, he said.

"You have a lot of options available."