With much of the payments industry and Silicon Valley tech press in a speculative frenzy about what Google Inc., Apple Inc., and Facebook Inc. might or might not do regarding mobile payments, a new study has come along indicating that consumers are complacent, arguably extremely complacent, about protecting personal and financial data on their smart phones.
According to the results, telecommunications companies, card issuers, and other payments players have a big education task ahead of them if they expect consumers to do their part in keeping payment fraud under control and if smart phones are to become the credit and debit cards of the 21st Century.
“In general our findings suggest that people are not aware of or sensitive to the risk their smart phones create for them,” says Larry Ponemon, chairman of the Ponemon Institute, a Traverse City, Mich.-based research firm. For the study, Ponemon Institute surveyed 734 randomly selected Americans over age 18 with smart phones, including the iPhone, BlackBerry, devices running Google Inc.’s Android and Microsoft Corp.’s Windows Mobile, as well as other operating systems.
Among other key findings, according to a recent release from study sponsor AVG Technologies N.V.: 89% of respondents were unaware that smart-phone applications can transmit confidential payment information such as credit card details without the user’s knowledge or consent. Some 91% of respondents were unaware that financial applications for smart phones could be infected with special software, called malware, designed to steal card numbers and online-banking credentials, yet 29% reported already storing credit and debit card data on their devices.
Some 51% of respondents said they had neither keypad locks nor passwords on their smart phones. Twenty percent reported having keypad locks; 19% had passwords, and 10% used both security methods. Only 29% had considered installing antivirus software on their phones, and 42% said they allowed the smart-phone versions of social-network applications such as Facebook to access their key chains, passwords, and log-in credentials that they use on their desktop or tablet computers.
Regarding their actual experiences, 58% of respondents reported receiving unwanted marketing messages on their smart phones and 5% said their phones had been infected with malware.
Overall, 57% of respondents rated security as not important, with just 43% saying it was important. That indifference comes at a time when many in the tech and payments communities expect smart-phone fraud and marketing abuses to increase because of the phones’ increasing market share and the personal data they hold, including card data and online-banking credentials. “It’s likely the bad guys are going to turn their attention to smart phones,” says Ponemon.
The card industry so far has failed to reach a consensus about security measures involving mobile payments. The PCI Security Standards Council, which administers the Payment Card Industry data-security standard and related standards, in January stated that until it completes a “comprehensive examination,” it would not approve mobile-payment applications for use by merchants unless an app meets requirements set by the Payment Application data-security standard “and the underlying mobile-communications device supports the merchant’s PCI DSS compliance.”
In addition to payment-related questions, researchers asked respondents about other data they may store or transmit with smart phones. Eighty-four percent of respondents said they use the same smart phone for business and person reasons, but 28% were unaware that using a smart phone for personal and business purposes could put business information at risk.
Study sponsor AVG Technologies, an Amsterdam-based provider of antivirus and other security software, had no influence on the study results, Ponemon says. The survey’s margin of error was approximately 3.5 to 5 percentage points.