Payment security - fraud that goes on without your involvement.


Janine Starks has recently highlighted issues with the way banks are operating mobile payment services, and it's a bit scary.

Back in Feb 2023, Janine published this article outlining the problem; because it happened overseas and not here, most won't have taken any notice.

However, more recently, there have been cases where New Zealand account holders have been ripped off using the same approach.

This new article written by Janine details the case here at home.

As Janine commented on her LinkedIn post:

“If you shop online using a card issued by a NZ bank you can’t use a numberless card. 

The retailer takes your mobile number and address for delivery. All that info is sold by hackers to criminals to exploit the set up code.  

The criminal triggers the timing of the code and chooses their interception method. 

We can’t be sure how it was done in this case, maybe a sim jack, maybe zero click malware that was able to delete the text. 

Apple have constant plugs for this and the customer runs Apple. 

In my view it’s not for us to figure out, in order to hold a bank responsible. 

Banks cannot use insecure security methods (text in this case) and demand a customer's phone is free from bugs or that they understand a port lock. 

How does a consumer guarantee that 24/7? The bank doesn’t own the phone and T&Cs don’t give them the right to assume all texts are delivered without interference. 

Banks don’t appear to allow GooglePay and ApplePay to be blocked. Most of the population are exposed to this fraud.”

As Janine says, it's hard to avoid these things being activated by default.

So how do you protect yourself from these things?

Ironically, use Apple Pay or Google Pay. 

Using Apple Pay and Google Pay puts your details behind a security fence. The problem is that getting your details behind the security fence has a flaw.

While the security issue remains and banks haven't allowed you to turn them off, the technology in question may be the more secure approach.

The way Apple Pay and Google Pay work is more secure than using your physical card, where your details can be pinched by a scamming retailer.

As Janine outlined, the dodgy retailer with your credit card and mobile details selling you off is part of the problem.

  • The Apple Pay and Google Pay systems don't provide your card details to the retailer; instead, they tell the terminal or the payment gateway that the requested transaction has been approved.
  • The transaction happens back with your bank and not with the retailer. They just get told the money is there: "Transaction approved".

This removes one of the primary avenues this security issue works with.

However, this doesn't help where you need to provide a card because Apple Pay or Google Pay are unavailable.

So then what?

A better question: how do you protect your physical card transactions?

Manage your available cash:

This is about the amount of money a compromised card has access to.

The simple answer here: keep your money in accounts that don't have Apple Pay or Google Pay access.

Most banks have an online saver account, low fees and only accessible with online banking. 

Keep the bulk of your available cash in these accounts.

These accounts require you to log in to your online banking to move money around, and are vastly more secure than leaving your life savings available in a debit card accessible account.

Minimise your credit exposure:

It might be nice to know you can access $20k in a hurry with your credit card; at the same time, if you have $20k in a savings account, you really don't need this facility.

Reduce your credit limits to what you actually need on your day-to-day cards. 

Google Pay and Apple Pay are convenient, and once set up for you, as I mentioned earlier, they are more secure than your physical card in terms of the scammers grabbing your details.

Minimise the cash available for scammers and minimise your physical card transactions with Apple Pay and Google Pay.

Travel and Credit Cards:

If you need a credit card with a significant balance for travel, get a card with a provider that doesn't have Apple Pay or Google Pay. 

Sure, Apple Pay and Google Pay are convenient. However, for travel this opens up a whole new can of worms for your financial security you should probably avoid, and disable paywave too.

This card can have a higher limit for the purpose you need and keep it solely for that purpose.

Minimise your online exposure:

As Janine said earlier, part of the issue is with retailers having your card details and your mobile number.

Minimise what gets exposed to online retailers. Often, these are the ones where dodgy things added to their websites can skim details without your awareness.

I have two approaches here that I have personally used for some time. 

Use PayPal:

If the retailer offers this alongside the credit card option, use this.

  • If you don't know, PayPal is a large, well-established company that handles retailer transactions. They can provide a buffer between the retailer and your card details.
    • It is also useful for managing pesky international subscriptions that won't let you cancel them later on.

You can set up a secure account, similar to your online banking with multi-factor authentication and load the cards you use for this there.

  • PayPal doesn't charge fees to the buyer/purchaser.
  • For international transactions, if you leave the transaction in the currency of the retailer, you will normally have your bank's international transfer rates applied which are usually better than PayPal's.

Physical Cards:

For transactions that need a physical card or card number, have an additional transaction account with a debit card. 

  • This is different from an EFTPOS card in that it uses the credit card network but does not have access to credit.

The debit card only has access to the funds in the account it is linked to, meaning if it is compromised, the scammers get nothing to very little because you keep that account empty most of the time.

The way you work this is:
    • You use the debit card for your online transactions
    • And you only move money into the account when you are buying something.

Yes, it is extra steps and hassles; at the same time, it can be a useful technique to minimise your impulse buying, too.

With mobile banking apps able to move money around while you're in a store, you can move just the amount for that transaction. 

    • You need to be mindful of any dishonour fees that your bank charges, as you don't want these accumulating because the account is empty.
    • You also need to be aware of the tin shed issue, where you're in a big box retailer that is in a tin shed, and you have no mobile signal. Step outside to get signal if you need to, and no, don't use free Wi-Fi; that opens up other security issues.

This debit card approach can also be used as your PayPal card too.

What about card rewards?

To be honest, the rewards given out by most providers have been diminishing in recent years; the reality is you have to spend a lot to get any significant advantages with reward programs.

Also, are you prepared to compromise your financial well-being for a few reward points?

For your day-to-day card, sure, have it part of a rewards program. Just make sure the credit limit is managed as low as possible. 

Considerations before getting carried away!

This article covers several things that you need to seek assistance with.

  • Finding and selecting the appropriate accounts and cards. Talk to your bank about your options.
  • Be mindful of fees and charges; not all accounts come with free transactions.
  • As I mentioned earlier, avoid transaction accounts with dishonour fees. The bank shouldn't be charging you fees for this nowadays, but some may still do.
  • Foreign exchange is a specific area of financial regulation; if you need assistance or advice here, you need to talk to an appropriately qualified and licensed adviser.
  • Age: if you're older and all of this is foreign jargon, then you need to seek help. Usually, a younger family member can assist in unpacking what I have discussed here.
  • Vulnerable people are especially vulnerable to these payment security issues. If you need help, reach out and ask. 

What's your experience?

Over the years, I have had cards and accounts compromised, mostly the obvious things like card details copied while on holiday or product supplied has been fake or damaged.

  • One recent situation was insidious as it involved a site setting up regular small payments from the card, easily missed in the bustle of daily life. 
  • Fortunately, it was spotted and my bank sorted me out.

I have used the above techniques to minimise my exposures, and an empty account can't be drained. 

  • In the space of 12 months in the last few years, I've had 4 cards replaced due to compromises.
  • All but one got nothing. And the ones that got nothing were spotted by bouncing transactions on the empty account.
  • Easy fix: cancel the card and have it reissued. Cost me a new card fee, though it probably shouldn't have.

Writing this, I have picked up a few things I wasn't aware of, which Janine has helped explain. 

We can all do with a financial security audit once in a while; put one on your to-do list now!

The information provided in this article is for information and awareness.
  • This is not personal financial advice; you acting on this does not constitute an advice relationship.
  • The details provided in this article are for education purposes and were correct at the time of publishing.
  • Terms and conditions of products and services may change without notice.
  • We may not be aware of changes, and this article may not be updated to reflect any changes.
  • Before embarking on using any of the information provided here, please seek advice from a relevant qualified financial adviser.
  • Willowgrove Consulting provides advice on financial risks and utilises life and medical insurance products to mitigate those risks. 

Written by : Jon-Paul Hale
