How to pay with Android
USING AND SECURING CONTACTLESS PAYMENTS ON ANDROID
BACK IN TECHLIFE issue 87 we published an article on Android smartphone and device security. Recently we have seen an increased uptake of smartphone payment apps that let your phone double as your contactless credit or debit card. So, how secure are they?
Firstly, no transaction is 100% secure, and there is usually a trade-off between security and convenience. Most of us are prepared to accept that compromise, and Australia has adopted contactless payments so completely that St George Bank recently reported around 95% of point-of-sale payments are now contactless.
You can use your card to tap and pay up to $100 – and that’s one of the highest such limits in the world. For this level of payment, possession of the card is the only security feature. If you lose your card someone else can use it repeatedly for contactless transactions of up to $100 until the card is cancelled or the money runs out. Yet it’s not a major problem and most of us certainly would not lose sleep over it.
Even without losing anything, we have all heard stories of money being extracted from people’s cards without their knowledge. We recently saw a pocket-sized reader demonstrated that can do that from up to a metre away, plus we had a credit card invisibly skimmed at Sydney Airport.
Fortunately, credit card companies acknowledge fraud and normally refund fraudulent transactions without fuss. Unfortunately, they also cancel your card and send you a new one, which can be a hassle. Debit card fraud can be more difficult to get refunded: guard them well!
While the great majority of contactless transactions use credit or debit cards, smartphones are gaining ground with Google Pay, Apple Pay, and Samsung Pay the leaders in the field. Google Pay replaces Android Pay and Google Wallet, and claims to be the most widely accepted smartphone payment app.
HOW DO SMARTPHONE PAYMENT APPS WORK?
The apps work with all contactless EFTPOS terminals – just hold your phone against the EFTPOS terminal the same way you use a contactless card. Samsung Pay has an extra feature for compatibility with the old magnetic stripe EFTPOS terminals where they are still in use – it can emulate a magnetic swipe signal and use these old terminals too.
CAN GOOGLE PAY REPLACE ALL MY CARDS?
Most of them. You can load multiple credit and debit cards into Google Pay and leave the plastic at home. You will need to set a default payment card on the device, but can change that for individual purchases if there is a need to.
You can also load any loyalty cards into Google Pay, mainly the ones with a barcode, as well as gift cards (add them under “Passes”). Some online stores may also have offers that you can “Save to Google Pay” and have available for later use.
Google Pay is also fully integrated with Melbourne’s Myki transport passes, and can also be used with NSW Opal card readers for standard fares.
To get it, search for “Google Pay” at the Google Play Store, download and install. Your phone needs to support NFC (Near Field Communication), but almost all do, although you may be prompted to turn it on. Setup is very easy, and with the app reading your card with the camera you don’t even have to type in the numbers.
Note that full credit card details are not stored on your phone, or provided to the selling merchant. A unique code is used to verify the transaction instead.
ONLINE PURCHASES
An increasing number of online stores and services accept payment through Google Pay, usually via their store apps. This means you can be browsing online stores and make an instant purchase using Google Pay. Be warned though, unlike Apple and Samsung Pay, you don’t have to re-enter your PIN or any other authorisation. It can be too easy to buy online with Google Pay!
LET’S TALK SECURITY
So far so good, but what happens when we replace a cheap plastic card with a complex electronic device? After all, smartphones can be hacked, hijacked or stolen. The good news is that contactless payments made with a smartphone are generally more secure than with a card, but they are not infallible. Here is a quick summary of how you minimise the risk:
* Don’t carry an unlocked smartphone – keep it securely locked.
* Be aware of anyone “shoulder surfing” to watch you entering your PIN, password or pattern, or using a portable reader to access your phone or cards.
* Lock or wipe your phone if it’s lost or stolen.
* Never load cards or private information through public Wi-Fi.
* Use credit cards as your default payment options so you are not liable for fraudulent transactions.
* Be careful of the apps you download.
Much of this applies to securing your smartphone in general, as described in our TechLife 87 article:
USE THE LOCK SCREEN
For convenience, Google Pay only requires that you wake up your phone before making a limited number of purchases of up to $100, and it only needs to be unlocked to pay larger amounts. So it is similar to using a contactless card – just tap and go for up to $100, but you need to enter your PIN to unlock the phone for larger payments. However, that means no PIN is required for, say, a $500 payment if your phone is already unlocked. Google suggests setting your phone to lock reasonably quickly.
If your phone runs Android Pie or later, you can activate Lockdown mode for extra security if there’s a chance someone might steal or have access to it. If you are very security conscious, use Two Factor Identification, such as PIN and fingerprint, to unlock your phone.
Remember that if you use a pattern to unlock, keep your screen very clean so no one can see where the finger swipes have been.
FIND YOUR LOST ANDROID
If you do lose your phone, as long as Location is enabled (in Settings/Google/Location) and the device is switched on, you should be able to locate it through Google’s Find My Device: www.google.com/android/find
Samsung provides a similar Find My Mobile function, plus there are many apps available to help secure your phone or tablet.
Both the above services also give you options to lock or erase your phone remotely, and Find My Mobile also has an option to send the last known location just before the device shuts down due to a low battery.
BEWARE THE MALWARE
Apps can contain malware which steals information from your phone, including credit card details. The surest way to avoid that is to only download and install apps from the Google Play Store, and to keep them updated.
Also, Google Play Protect is built in to your Android device, and includes a feature called “Scan device for security threats” that checks your installed apps and watches for suspicious activity. This feature is On by default, so should be doing its stuff automatically.
ANTI-MALWARE APPS
If you avoid black market apps, the chances of getting malware on your Android device are minimal. But some extra protection never hurts – go to the Google Play Store and search for “Android security”, and you will have plenty of choices available.