A look inside consumers’ security concerns about emerging payments

Facebook has an image problem with some consumers, and that’s become more obvious as the social media company continues to roll out its new person-to-person payments feature within Messenger.

Facebook announced Messenger payments in March, and is in the midst of a staggered nationwide rollout. The new feature hit Facebook users in New York City and the surrounding metropolitan area on Wednesday May 27, and its availability on both the desktop and mobile versions of Messenger has consumers talking — and not always in a good way.

I sometimes conduct informal Facebook polls with my friends on certain hot-button payments issues to get an idea about how something such as a mobile wallet will connect with consumers. When Facebook announced Messenger payments, I asked my friends if they would be comfortable giving Facebook their debit card information to use the service. What follows is just a small sample of the responses:

  • Not my debit card. I don’t use my debit card unless I can enter a PIN because, if something happens with a transaction, it’s a much bigger pain to deal with. I would do a credit card.
  • Not a chance in hell. Facebook hardly has the best track record with what they do with our [personal information].
  • No, I don’t trust Facebook to keep any information.
  • Not a shot in hell. Facebook doesn’t protect personal information as it is. Why would I trust them with banking and credit cards and debit cards?

When some people began to notice the feature was active on Wednesday, confusion ensued.

One person in a Facebook group I belong to posted a snapshot of the Q&A section on how to use the service and asked if Facebook is the new PayPal. Another person responded and said they would never give their financial details to Facebook and wondered if PayPal and Facebook worked together on the new feature. “I hope PayPal didn’t sell out to Facebook,” she said.

All these responses shouldn’t come as surprise to executives who work in the payments industry. They’re similar to the results of countless consumer surveys about emerging payments technology. Consumers for the most part don’t trust payment methods that involve a third party other than their bank. And this is a huge problem that prevents widespread adoption of mobile wallets, and mobile payments in general.

Easing doubts

To Facebook’s credit, it got out in front of any perceived security issues with Messenger payments from the beginning.

“We use secure systems that encrypt the connection between you and Facebook as well as your card information when you ask us to store it for you,” Facebook wrote in a company blog post after Messenger payments was announced. “We use layers of software and hardware protection that meet the highest industry standards. These payment systems are kept in a secured environment that is separate from other parts of the Facebook network that receive additional monitoring and control.”

Facebook introduced Messenger payments a week after P2P mobile app Venmo updated its account notification system after a Slate article highlighted problems some users reportedly faced with unverified account access.

After my informal Facebook poll, I reached out to the company for comment about consumers’ security concerns.

“Facebook values the trust you place in us and we take numerous precautions to prevent unauthorized access to financial information saved in Facebook,” a company spokeswoman told me in an email. “We have many layers of security, and, as with all money transactions, we monitor for suspicious activity, looking at variables such as length and closeness of friendship to help verify the legitimacy of transaction and investigate suspicious transactions. As with all other content on Facebook, people can report any illegal content via our normal channels.”

Facebook still needs to do some more work to gain trust from consumers, but its track record handling payments is flawless as far as we know.

Facebook uses proprietary technology for the new payments feature, and its subsidiary, Facebook Payments Inc., processes Messenger transactions. The company has processed payments for game players and advertisers since 2007. While Facebook’s privacy settings continue to be an ongoing issue for some users, we’ve never heard anything about a payments data breach involving the company.

Companies’ responsibilities

As for what companies such as Facebook, Venmo, and even Starbucks can do to put consumers’ minds at ease when it comes to the security of their payments products, one expert said a combination of things can be done.

“There is a balance in that better education [from providers] and better Internet hygiene [from consumers] helps everyone,” Alisdair Faulkner, chief products officer at digital security company ThreatMetrix, told me in an interview. “On the other hand, you have to help consumers help themselves.”

Faulkner’s response was to a question I asked him about Starbucks’ flippant response when users of the company’s mobile app experienced unauthorized access to their accounts, which resulted in fraudulent charges.

Starbucks said consumers should do a better job of constantly changing their account password, which is true to an extent but probably not the best answer the coffee giant could have provided.

As far as consumers’ trust issues with Facebook handling financial information, Faulkner said it’s not the debit card consumers have to worry about. Cybercriminals these days are more interested in stealing digital identities.

“What people don’t understand is that my username is effectively my credit card now,” he said. “Digital identity is the new currency that’s fueling cybercrimanals, and what people don’t understand is that usernames and passwords are often shared across sites that have already been compromised.

“If I can effectively take over your account, I’m not going to just post spam to your users. I now can transact with it. It’s not the payment that is unsafe. The payment might be secure, but your identity isn’t. Your ID is sitting on countless servers across the dark Web waiting to be exploited almost at the convenience of cybercriminals that are lurking in the shadows.”

Such threats will continue to grow along with the use of mobile devices, according to a recent cybercrime report from ThreatMetrix.

“Mobile attacks continue to grow, driven by the prevalence of stolen identities and tools to enable cloaking/spoo­fing, but remain below the desktop volumes, as mobile devices are not yet conducive to massive fraud attacks,” the company concluded in the report.

Faulkner believes companies’ current approach to protecting digital identity doesn’t match the consistent threat from cybercriminals. Companies need to put more emphasis on protecting the username and password, he said.

“There is insufficient emphasis and awareness at the board level in many companies that the easiest, the most advanced consistent threat is the username and password, however it’s entered,” Faulkner said. “That’s the piece most people don’t see. People are protecting themselves against data breaches, but if you ask them how often their user accounts are being breached, they would have zero idea.”

I’m sure that’s not the type of information my Facebook friends want to read.

Recommended Posts