How to Protect Yourself From Mobile App Fraud

I love burritos, but I had to delete an app developed by a chain restaurant that allowed me a convenient way to get my burrito fix. I’ve been putting it off for months, but I finally decided that the convenience wasn’t worth the risk. Let me explain.

This app, like so many others, allows you to save your payment info and favorite orders so you can “skip the line” and can order from the comfort of wherever you happen to be planted at the moment. Fantastic! I don’t have to waste precious lunch time standing in line with no food. Well, it was pretty fantastic until I got this email one day while I was working:

an example of mobile app fraud

screenshot of mobile app fraud

I didn’t place an order, my name isn’t Eric, and I’m definitely not in San Francisco!

I immediately logged in to the app, changed my password, and deleted my card information. Out of anger, a sense of righteousness, and a little bit of panic, I called that store in San Francisco to make sure this order wouldn’t be ready when “Eric b” came in to get it. The person who answered my call said that they “have a process for this” and walked me through some steps to dispute the charge on their end, telling me they’d email me next steps. Several days later I got their “next steps," which were 1. they wouldn’t be doing anything and 2. I should contact my financial institution. Gee, thanks.

Everything was sorted out quickly after I went into my local Hanscom FCU branch and the MSR I spoke with filled out a fraud form for me (this can be done online, but I like going into the branches). I also had to get a new card as an extra safety measure. I got my money back shortly and got a confirmation letter from the credit union confirming all of the actions taken, but this whole incident could have been avoided in the first place had I been a little more cautious.

How to protect yourself from Mobile App Fraud

Unique passwords are your friends. Be forewarned: this is not an isolated incident. Chipotle, for example, has had a number of complaints about this exact type of unauthorized activity, and it’s possible with any app that has your card information stored on it, especially if you’re reusing passwords that you thought weren’t compromised. Learn from me – be unique every time.
Don’t save payment info. I’m not suggesting you delete these super- convenient apps. I DO suggest that you make them just a touch less convenient by not saving your payment information in them. Even if your password becomes compromised and someone else gains access to your account, they can’t make fraudulent purchases if there’s nothing for them to pay with.
Use a mobile wallet. Mobile wallets like Apple Pay, Samsung Pay, and Android Pay don’t share your actual card info, but rather share a tokenized account number. It’s a one-time-use code that can only be interpreted by the merchant and Hanscom FCU for that transaction.
Or at least use a credit card. If you’re going to save payment information (guilty as charged with the Starbucks app), credit cards come with better protection against fraud than do debit cards, and what you can be on the hook for is limited to $50.
Use backup safety measures. Check each app’s security settings carefully. Some, like the Dunkin’ Donuts app, require you to input your card’s three-digit CVV (or 4-digit with Amex) every time you add money to your account, preventing people from using it without having the card in hand.
Ask yourself if you really need the app. Even when doing all of the above, a good way to avoid being the victim of a data breach is to not share your data. At the end of the day, I decided I didn’t need a few of the apps that I was sharing my banking info with, and so I purged them from my phone.

Bottom Line: Be vigilant

Minimizing your risk means keeping a watchful eye on your private information. Stay up-to-date on security news and maintain good security practices, like updating your passwords frequently and not reusing them.