What is the safest money transfer app

Mobile payment apps like Venmo, Zelle, and Apple Pay promise one thing: to make exchanging money with friends as easy as using cash. But with that ease come security concerns.

What happens if you accidentally send money to the wrong person—or even worse, you become a victim of fraud? And unlike cash, apps track your transactions and then potentially sell or share that data for marketing purposes.

We dove into the privacy and security policies of each tool to figure out how they secure data and protect payments, and how much information they share with third parties.

You can find a lot of different mobile payment options out there, but we decided to stick with the most popular: Apple Pay, Facebook Pay, Google Pay, PayPal Mobile Cash, Square Cash, Venmo (which is owned by PayPal), and Zelle. For each app, we looked at several key features: basic details about data security, transaction and account security, and how the service shares data. We dug into the privacy policies of each app and monitored traffic during transactions using Disconnect’s Privacy Pro iOS app, which displays a feed of any website the phone sends data to. (Keep in mind, though, that even if data isn’t shared live it may still get shared later.)

Here’s the short version: If privacy is your main concern, stick to the apps from Apple or Google whenever you can, even though doing that comes at the cost of those companies adding even more of your behavioral data to their already abundant collection. If your main concern is sending money to the wrong person, use payment apps that offer QR codes or link sharing, such as Facebook Pay, PayPal Mobile Cash, Square Cash, or Venmo; all of those services, though, have some quirks when it comes to privacy concerns.

Mobile payment apps’ security and privacy

• Every service we tested has reasonable security protections for accounts and some form of two-factor authentication. Some have more detailed security pages than others. Venmo and Zelle barely explain their security protocols, while Apple Pay, Facebook Pay, Google Pay, PayPal Mobile Cash, and Square Cash offer more detail.
• Every company takes part in a bug bounty program, which invites people to report exploits or vulnerabilities in exchange for cash.
• Every app has notifications for payments, as well as a passcode-lock option to prevent someone who has your phone from initiating a payment without you. Many also include a warning or other protections to prevent your sending money to the wrong person. Our favorite method is to use dedicated links or a QR code, so you can share your account details instantly without worrying about a typo. Only PayPal Mobile Cash, Square Cash, and Venmo offer this option.
• No app provides fraud protection beyond tools to protect your account. If you authorize a payment and the transaction turns out to be a scam or fraud, there’s not much you can do. If your account is hacked, you can reach out to customer support for help. In any case, treat your electronic payments with the same care you apply to cash payments. NBC has details on how some of these scams work.
• When it comes to account privacy, some apps ask you to create a username while others are tied to a phone number or email address. If you’re exchanging money only with friends, this doesn’t matter. But if the payment is for something like a Craigslist purchase through a stranger, you may ask if they can do the transaction over PayPal.me, Square Cash, or Venmo so that the least amount of personal information gets passed along.

All payment apps share some personal data with third parties, such as banks or fraud-monitoring services, to complete a transaction. But we looked specifically for cases where services used this data for marketing, because sending data to those types of third parties may expose your data in ways you don’t expect. Apple and Google don't share data beyond what’s required to make transactions and don’t use what they collect internally for marketing, though it’s difficult to predict other ways they may use data internally. Facebook Pay also doesn’t share data with third parties, though it may use some data to target internal ads.

Every other service we looked at shares or sells data for marketing purposes. PayPal Mobile Cash, Square Cash, Zelle, and Venmo share data with third parties to track internal marketing.

Judging from our research, most of the third-party companies that PayPal Mobile Cash, Square Cash, and Venmo send data to seem to track internal marketing campaigns with services such as push notifications, email newsletters, or ad clicks. We certainly prefer that over the actual selling of data, but it doesn’t mean payments apps’ use of third parties is without risk.

Jeremy Tillman, president of Ghostery, a software company that makes privacy extensions and apps, said privacy issues can arise from bringing more companies into the fold: “You’re susceptible to each of their vulnerabilities from a privacy perspective.”

Casey Oppenheim, co-founder of Disconnect, noted, “People using these apps have no reason to expect that when they send money, there are tracking companies they’ve never heard of collecting super-personal data, like their home address (exact GPS location) and the names of their associates.” For example, you may trust PayPal to handle your data, but when it shares that data with a third party you’ve never heard of and have no direct relationship with, you don’t get much of a say in the matter—if you even realize that’s happening at all. To fully understand the scale of where and how your data is shared, you’d have to look through the third party’s terms of use and privacy policy. “And there is a daisy chain to this invisible tracking,” Oppenheim added. “Each tracking company that collects your info may be able to retain, use, and share that data according to their policies without your knowledge or consent.”

When a payment-app company sends data to another company, “they’re putting a lot of faith in the third parties who they’re simply trusting to protect your data and with whom you don’t have a direct relationship with,” said Tillman.

On its own, this data may not mean much, but as we’ve discussed before, the data may be collected to form a comprehensive profile of you. And that may be a lot more than most people want to reveal when they’re just trying to send money to a friend.

Let’s go through the privacy specifics of each app.

Venmo

To send money, you and the other person need to exchange usernames, but you don’t have to share a phone number or email address. You can share account details with a QR code, which is better than typing in a username since it eliminates the chance of making a typo that causes you to pay the wrong person.

If you’ve never paid someone before, Venmo double-checks that you want to send the payment and shows a larger version of the recipient's profile picture. There’s no way to cancel payments, so if you pay the wrong person, you have to hope they send the money back.

Venmo is the only service with a social network attached to it. Transactions on Venmo are public by default, meaning every time you send money, friends and strangers can see the comments in a public feed. Don’t hesitate to change your privacy settings. According to its privacy policy, Venmo collects a variety of data about transactions, including your location, which PayPal representatives told us the company may use to market its own products.

During a transaction I monitored, Venmo sent information to a data firm called Braze, which specializes in delivering marketing through push notifications and email. This information exchange could include newsletter signups or the tracking of Venmo’s social features. Both Venmo and PayPal also participate in “joint marketing,” which allows for coordinated marketing campaigns with other financial companies, such as banks.

PayPal Mobile Cash

PayPal Mobile Cash links to PayPal’s general privacy policy. Similar to how Venmo does things, the data that PayPal Mobile Cash collects is tracked for the purposes of internal marketing programs. During our test transaction, PayPal sent data to two marketing firms, mParticle and Adjust. Both companies provide tools to assess mobile ad campaigns and track app use. Adjust also offers some fraud monitoring that identifies bots, which would make sense for an app like PayPal Mobile Cash.

Zelle

You can use Zelle through most major banks, including Bank of America, Chase, and Citi, though if your bank doesn’t support Zelle, you can use a standalone app. This means Zelle’s security measures, including basic practices such as two-factor authentication, are usually dependent on the bank. This arrangement has led to security issues in the past, in which scammers have found ways to get money from people who don’t use Zelle.

It’s also important to note that just because Zelle is often provided through your bank, that doesn’t mean it offers any additional scam or fraud protections over its competitors.

To confuse matters, Zelle confirmed with us that its privacy practices also depend on whether you use Zelle through your bank or through the Zelle app. According to Zelle’s privacy policy, the app collects a lot of data, including your name, email address, location, and other online identifiers, Zelle’s privacy policy covers both its mobile app and website, which can be confusing since it first appears like Zelle can sell data to advertisers. But Zelle assured us in an email after our initial publication that the sale of data only applies to visitors to its website, not users of the mobile app. Your bank likely has a different privacy policy that may or may not collect as much data.

We did not see any data transferred to marketing third parties during a transaction using Zelle through a banking app. However, the Zelle app did send data to Mixpanel, another analytics company that can analyze behavioral data in apps and track usage.

Square Cash (Cash App)

Square Cash has usernames, so you can exchange money without ever sharing an email address or phone number. If you’ve never paid someone before, Square Cash pops up a warning asking you to confirm the payment details. You can also share a link directly or through a QR code.

According to its privacy policy, Square Cash collects plenty of data, including your location, name, and device information. Square may use that to track internal marketing. When we sent a payment through the app, it sent data to AppsFlyer, another marketing analytics company that appears similar to the firms PayPal and Venmo use, though AppsFlyer bills itself as a privacy-focused company.

Apple Pay

Paying with Apple Cash through Apple Pay works only with Apple’s Messages app, so you need to exchange a phone number or email address. There’s nothing to protect you from sending money to the wrong person beyond a confirmation screen, but Apple Pay defaults to the “Manually Accept Payments” setting, which means a recipient can decline a payment. You can also cancel a payment if the recipient hasn’t accepted it yet.

Apple Cash’s privacy policy falls under that of Apple’s partner bank, Green Dot Bank. Under this policy, personal information is not used for marketing internally or shared with third parties. During a test transaction, we didn’t see any data sent to marketing firms.

Google Pay

Google Pay works with a Google account, so you need to exchange email addresses for payment. Google Pay displays a confirmation screen to remind you to double-check the details before you send money and allows you to cancel if the recipient hasn’t accepted the payment.

Google Pay’s privacy policy gets a little confusing, as it doesn’t differentiate between payments to merchants and cash payments between friends. But when we reached out to Google for comment, representatives confirmed that Google doesn’t sell user data to third parties and does not allow advertisers to target based on Google Pay data. When we monitored a transaction, no data went to third parties.

Facebook Pay

You send payments through the Facebook app or Facebook Messenger, so you and the other person need to be friends or to reveal your account info. Facebook Pay doesn’t have wrong-payment protection, though Facebook profiles are typically easier to distinguish than the profiles of its competitors.

Facebook Pay has a privacy policy separate from Facebook, but it notes that it will share data with its parent company, Facebook, Inc. Facebook doesn’t share transaction data with third parties but may use it internally. A blog post notes how data may show up in internal marketing: “For example, if you buy a baseball glove on Facebook Marketplace, you might see an ad for a baseball bat.” In our test transaction, Facebook Pay sent nothing outside Facebook.

Steps to secure a mobile payment app

Regardless of which mobile payment option you use, it’s important to take a few steps to improve the security of the app:

• Enable two-factor authentication: Two-factor authentication helps prevent someone from gaining unwanted access to your account by requiring two pieces of information to log in. Once you’ve enabled 2FA, after the app asks for your username or password it then asks you for a second factor, usually a code that’s sent to an app, as a text message, or in an email.
• Set up payment notifications: This way, if someone does get into your account and sends money, you’ll know immediately.
• Protect the app with a passcode, your face, or a fingerprint: Enable whatever secondary protections an app offers, whether that’s a PIN or a biometric lock (logging in with your face or fingerprint) to open the app or to send a payment.
• Enable automatic app updates: Mobile payment apps get updated with security enhancements and bug fixes. If you don’t already have automatic updates enabled, you should turn them on. On Android, open the Google Play Store app and tap the menu icon > Settings > Auto-update apps. On iPhone, open Settings > iTunes & App Store and enable App Updates.
• Confirm recipient details before sending money: If an app has a built-in account-sharing tool that works via a link or a QR code, use that instead of typing out a username. This approach eliminates the chance of making a typo and paying the wrong person. If that isn’t an option, verbally confirm the details with the recipient before tapping the send button.
• Treat mobile payments like cash: Scams are very common with payment apps, partially because it’s so difficult to get money back after you’ve sent it. Never pay strangers or send money online without confirming you’re sending it to the intended recipient.

Mobile payment apps are targets for scams partially because people don’t fully understand how they work. Once you have that knowledge, spotting fraud is much easier. And if your account has the security protections listed above, it’s less likely someone will ever break into your account.

Sources

1. Jefferson Graham, Apps like Venmo, Cash and PayPal are free, but here’s who they are telling your business, USA Today, March 25, 2020

2. Tobie Stanger, Why Apple Pay Is the Highest-Rated Mobile P2P Payment Service, Consumer Reports, November 21, 2018

3. Third-Party Services, US Federal Trade Commission, November 1, 2019

4. EFF and Mozilla to Venmo: Clean Up Your Privacy Settings, Electronic Frontier Foundation, August 28, 2019

5. Herb Weisbaum, Use payment apps like Venmo, Zelle and CashApp? Here’s how to protect yourself from scammers, NBC News, June 11, 2019