Skip To Content
Show
Photo: Sarah Kobos Mobile payment apps like Venmo, Zelle, and Apple Pay promise one thing: to make exchanging money with friends as easy as using cash. But with that ease come security concerns. What happens if you accidentally send money to the wrong person—or even worse, you become a victim of fraud? And unlike cash, apps track your transactions and then potentially sell or share that data for marketing
purposes. We dove into the privacy and security policies of each tool to figure out how they secure data and protect payments, and how much information they share with third parties. You can find a lot of different mobile payment options out there, but we decided to stick with the most popular:
Apple Pay,
Facebook Pay,
Google Pay,
PayPal Mobile Cash,
Square Cash,
Venmo (which is owned by PayPal), and
Zelle. For each app, we looked at several key features: basic
details about data security, transaction and account security, and how the service shares data. We dug into the privacy policies of each app and monitored traffic during transactions using
Disconnect’s Privacy Pro iOS app, which displays a feed of any website the phone sends data to. (Keep in mind, though, that even if data isn’t shared
live it may still get shared later.) Here’s the short version: If privacy is your main concern, stick to the apps from Apple or Google whenever you can, even though doing that comes at the cost of those companies adding even more of your behavioral data to their already abundant collection. If your main concern is sending money to the wrong person, use payment apps that offer QR codes or link sharing, such as Facebook Pay, PayPal Mobile Cash, Square Cash, or Venmo; all of
those services, though, have some quirks when it comes to privacy concerns.
All payment apps share some personal data with third parties, such as banks or fraud-monitoring services, to complete a transaction. But we looked specifically for cases where services used this data for marketing, because sending data to those types of third parties may expose your data in ways you don’t expect. Apple and Google don't share data beyond what’s required to make transactions and don’t use what they collect internally for marketing, though it’s difficult to predict other ways they may use data internally. Facebook Pay also doesn’t share data with third parties, though it may use some data to target internal ads. Every other service we looked at shares or sells data for marketing purposes. PayPal Mobile Cash, Square Cash, Zelle, and Venmo share data with third parties to track internal marketing. Judging from our research, most of the third-party companies that PayPal Mobile Cash, Square Cash, and Venmo send data to seem to track internal marketing campaigns with services such as push notifications, email newsletters, or ad clicks. We certainly prefer that over the actual selling of data, but it doesn’t mean payments apps’ use of third parties is without risk. Jeremy Tillman, president of Ghostery, a software company that makes privacy extensions and apps, said privacy issues can arise from bringing more companies into the fold: “You’re susceptible to each of their vulnerabilities from a privacy perspective.” Casey Oppenheim, co-founder of Disconnect, noted, “People using these apps have no reason to expect that when they send money, there are tracking companies they’ve never heard of collecting super-personal data, like their home address (exact GPS location) and the names of their associates.” For example, you may trust PayPal to handle your data, but when it shares that data with a third party you’ve never heard of and have no direct relationship with, you don’t get much of a say in the matter—if you even realize that’s happening at all. To fully understand the scale of where and how your data is shared, you’d have to look through the third party’s terms of use and privacy policy. “And there is a daisy chain to this invisible tracking,” Oppenheim added. “Each tracking company that collects your info may be able to retain, use, and share that data according to their policies without your knowledge or consent.” When a payment-app company sends data to another company, “they’re putting a lot of faith in the third parties who they’re simply trusting to protect your data and with whom you don’t have a direct relationship with,” said Tillman. On its own, this data may not mean much, but as we’ve discussed before, the data may be collected to form a comprehensive profile of you. And that may be a lot more than most people want to reveal when they’re just trying to send money to a friend. Let’s go through the privacy specifics of each app. VenmoTo send money, you and the other person need to exchange usernames, but you don’t have to share a phone number or email address. You can share account details with a QR code, which is better than typing in a username since it eliminates the chance of making a typo that causes you to pay the wrong person. If you’ve never paid someone before, Venmo double-checks that you want to send the payment and shows a larger version of the recipient's profile picture. There’s no way to cancel payments, so if you pay the wrong person, you have to hope they send the money back. Venmo is the only service with a social network attached to it. Transactions on Venmo are public by default, meaning every time you send money, friends and strangers can see the comments in a public feed. Don’t hesitate to change your privacy settings. According to its privacy policy, Venmo collects a variety of data about transactions, including your location, which PayPal representatives told us the company may use to market its own products. During a transaction I monitored, Venmo sent information to a data firm called Braze, which specializes in delivering marketing through push notifications and email. This information exchange could include newsletter signups or the tracking of Venmo’s social features. Both Venmo and PayPal also participate in “joint marketing,” which allows for coordinated marketing campaigns with other financial companies, such as banks. PayPal Mobile CashPayPal Mobile Cash links to PayPal’s general privacy policy. Similar to how Venmo does things, the data that PayPal Mobile Cash collects is tracked for the purposes of internal marketing programs. During our test transaction, PayPal sent data to two marketing firms, mParticle and Adjust. Both companies provide tools to assess mobile ad campaigns and track app use. Adjust also offers some fraud monitoring that identifies bots, which would make sense for an app like PayPal Mobile Cash. ZelleYou can use Zelle through most major banks, including Bank of America, Chase, and Citi, though if your bank doesn’t support Zelle, you can use a standalone app. This means Zelle’s security measures, including basic practices such as two-factor authentication, are usually dependent on the bank. This arrangement has led to security issues in the past, in which scammers have found ways to get money from people who don’t use Zelle. It’s also important to note that just because Zelle is often provided through your bank, that doesn’t mean it offers any additional scam or fraud protections over its competitors. To confuse matters, Zelle confirmed with us that its privacy practices also depend on whether you use Zelle through your bank or through the Zelle app. According to Zelle’s privacy policy, the app collects a lot of data, including your name, email address, location, and other online identifiers, Zelle’s privacy policy covers both its mobile app and website, which can be confusing since it first appears like Zelle can sell data to advertisers. But Zelle assured us in an email after our initial publication that the sale of data only applies to visitors to its website, not users of the mobile app. Your bank likely has a different privacy policy that may or may not collect as much data. We did not see any data transferred to marketing third parties during a transaction using Zelle through a banking app. However, the Zelle app did send data to Mixpanel, another analytics company that can analyze behavioral data in apps and track usage. Square Cash (Cash App)Square Cash has usernames, so you can exchange money without ever sharing an email address or phone number. If you’ve never paid someone before, Square Cash pops up a warning asking you to confirm the payment details. You can also share a link directly or through a QR code. According to its privacy policy, Square Cash collects plenty of data, including your location, name, and device information. Square may use that to track internal marketing. When we sent a payment through the app, it sent data to AppsFlyer, another marketing analytics company that appears similar to the firms PayPal and Venmo use, though AppsFlyer bills itself as a privacy-focused company. Apple PayPaying with Apple Cash through Apple Pay works only with Apple’s Messages app, so you need to exchange a phone number or email address. There’s nothing to protect you from sending money to the wrong person beyond a confirmation screen, but Apple Pay defaults to the “Manually Accept Payments” setting, which means a recipient can decline a payment. You can also cancel a payment if the recipient hasn’t accepted it yet. Apple Cash’s privacy policy falls under that of Apple’s partner bank, Green Dot Bank. Under this policy, personal information is not used for marketing internally or shared with third parties. During a test transaction, we didn’t see any data sent to marketing firms. Google PayGoogle Pay works with a Google account, so you need to exchange email addresses for payment. Google Pay displays a confirmation screen to remind you to double-check the details before you send money and allows you to cancel if the recipient hasn’t accepted the payment. Google Pay’s privacy policy gets a little confusing, as it doesn’t differentiate between payments to merchants and cash payments between friends. But when we reached out to Google for comment, representatives confirmed that Google doesn’t sell user data to third parties and does not allow advertisers to target based on Google Pay data. When we monitored a transaction, no data went to third parties. Facebook PayYou send payments through the Facebook app or Facebook Messenger, so you and the other person need to be friends or to reveal your account info. Facebook Pay doesn’t have wrong-payment protection, though Facebook profiles are typically easier to distinguish than the profiles of its competitors. Facebook Pay has a privacy policy separate from Facebook, but it notes that it will share data with its parent company, Facebook, Inc. Facebook doesn’t share transaction data with third parties but may use it internally. A blog post notes how data may show up in internal marketing: “For example, if you buy a baseball glove on Facebook Marketplace, you might see an ad for a baseball bat.” In our test transaction, Facebook Pay sent nothing outside Facebook. Steps to secure a mobile payment appRegardless of which mobile payment option you use, it’s important to take a few steps to improve the security of the app:
Mobile payment apps are targets for scams partially because people don’t fully understand how they work. Once you have that knowledge, spotting fraud is much easier. And if your account has the security protections listed above, it’s less likely someone will ever break into your account. Sources
About your guideThorin Klosowski is the editor of privacy and security topics at Wirecutter. He has been writing about technology for over a decade, with an emphasis on learning by doing—which is to say, breaking things as often as possible to see how they work. For better or worse, he applies that same DIY approach to his reporting. Further reading
What is the safest way to electronically transfer money?The safest way to transfer money is to use a reputable, regulated money transfer provider or your bank account. Companies specialising in international payments, with robust security measures will help protect both parties involved in an international transaction.
What is the safest app to send money internationally?The 5 Best Apps to Transfer Money Internationally This Year. 5 Best Money Transfer Apps. ... . Wise (formerly TransferWise) ... . Revolut. ... . Remitly money transfer smartphone app. ... . OFX money transfer smartphone app. ... . Western Union money transfer smartphone app.. Which is safer venmo or cash app?Is Cash App safer than Venmo? Not necessarily. Cash App and Venmo are money transfer apps, which are inherently risky since their services involve sending money to other people. But if you stick to sending money to friends and family, you likely won't run into any issues involving scams.
|