What going cashless means for your privacy

Quick—when was the last time you used cash to pay for something? If you’re like many Americans today, you pay with cash a lot less frequently than you used to.

And you may end up using cash even less in the future, thanks to the influx of cashless options: Square, Google Wallet, and Apple Passbook are just a few of the convenient mobile payments systems making waves today. But even as these systems make headway into the supposedly cashless future, a couple of serious questions remain: Does a cashless future mean the end transaction-related privacy? And are cashless options fraught with security issues?

Privacy issues

In a cashless society, “privacy” in connection with payments is practically nonexistent. However, that doesn’t mean that your information—specifically, your transaction information—will be bundled up and sold to the highest bidder.

“Protecting the consumer’s identity is important to protecting their financial information and preventing spam,” says Con Mallon, senior director of mobile product management at Norton by Symantec. “With a cashless transaction, the provider and retailer have the ability to track the user’s purchasing behaviors and even some financial information—but not all providers and retailers use it.”

“If history is any indication, I believe companies and institutions that are sensitive to needs and concerns of consumers will prevail,” Mallon continues. “Entities that try to leverage the technology to capture more information about consumers—and without the consumer’s knowledge, consent, or involvement—will be called out.”

To illustrate Mallon’s point about companies that exploit customer’s transaction data, I direct your attention to a February 2012 New York Times article in which Andrew Pole, a Target statistician, describes how his job entails data-mining people’s shopping habits and analyzing what the data means. Target assigns a Guest ID to every customer who completes a cashless transaction (or who fills out a survey or email form, enters a sweepstakes, or makes a purchase online), and then tracks what that customer buys. Using this data, Target builds a profile of a customer, including (for example) whether they’re pregnant and, if so, how far along they are.

Obviously, Target isn't the only large corporation that employs data-mining techniques, so you can be fairly certain that a lot of businesses know a lot about you. However, Pole says that Target is extremely conservative about revealing to individual customers how much information it has accumulated on them. “If we send someone a catalog and say, ‘Congratulations on your first child!’ and they’ve never told us they’re pregnant, that’s going to make some people uncomfortable,” Pole says. Instead, Target takes a subtler approach, bundling ads for baby-friendly products in with regular items, so a customer will think it’s just a lucky flyer.

Apple hasn't adopted mobile payments, but Passbook in iOS 6 lets you use coupons, boarding passes, gift cards, and such from your phone.

Retailers aren’t the only ones who track consumers' purchases; banks, credit card companies, and government agencies (at various levels) look into the data, too. Banks and credit card companies are interested in tracking your transactions and building a profile so they can keep you more secure, according to David Mahdi, senior product marketing manager for digital certificate company Entrust.

“Over time, banks and credit card organizations build up a profile of you. If your card is stolen and someone buys something that is in another location (if you just purchased something in NYC, then another transaction happens in San Francisco), the system can automatically block the transaction,” Mahdi says.

So privacy invasion can be its beneficial, it seems. “I don’t think consumers should be paranoid, because in many cases the banks and credit card companies use this information to protect you,” Mahdi says. “However, I think users should question whether or not they want another loyalty card, and should know what they are giving up in order to get that coupon.”

Security issues

Security, not privacy, is the real concern when it comes to a cashless society, at least according to Robert Siciliano, an identity theft expert at McAfee.

“It’s not that the data is out there,” Siciliano says. “It’s what harm can be done with it beyond annoyances. This is why you should be selective about what you post, where you go online, and who you give your information to.”

In some ways, going cashless can offer you more security than using cash. After all, if you lose your physical wallet and a less-than-virtuous passerby picks it up, any cash it contained is gone—and untraceable. But if you lose your phone or your credit card, you can remotely wipe your device or call your credit card company before an unscrupulous finder has the chance to spend your money. Phones, online bank accounts, and credit and debit cards come with security measures in place—passwords, PIN codes, and signatures, for example—while cash does not.

Mobile payment systems like Google Wallet can be convenient if you need your afternoon candy fix.

Of course, malefactors may succeed in bypassing or tampering with those security measures. And if a hacker who happens to have additional information about you—such as your birth date, your hometown, or your mother’s maiden name—can do a lot of damage. If you lose $500 in cash, you’re out $500. But if you lose your identity, a hacker can erase data, open credit lines in your name, and spend all of your life savings.

Because mobile payment systems are still relatively new, their creators are still working out the kinks. In February, security firm Zvelo discovered that a brute-force attack could crack PINs in Google Wallet, Google’s NFC-based payments system. In September, mobile security firm MWR Labs demonstrated at the Mobile Pwn2Own contest a way to hack a Samsung Galaxy S III via its NFC technology. And in February at the Shmoocon hacker conference, security firm Recursion Ventures showed how a knowledgeable person equipped with about $350 worth of hardware  with about $350 worth of equipment could wirelessly read RFID-equipped credit cards.

“Ones and zeros are what make up most of our cashless society today,” Siciliano says. “There are acts of God that could wipe it out, and acts of terror that may try. As with a cash society, there will never be a fully safe cashless society as long as greed, theft, addiction, poverty, and any other human ailments exist.”

Cash is here to stay

In Sweden, cash is already banned on public buses, in a small number of businesses, and in some bank offices. In 2010, Diane Campbell made news when she saved up $600 for an iPad only to be refused service at the Apple store in Palo Alto, California, because the store “would not accept cash” (the company later reversed this policy). And Starbucks has partnered with Square to make paying for coffee without dollar bills and coins as convenient as possible.

To many observers, the cashless future may seem to be approaching at a gallop.

But that’s probably not the case. After all, cash is easy to use and fairly anonymous, and it can go through a couple of wash cycles without getting too beat up to use (unlike your NFC-equipped smartphone). It also involves less overhead, since credit card companies, banks, and mobile payments services don’t take a cut from cash transactions (aside from ATM or teller fees to get the cash out of your account). And finally, the nation as a whole isn’t ready for a cashless society: 30 million Americans do not have bank accounts.

“I think that we will likely continue to have a mixed model of cashless and traditional cash transactions,” Mallon says. “Significant change like this cannot be forced—cultural and societal habits and norms are inhibitors and need to be respected.”

This story, "What going cashless means for your privacy" was originally published by TechHive.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon