From smart speakers that wait on your every command to fitness bands that track your steps, devices that connect to the internet are sure to be a hot item this holiday season.
One of the benefits of the so-called Internet of Things (IoT) is the ease of payments. For instance, there are smart toothbrushes that can track usage and prompt you when it’s time to buy a new brush head. With a click of a button, a replacement is on its way.
About half of consumers say they are comfortable with connected devices ordering items on their behalf, although 78 percent said they want a heads-up first. That’s according to a recent survey by payments firm Worldpay of more than 20,000 people across the globe, including 2,025 in the U.S.
Before you set up accounts with companies offering IoT devices and share your payment information with them, here are a few things to consider.
Is this a fair trade?
Connected devices can make things easier, but letting a company keep your credit card number on file carries risks.
In a world stuffed with too many usernames and too many passwords, IoT connected devices further multiply the sites where you personal information is stored, expanding your exposure to fraudsters.
Security experts suggest you should limit your digital footprint. Adding accounts for connected devices will not help limit the chances of having your information end up on the dark web.
“We are learning that many connected device makers have a spotty record on security,” says Ashley Boyd, vice president of advocacy at software developer Mozilla. “When linking a credit card to apps and internet-connected devices, consumers should ask themselves: Does the value outweigh the risk? Does this company have a record of and reputation for protecting consumer data?”
If you find that the trade-off might be worth it, consider taking these steps.
Maintain good digital hygiene
You should know this rule by now, but it’s worth repeating: Pick a strong username and password. Use ones that you’ve never used before.
“Sure, you’ve heard this before. But there’s a reason: It works,” says Mike Butera, head of retail for Fifth Third Bank. “Use a combination of capital and lower-case letters. Also consider using the first letter of words in a phrase or a song to create a password. Substituting numbers for some words or letters will help with password be stronger.”
Also, remembering multiple combinations can be exhausting, so consider a password manager. In that case, you only need to remember one very strong password. It handles the rest. There are several companies that offer this service, typically for a relatively low monthly fee.
Add extra layers of security
If a vendor offers two-factor authentication, use it. Two-factor authentication adds another layer of security by sending you a code—typically via text—that you must enter to access an account.
Other options include adding a pin code to an account. For instance, Capital One suggests adding a four-digital personal key to its integration with Amazon products that support the Alexa virtual assistant. This is particularly helpful for roommates who share an Echo. In this case, you’d need to say the passcode to verify your identity before being able to interact with your Capital One account.
If biometrics, like a fingerprint reader via mobile or a voiceprint, are available, use those, too.
Ultimately, adding security factors beyond a username and password to your account is going to lessen the chance of cyber criminals taking it over.
With the rise of apps and subscription services, a lot payments are happening automatically. Ease of use, particularly around payments, is part of the appeal for services like Uber.
But consumers still need to track where their money is going. Butera urges consumers to review their statements and look for anything out of the ordinary. Mobile banking has made this really easy.
Also, take advantage of your bank’s alert systems. Fifth Third allows more than 25 alerts, ranging from low balance alerts to alerts for each transaction.
“Alerts increasingly are becoming a way that consumers manage their money,” Butera said. “Customers use our alerts to stay in control of their finances and track where their money is being spent.”
Tokenize your payments
The best way for companies to protect stored payment data is by tokenizing it. In this approach, companies store and use a version of your card number—a so-called token—rather than the actual card number.
Apple Pay, for instance, uses tokens. But figuring out if a company is using this process might involve some legwork, such as calling the company or reading the disclosure forms you often skip.
Alternatively, there are companies, including Token and Privacy.com, that tokenize your information for you. Think of them as password managers, but for your payment cards. While each company has its own approach, both limit the number of companies that have your actual credit card number by creating virtual card numbers for different accounts or transactions.
The added benefit of using these so-called burner cards is that your whole payments ecosystem isn’t upended if one account is compromised. If you use one credit card for everything today and one of your subscription services is breached, you’d alert your bank, cancel the card, get a new one and have to send the new card number with every company that automatically charges your account, like Netflix or Spotify. If you tokenized service, you’d only have to regenerate a card number for that one account.
Yana Zaidiner, co-founder and chief operating officer of Token, says people need to remember that while companies should keep our data safe, that’s often not their main function. That can cause problems, so customers ought to do what they can to protect themselves.
“If people want to enjoy both convenience and security—which they should—they should consider how comfortable they are linking a bank account to their device, and what kinds of safeguards they want to put in place,” Zaidiner said.