Using 'autofill' for card info is convenient, but is it safe?


You have your payment information locked into your PayPal One Touch, your iCloud Keychain and the autofill settings on your computer. Shopping online, ordering takeout and calling an Uber couldn't be easier or faster. But how safe is it to let apps and websites remember your banking information?

"There is no such thing as 100 per cent security," says Robert Siciliano, a personal security and identity theft expert.

"It is generally not a good idea to allow various websites to store your credit card information," he says. "On sites that I may use frequently, such as Amazon, I may allow it. However, another site that I might use once a year or maybe never again, of course not."

Online security is easy pickings for scammers, too, says Rodger Desai, chief financial officer of mobile-security authentication company PayFone. Consumers are putting a lot of security on the line for convenience, he says.

"The fraudsters make $6 billion per year on counterfeiting plastic credit cards," he says. "They will look online for new soft targets."

Here's how these experts navigate the world of digital payments so they're balancing security with convenience.

Some sites are safer than others
Auto-filling payment information on websites has been an option since the beginning of e-commerce in the late 1990s, Siciliano says. But its popularity really took off with the rollout of EMV technology - what we know as chip cards - that help to authenticate and secure transactions, Desai says.

After that, consumers saw the proliferation of apps, express online checkouts and one-touch payments.

The experts trust major services, such as Uber, PayPal and JustEat.

"Sites like these generally have a robust security," Siciliano says. They're used by millions of people around the world, so these giants need to make sure consumers' payment information is protected.

These big names, such as Amazon, often have silent authentication behind the scenes, Desai says, which provides an extra layer of safety that smaller-name sites might not have.

Siciliano suggests trusting almost no sites, though.

"Very few sites hold my personal information," he says. He adds you're better off manually inputting your information on websites, rather than keeping your credit card details stored.

Mistakes consumers make
There are simple, common mistakes consumers make when it comes to security, and it's not all dependent on website security. For starters, many consumers don't safeguard passwords.

It's up to you to come up with passwords and PINs that aren't easy to guess. It's not wise to use your name, relatives' names, birthdates or phone numbers. Passwords shouldn't be addresses, social insurance numbers or bank numbers, either. Otherwise, you're handing fraudsters the keys to your accounts.

"Using the same password across multiple critical accounts is probably the biggest mistake the consumers make," Siciliano says. "It is essential that consumers use a different password for all sites."

Siciliano knows remembering passwords gets tricky with so many in play. Use a password manager that will enter your data upon request, he says.

Desai says another common mistake consumers make is not setting up a two-factor authentication. With this feature, if someone is trying to get into your account (or if you lock yourself out), your bank, Gmail or other service will text or email you a code to get back into your account. It's an extra layer of protection that halts fraudsters when they're trying to get into your accounts.

How to take matters into your own hands
Convenience comes at a price - data breaches, fraudulent purchases and other issues come up regularly.

"It is backfiring every day," Siciliano says. "Every single data breach we hear about is as a result of lazy security password reuse and the conveniences of technology and, of course, allowing our information to be stored in multiple places."

You can take control of your situation by frequently poring over your credit card statements and transactions online.

Keep in mind, Canadian credit card companies have zero liability policies, so if you're safeguarding your password and doing what you can to manage online security, you won't be held responsible if unauthorized purchases are made on your card.

"Go to your credit card company or bank's website and set up alerts and notifications to keep you aware of every charge and transaction in real time," Siciliano says.

While you may be logged into various apps and payment tools, the alerts will help you spot a purchase that isn't yours right away. Your creditor can then freeze your card, reverse the purchase and send you new cards, for example.

And if nothing else, you can go back to shopping in-store.

"Everything we do online now is purely for convenience," Siciliano says. "If we went back to the days of paying cash or credit card in person we would face far less risk."

See related: How to secure your phone to keep financial data safe, Are you being safe with your account info -- or paranoid?, Is there privacy in a cashless society?
Published March 21, 2017

Most recent Legal, regulatory, privacy Stories