Readers who reached out to Helsingin Sanomat have shared their experiences of receiving their own payment history from Mobilepay solely via email communication. These readers, based out of Helsinki, have raised concerns that Mobilepay’s payment application could potentially be exploited to acquire information about other users’ payment histories.
Mobilepay underwent a major update in January, which resulted in the disappearance of old payment requests from the app. Consequently, the company encouraged its customers in need of such information to reach out to their customer service via email.
Two Mobilepay users have voiced their anxieties about the company’s security measures, doubting whether its verification process effectively ensures that the person requesting the payment information is indeed the actual customer.
One user shared that he requested his payment history from Mobilepay’s customer service using an email address that he hadn’t registered with the application. This email account was specifically created for contacting customer service. In his request, he provided his name and his phone number linked to the Mobilepay application.
The exchange of messages between this user and Mobilepay’s customer service was viewed by HS. The user asked for his payment history of the previous year and provided his name and phone number registered with the Mobilepay application. He reported receiving a comprehensive payment history as an Excel file in the reply, without any additional verification.
An extract from this file viewed by HS revealed details like the timestamp of payment transactions, sender and receiver of the payment, first and last numbers of the payer’s payment card, the amount, and the payment-associated message.
A similar experience was reported by another Mobilepay user. He too received his payment history by reaching out to customer service with an email address that wasn’t registered with the application. He shared his phone number registered with Mobilepay in his message.
This user also reported that Mobilepay made no additional efforts to confirm his identity. No confirmation requests were sent to him via text or through the Mobilepay application. He voiced his concerns about the potential misuse of this process, fearing that someone could access another person’s payment history using just a phone number and name.
HS reached out to Mobilepay to ask how its customer identification process ensures that sensitive payment information doesn’t fall into the wrong hands. Responding to this, Miranda Falk, Director of Communications at Vipps Mobilepay, stated that they use an “overall assessment of sufficient identification information in relation to the customer service request” to identify customers. However, Falk refused to share further details about their customer identification criteria, citing security concerns.
Possible breaches of personal data security are dealt with by the office of the Data Protection Commissioner in Finland. Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa, while not commenting on Mobilepay’s identification processes, highlighted the importance of ensuring the security of payment history information as it can reveal a person’s financial status.
Pihamaa also pointed out the need for balance in the identification process. While making it easy for customers to access their information, data controllers must also consider the risks associated with the potential misuse of this information.
Typically, financial sector operators authenticate the identity of their customers using methods like strong identification with bank IDs. However, there are other means of authentication as well. Pihamaa suggested that under certain circumstances, a call or a text message requiring acknowledgement could serve as a verification method.
According to data protection regulations, it shouldn’t be difficult for a person to check their own data. Pihamaa noted that people rarely complain about the difficulty of checking information in the financial sector because they understand the importance of strong identification due to the sensitive nature of the information.