Your Safe Payments Are Probably Not Safe: A Warning by Flexa Co-Founder Trevor Filter by Roberto Popolizio

Roberto Popolizio

Updated on: February 13, 2025


From free VPNs to popular messaging platforms, some of the most popular tools and habits you trust might actually be putting your data at risk. In this interview series by Safety Detectives, I invite cybersecurity experts to reveal the most dangerous mistakes millions of people still make, and their top tips to avoid them.

My guest today is Trevor Filter, co-founder of Flexa, a versatile digital payments platform supporting thousands of stores throughout the United States and Canada, including Nordstrom, GameStop, Lowe’s, and Petco. Previous to Flexa, Filter also built UX for American Express.

We discussed the current state of security in digital payments and the entire financial system *

* spoiler alert: it’s worse than you think.

Are there any cybersecurity habits or apps that most people still consider safe but should avoid at all costs, and why?

A lot of what people consider “safe” in payments is actually leveraging decades-old infrastructure littered with vulnerabilities.

The prime example? Traditional credit and debit card payments.

Every time you tap or swipe your card, you’re exposing not only your name, but also sensitive details that can be stolen, copied, and misused. Payment processors and banks try to patch over these risks with fraud detection and chargebacks, but that’s a reactive approach—fraud still happens at a massive scale.

Another precarious habit is using your personal information with unfamiliar websites or online retailers. Data brokers and advertising networks are constantly finding new ways to acquire information about your purchasing behavior, and when you provide sensitive details like your home address and phone number online, these can be sold to nefarious actors and matched up with your other online accounts to put you at risk.

Can you share an example of how these mistakes caused significant damage, and what could have prevented it?

Some of the most well-known breaches include the 2017 Equifax breach and the 2019 hack of Capital One, in which over 140 million credit profiles and 100 million credit card applications and accounts were exposed, respectively. In each case, hackers exploited vulnerabilities in the basic data infrastructure of these “trusted” companies, gaining access to highly sensitive personal and financial data.

These kinds of attacks highlight the fundamental weakness of traditional payments infrastructure:

When a centralized provider gets compromised, millions of users pay the price.

Matching personal information with online accounts, on the other hand, enables scammers to launch sophisticated phishing attacks on individuals both at home and in corporate environments. No wonder why experts estimate that phishing—as the most common data breach vector—now accounts for 15% of all breaches.

Why do people keep falling for these mistakes, and how can they spot the red flags?

It’s not their fault. The entire financial system—and therefore, everyday commerce—is built around these outdated and insecure structures. Credit cards, centralized payment processors, and even a majority of fintech solutions all rely on intermediaries that are vulnerable to fraud, breaches, and systemic failures. Most people don’t question it because it’s the default.

The key red flag? Any time you’re handing over sensitive payment details—like your card number, CVV, or home address—just to complete a transaction. If there’s a way to pay that doesn’t expose those credentials, that’s always the better option.

Digital assets (and especially stablecoins) enable an entirely new payment model that doesn’t require you to hand over any personal data to verify a payment or trust a third party with any sensitive credentials that can compromise your accounts.

On the flip side, do you have any lesser-known or counterintuitive tips that everyone can implement today? How do they help where traditional solutions fail?

  1. Hide your IP address on home or work networks, by signing up for a private VPN service like Mullvad or Proton VPN. Alternatively (or in addition), upgrade to iCloud+ on Apple devices and enable iCloud+ Private Relay. These simple steps will cost a small amount of money but will help prevent companies from being able to connect your online activity to your physical location.
  2. Pay with crypto instead of cards when possible! Stablecoins are especially suitable for everyday transactions because you don’t have to worry about price fluctuations. Paying with cryptocurrency will dramatically improve your privacy and spare you from exposing any sensitive payment information that could lead to theft or fraud.
  3. Use a privacy-centric browser like Brave, or Safari with content blockers (I like Wipr) to thwart trackers and keep data brokers from building a more complete profile of your browsing activity.

If someone wants to strengthen their online security and privacy, what are five steps they should take today?

  1. Use stablecoins for your everyday transactions. Stablecoins help you make secure, near-instant payments without exposing any financial credentials. Unlike traditional bank transfers or card networks, they settle on a blockchain, making them more resistant to fraud and hacks.
  2. Only store your digital assets with exchanges that are regulated by the New York Department of Financial Services, that insure asset balances, and can assert passing a SOC2 audit. Or better yet, use a self-custody wallet or a multisig storage solution for all of your crypto assets—especially those you don’t anticipate needing for a while. For multisig storage, I recommend Casa. (As they say, if you don’t hold your private keys, your assets aren’t truly yours.)
  3. If digital assets aren’t an option, use one-time-use virtual cards and hide your personal information when paying online—an excellent choice is Privacy.com. If you absolutely have to use one of your own credit or debit cards online, choose a cryptogram-enabled payment option like Apple Pay or Google Pay.
  4. Enable passkeys on any website that offers them. They’re resistant to phishing attacks and stored in the most secure way on each of your devices. If passkeys aren’t available, add a two-factor authentication method like a physical security key or turn on one-time passwords (a.k.a., authenticator codes). Although, try to avoid using SMS messages as a two-factor authentication method if you can.
  5. Use a password manager! I recommend the Passwords app on Apple devices, and 1Password for everything else. You want to make it as easy as possible to use a unique password for every account and store them in a way that’s easy to retrieve. Set aside an afternoon to update each of your financial and social media accounts with unique passwords if you have to—there’s perhaps no simpler way to level up your internet security.

Looking ahead, what opportunities and challenges should people and organizations prepare to face in 2025? What should they start doing today to get ready?

2025 is going to be a turning point for payments security. AI-driven fraud is getting more sophisticated, and traditional financial institutions are already struggling to keep up. Businesses that rely on outdated payments infrastructure will face increasing fraud costs, while consumers will demand better protection.

On the flip side, we’re seeing major advancements in digital payments that offer a more secure and efficient alternative. The adoption of stablecoins and blockchain-based payments will accelerate, especially as regulators encourage this shift. The challenge will be in getting businesses and consumers to shift their habits before another major breach forces their hand.

Companies should start integrating digital asset payment options and prioritize self-custodial security models. If you’re still relying on the old way of doing payments, you’re playing a losing game.

How can our readers connect with you?

Check out what Flexa is building and how they’re making digital payments seamless and secure!

> flexa.co

  • LinkedIn: https://www.linkedin.com/company/flexahq/
  • Blog: https://flexa.co/newsroom
  • X: https://x.com/FlexaHQ
