To prevent personal information leaks and financial losses, relevant mechanisms still need improvement.
What appears to be a convenient feature may actually pose financial security risks.
Recently, the topic of "removing Alipay account authorization" has sparked widespread discussion on social media platforms. Users discovered that in Alipay's "Personal Information Authorization Management" list, countless software applications had been granted one-click authorization to access their personal information, with many involving sensitive data such as names, phone numbers, and identification documents. Users find themselves trapped in an "authorization overload" situation, creating numerous security vulnerabilities.
"Passwordless payment/automatic deduction" represents another major risk area, with many people discovering numerous "hidden charges." Recently, Liu Yu (pseudonym), a student from Chongqing, revealed that she had activated VIP membership on an online novel reading platform last year using Alipay's passwordless payment feature. Only when checking her recent bills did she discover the VIP membership had been automatically renewing.
"It felt great when subscribing, but canceling was impossible to find. I thought it wasn't renewing, but it was silently deducting money every month. It's like a money thief - because you don't need to think about it, money disappears without you knowing," Liu Yu explained.
On September 17, Alipay responded through its official social media platform, stating that Alipay launched the "Personal Information Authorization Management" feature in 2021 for users' convenience in unified management. Additionally, besides managing authorizations in one place, users can modify privacy settings and view automatic renewal services in the "User Protection Center." In Alipay's payment settings, users can also disable the "automatic deduction" function through automatic renewal/passwordless payment settings.
**10,000 Yuan Fraudulent Charges for 10 Yuan Savings**
Currently, passwordless payment has become a common feature across various lifestyle service platforms like Taobao, Meituan, and Didi, enabling instant completion of small transactions without password input.
Investigation reveals that besides "convenience," some users activate passwordless payment functions specifically for promotional benefits. "To take advantage of first-month discounts, I often activate passwordless payment on various platforms, but I remember to disable this function afterward since I still consider it unsafe," said Mr. Wu (pseudonym), a white-collar worker from Guangdong.
Although many users remain cautious about passwordless payment or use it only for small amounts, when they pay through third-party platforms, the choice of whether to activate passwordless payment has become a "mandatory question" they face before completing payment.
For example, Ms. Wang (pseudonym) from Liaoning recently reported being forced to link Alipay passwordless payment when using an online travel service platform. "After clicking payment, the system automatically redirected to the passwordless payment activation page, requiring agreement to terms and activation of passwordless payment to proceed to the next step, without even providing a rejection option," Wang explained.
Chen Zhongtao, a lawyer at Beijing Longan (Guangzhou) Law Firm, pointed out that according to the Personal Information Protection Law, processing personal information and activating important functions like payments must obtain users' "explicit consent" and "separate consent."
This means users must actively and clearly perform the act of consenting, rather than having the choice preset to "agree" by platforms.
"Simultaneously, the E-commerce Law explicitly prohibits making bundled services default consent options. Therefore, forcing users to activate passwordless payment through default checking or hiding 'disagree' options during payment processes does not comply with legal requirements," the lawyer stated.
"Passwordless payment represents the universal direction of global mobile payment advancement," said Wang Pengbo, Chief Analyst of Financial Industry at Broadband Consulting, in an interview on September 18. "Objectively speaking, passwordless payment does present certain risk exposure. Therefore, while this feature enhances convenience, it demands higher requirements for platform risk control capabilities and user security awareness."
"Once users lose their phones or account information leaks, attackers might exploit authorized passwordless channels for continuous fraudulent charges. Additionally, some users' unclear understanding of automatic renewal rules or negligent authorization management might lead to erroneous deductions or forgotten charges, causing disputes," Wang Pengbo explained.
Actual cases show that passwordless payment functions, when exploited by criminals, can create serious security risks.
According to the China Consumers Association's August report "Analysis of Complaint Situations Handled by National Consumer Organizations in the First Half of 2025," unscrupulous merchants attract elderly people by posting "earn money by walking" or "free red packets" advertisements online, then redirect them to automatic passwordless-payment deductions for "membership fees." In April, a local court in Shaanxi published a case in which a plaintiff's lost phone was used by others for passwordless payment fraud totaling 12,000 yuan.
Social media users have also reported incidents where, after purchasing milk tea discount coupons on second-hand trading platforms, they experienced 10 fraudulent transactions within two minutes. "Just to save 10 yuan on milk tea, I used third-party link redirection to Alipay and activated passwordless payment, resulting in 10,169 yuan being charged to my Huabei account within two minutes."
The user also mentioned being typically cautious when purchasing discount packages and membership coupons on such platforms. "But this one time, I didn't consider carefully and suffered losses. We must maintain vigilance toward passwordless payments and third-party links, never being careless." Fortunately, through platform intervention, the user successfully recovered 9,990 yuan.
Wang Pengbo believes that based on past cases, fraudulent incidents more often result from individual users' device loss, account leaks, or excessive authorization risks rather than design flaws in passwordless functions themselves. "Currently, mainstream payment platforms promise 'full compensation for theft,' so users shouldn't worry too much about this aspect."
A review of WeChat Pay's relevant interface shows that if funds are stolen through WeChat passwordless payment, the customer service center offers an appeal entry for applying for compensation for stolen funds. WeChat Pay provides "million-level protection," promising compensation when users' payment accounts experience theft.
On September 18, Douyin representatives told us that Douyin Pay, in partnership with PICC Property and Casualty, provides million-level account security insurance. If account theft is confirmed, the platform compensates account fund losses (maximum annual compensation reaches 1 million yuan).
**Excessive "One-Click Authorization" Poses Risks**
Besides passwordless payment, removing Alipay account authorizations is another focus of user attention. Users report discovering over 100 authorization items in Alipay's personal information authorization management list, with the earliest authorization dates going back 10 years.
Professionals believe excessive "one-click authorization" leads to non-transparent personal information flows, creating abuse risks. "Many zombie authorizations from long-unused apps and mini-programs persist like data 'backdoors,' continuously posing security threats. Finally, authorizations linked to passwordless payments and automatic deductions directly threaten financial security, easily causing consumers to be charged unknowingly," lawyer Chen Zhongtao stated.
Wang Qiong, a lawyer at Beijing Yunting Law Firm, also believes that if users check Alipay's "Personal Information Authorization Management" and discover they've "been authorized" to certain platforms or financial apps without remembering when they agreed, this violates the Personal Information Protection Law's "separate consent" requirement. "Before platforms give your information to third parties, they must clearly tell you 'the recipient is XX, will use your XX information, for what purpose,' and must let you 'actively click agree,' not secretly bind."
To prevent personal information leaks and property losses, relevant mechanisms need improvement.
Wang Pengbo suggests platforms should adhere to "minimum necessity, informed consent, revocable" principles in authorization management, further optimizing agreement disclosure transparency, using step-by-step guidance, prominent reminders, and cooling-off periods to eliminate improper operations like "forced bundling" or "default checking."
"Simultaneously, after passwordless payment activation, platforms need to strengthen real-time alerts and interception capabilities for abnormal transactions, enhancing users' control over authorizations. For example, platforms can launch 'Personal Information Authorization Management' functions, allowing users to conveniently view all authorized third-party applications and passwordless/automatic deduction items, supporting unbinding at any time."
On the other hand, consumers can proactively take measures to prevent related risks. Collaborative governance between platforms and users can achieve an optimal balance between security and convenience in passwordless payments.
"For consumers, they should proactively and regularly review authorization lists, timely clean up unused authorization services, prioritize activating passwordless functions in trusted applications, and combine fingerprint and facial recognition biometric verification to enhance account security," Wang Pengbo stated.