The world of mobile payments took a step forward in September when the Google Wallet was rolled out. The mobile application provides secure storage of payment information and uses near field communication (NFC) to complete a transaction. It takes a simple tap of the phone to make a purchase.
The Google Wallet is only available to Sprint customers with Samsung Nexus S 4G or Samsung Galaxy Nexus smart phones. So, the app isn’t exactly spreading like wildfire. Besides being limited to one type of phone in the U.S., questions are being raised about the security of the app.
ViaForensics, a digital forensics firm specializing in mobile security, released an analysis of the Google Wallet at the end of 2011. The analysis found that while the Wallet is generally secure, it leaves too much information unencrypted on the phone.
ViaForensics reported its findings to Google, and Chief Investigative Officer Andrew Hoog says his team worked with Google for about a week. “There were a number of issues that were indeed fixed and then rolled out. We give them a lot of credit for engaging in that process,” says Hoog. “However, there was still enough information stored on the device that we did not feel that we could give it a passing grade.”
The information left behind included the user’s email address, credit card balances, payment due dates, and the last four digits of the card. “If somebody was trying to take over your identity, they could use this information to either pose as you or act like they’re your credit card company and try to get you to release the additional information they need,” says Hoag.
Hoog recommends that on the device Google store only the information that is absolutely needed and that any crucial information be PIN encrypted. To use Google Wallet for a transaction an individual enters a PIN to transmit payment data. A potential fraudster, however, could find the data that is left behind on the handset. To this point, Google has not followed the advice to PIN-encrypt that data. “Generally speaking, for a lot of app developers, having a consumer type in a PIN or a password in order to get into the application is an extra step that they really want to avoid. So much about mobile is give me the information fast, make it very easy, don’t get in my way,” says Hoog.
Speed and convenience are probably keeping Google from making such changes, says George Peabody, director of Emerging Technologies Advisory Service at Mercator Advisory Group. “A point of sale transaction has got to go through quickly. If it has to establish a link over a wireless connection to some back end service, some cloud based service, how long is that going to take and how would that affect the speed of the transaction for the consumer and for the merchant?” he asks. “The speed of transaction for merchants for a quick service restaurant is really, really important. In that domain, milliseconds matter. Caching data in a local device has long been a strategy to obviate performance concerns. But if that’s going to be the case, then it has to be stored in such a manner that it’s not in the clear and can’t be compromised.”
Hoog thinks the Google Wallet holds plenty of promise for users. They may like having PIN encrypted data in a device they carry all the time. They may prefer to tap their phone instead of fishing for a physical card to swipe. “As a consumer I enjoy using it and look forward to maybe some of these security enhancements being put in place,” says Hoog.
“On the flip side, if you say ‘if somebody did get their hands on this information, it would place my identity or my finances at risk,’ then I think you’d decide to wait. I think it’s likely that Google will address some of these issues. All of the payment vendors realize security is going to be very, very important for consumer adoption,” says Hoog.
Peabody thinks it will take a lot of work for Google to move beyond the fear factor that potential customers have regarding security. He says Google and mobile operators will have to work in concert to convince skeptical consumers that the Wallet is a secure method of payment. “When people see it being done and the experience is successful, that’s when adoption starts to take off. Unfortunately, there are a lot of barriers to payments being successful right now. I’m concerned about the NFC ecosystem where all the participants are blocking access and not able to work together.”
Peabody says NFC is a technology that could benefit everybody in the ecosystem, but consumers don’t yet have a consistent experience between merchants, banks and mobile operators. That, he says, will slow adoption of the Google Wallet. He also thinks the technology itself has a long way to go before it can become widespread.
“It’s still very early days. This looks to me like a classic case of technology maturation. The number of people actually able to use Google Wallet is really small … they’ve got to be on Sprint. The number of handsets that are NFC equipped is still very low, in the tens of thousands. So, we’re absolutely in the pilot stage of NFC and mobile-based wallets.”
Bottom line for Hoog is that anyone concerned about the type of data stored should probably hold off getting the Google Wallet. “Our goal is to make sure that they have as much information about what is stored and how it’s transmitted. That way they can make their own decision whether the convenience and the value of the application outweighs any perceived security risks,” says Hoog.
Google dealing with more Wallet hacks
Google had to deal with additional attacks to its Wallet application in early February. First, Web security provider Zvelo uncovered a way crack the Google Wallet PIN security feature. Using an app called “Wallet Cracker,” Zvelo was able to expose the PIN of a Google Wallet account without entering a single invalid attempt, thus bypassing the security feature that locks the wallet following five invalid attempts.
The hackers used a brute force attack because the Wallet’s PIN was stored in the application. The attack was only possible on a device that has been “rooted” to enable application to be added.
Osama Bedier, Google Wallet and Payments vice president, said that any vulnerabilities to the PIN feature are due to misuse, rather than a flaw in design. “Sometimes users choose to disable important security mechanisms in order to gain system-level ‘root’ access to their phone,” said Bedier. “We strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones. That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device.
A problem was also discovered with the prepaid accounts that Google offers users. An individual who obtained another’s phone could simply clear the data in the app settings, forcing Google Wallet to reset and prompting the user to establish a new PIN. Using the new PIN, the original Google PrePaid card that was linked to the account is once again accessible.
Google recognized the weakness and shut down the prepaid system, which was fixed a couple of days later.