How Bad Are The Google Wallet Security Problems? Bad Enough
Written by Frank Hayes

Google Wallet isn’t safe, at least not on the consumer end. That’s the conclusion from security firm viaForensics’ analysis released on Monday (Dec. 12). Yes, Google does a good job of blocking man-in-the-middle attacks. And having a PIN to open the wallet restores some security that Visa stripped out when it brought Chip-and-PIN to the U.S. But Google also stores far too much customer information unencrypted on the phone—and if the phone is malware-infected or stolen, that data becomes far too easy for a thief to get at.
Fortunately, Google doesn’t need a technology magic bullet to make its mobile wallet much, much safer. Google just needs to leave a lot less information lying around on the phone—and change how it thinks about smartphones.
The security analysis by viaForensics was actually pretty encouraging when it wasn’t damning. Payment-card numbers and CVVs are locked safely in the NFC Secure Element. Almost everything else requires a PIN to get at in the Google Wallet application (the exception is the system logs, which leak a little bit of information with each transaction). If Android’s security were perfect, Google Wallet’s security would be fine, too.
But it’s not. And a cyberthief who gets access to the PIN-protected transaction databases inside the phone can learn a lot about its owner’s transactions—not enough to steal payment-card data directly, but more than enough to launch a social-engineering attack on the user. “For example, if I know your name, when you’ve used your card recently, last four digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well-armed for a successful social engineer attack,” the report concludes.
For retailers, the problem is more subtle: Mobile wallets are a great opportunity to get CRM data in something very close to real time. But that can only become a reality if customers are willing to use their phones to make purchases. If they don’t trust the phone, mobile wallets will go nowhere.
The security firm’s recommendations largely come down to “encrypt all this data, even though it’s already PIN-protected.” That’s certainly something Google should do. The real question is why Google didn’t do that from the beginning.
After all, even before mobile wallets, smartphones (and PDAs before them) have typically been stuffed with information. At the very least there are contacts, phone numbers, text messages and personal information. But some smartphone users also find their phones to be a convenient place to stash all their logins and passwords—for work, Webmail accounts and paying bills—along with PINs and keylock combinations, bank-account numbers and, in some cases, payment-card numbers, too.
That’s a privacy nightmare—and there aren’t any QSAs vetting consumers for PCI compliance.