Google’s PIN Pains: Will Citi Make This Wallet Safer?
Written by Frank Hayes

Google Wallet’s security problems that surfaced last week—two different ways for a thief who has stolen a phone to get access to payment cards in the digital wallet—prompted Google to block new Google Wallet provisioning for several days until the company pushed out a fix. But the vulnerabilities also highlighted a major pain point: Shifting payments from plastic card to smartphone isn’t just about technology, it’s also about getting partners to cooperate—in this case, card issuer Citi.
The big problem: The most logical and secure technology fix—moving PINs to secure hardware—is something Citi seems unwilling to do.
Here’s what happened: On February 8, security firm Zvelo reported a way that a smartphone thief could use the phone’s own hardware to calculate all possible encrypted PINs and determine which one unlocks Google Wallet. Zvelo had already reported the vulnerability to Google, which, according to Zvelo, concluded that it needed to move PIN verification to the NFC Secure Element, where payment card numbers are stored—but that would require approval from the issuing bank, in this case Citi. That hasn’t happened yet. (Google would neither confirm nor deny Zvelo’s account.)
That was Wednesday. On February 9, a blog called The Smartphone Champ reported an easier way for a thief to get through Google Wallet’s PIN security: A thief could simply clear the data from the Google Wallet app, which would then ask the thief to name his own new PIN. This would let the thief use the phone’s existing Google Wallet prepaid card but not any payment cards stored in the Secure Element.
A reminder: The Secure Element’s placement is an industry political battle. If it’s in the phone, Google controls the system; if it’s in the SIM, the carrier controls it; if it’s in an SD card, the bank controls it. So, on February 10, Google stopped provisioning new prepaid cards, which effectively blocked the name-your-own-PIN attack. The company pushed a fix out to Android phones and resumed provisioning of prepaid cards on Tuesday (Feb. 14). That fix resolved the name-your-own-PIN hole but didn’t close the Zvelo hole, which Google is reportedly still trying to get Citi to help out with.
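Why moving PIN verification into the Secure Element closes the Zvelo hole, as an added sketch that is not code from Google, Zvelo or this article: a PIN record readable on the phone can be checked against every candidate with no limit, while a verifier inside secure hardware can count failures and lock. The 4-digit PIN, the salted SHA-256 record, the 6-try limit and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumptions, not from the article: a 4-digit PIN, a salted SHA-256 record
# standing in for the "encrypted PIN", and a 6-try hardware lockout.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]
MAX_TRIES = 6

def pin_record(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()

class AppStorageVerifier:
    """Record and salt sit in app storage, readable by whoever holds the phone."""
    def __init__(self, pin: str):
        self.salt = os.urandom(8)
        self.record = pin_record(pin, self.salt)

def offline_work(v: AppStorageVerifier) -> int:
    """Hashes needed before the stored record matches; nothing limits retries."""
    for tried, cand in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(pin_record(cand, v.salt), v.record):
            return tried
    return -1  # PIN outside the modelled space

class SecureElementVerifier:
    """Record stays inside the chip; a retry counter locks it after MAX_TRIES."""
    def __init__(self, pin: str):
        self._salt = os.urandom(8)
        self._record = pin_record(pin, self._salt)
        self._left = MAX_TRIES

    def verify(self, pin: str) -> str:
        if self._left == 0:
            return "locked"
        if hmac.compare_digest(pin_record(pin, self._salt), self._record):
            self._left = MAX_TRIES  # a correct PIN resets the counter
            return "ok"
        self._left -= 1
        return "locked" if self._left == 0 else "wrong"

def online_work(se: SecureElementVerifier) -> tuple:
    """Same enumeration through verify(): returns (final status, guesses made)."""
    for tried, cand in enumerate(PIN_SPACE, start=1):
        status = se.verify(cand)
        if status != "wrong":
            return status, tried
    return "wrong", len(PIN_SPACE)

if __name__ == "__main__":
    print(offline_work(AppStorageVerifier("7391")))    # constructed sample PIN
    print(online_work(SecureElementVerifier("7391")))
```

The salt does nothing for the app-storage case because the whole PIN space is only 10,000 values; the protection in the second case comes entirely from the counter living where the phone's owner, or thief, cannot reset it.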
If all this sounds far too complicated compared to the contactless cards that Google Wallet is supposed to replace—well, yes, it is. With those plastic cards, the card number and PIN and the card’s software are all stored inside the card’s Secure Element. Only one player is involved in that decision: the issuing bank. And users would have to work mighty hard to reduce the level of security.
But with Google Wallet, there’s a phone maker, an issuing bank, a mobile operator—and Google.