Google’s PIN Pains: Will Citi Make This Wallet Safer?

Written by Frank Hayes
February 16th, 2012

Google Wallet’s security problems that surfaced last week—two different ways for a thief who has stolen a phone to get access to payment cards in the digital wallet—prompted Google to block new Google Wallet provisioning for several days until the company pushed out a fix. But the vulnerabilities also highlighted a major pain point: Shifting payments from plastic card to smartphone isn’t just about technology, it’s also about getting partners to cooperate—in this case, card issuer Citi.

The big problem: The most logical and secure technology fix—moving PINs to secure hardware—is something Citi seems unwilling to do.

Here’s what happened: On February 8, security firm Zvelo reported a way that a smartphone thief could use the phone’s own hardware to calculate all possible encrypted PINs and determine which one unlocks Google Wallet. Zvelo had already reported the vulnerability to Google, which according to Zvelo concluded that it needed to move PIN verification to the NFC Secure Element, where payment card numbers are stored—but that would require approval from the issuing bank, in this case Citi. That hasn’t happened yet. (Google would neither confirm nor deny Zvelo’s account.)

That was Wednesday. On February 9, a blog called The Smartphone Champ reported an easier way for a thief to get through Google Wallet’s PIN security: A thief could simply clear the data from the Google Wallet app, which would then ask the thief to name his own new PIN. This would let the thief use the phone’s existing Google Wallet prepaid card but not any payment cards stored in the Secure Element.

A reminder: The Secure Element’s placement is an industry political battle. If it’s in the phone, Google controls the system; if it’s in the SIM, the carrier controls it; if it’s in an SD card, the bank controls it. So, on February 10, Google stopped provisioning new prepaid cards, which effectively blocked the name-your-own-PIN attack. The company pushed a fix out to Android phones and resumed provisioning of prepaid cards on Tuesday (Feb. 14). That fix resolved the name-your-own-PIN hole but didn’t close the Zvelo hole, which Google is reportedly still trying to get Citi to help out with.
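Why moving PIN verification into the Secure Element closes the Zvelo hole, as an added sketch that is not code from the article, Zvelo or Google: a PIN value that can be checked outside the hardware can be tested against every possible PIN, while a verifier inside the hardware can count attempts and lock. The 4-digit PIN length, the salted SHA-256 standing in for the stored "encrypted PIN", the three-try limit and all names and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac

PIN_DIGITS = 4  # assumption: PIN length is not stated in the article
MAX_TRIES = 3   # assumption: retry limit enforced by the hardware model

def pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256, standing in for the 'encrypted PIN' held in app storage."""
    return hashlib.sha256(salt + pin.encode()).digest()

def offline_search(stored: bytes, salt: bytes):
    """Whoever holds the stored value can test the whole PIN space unthrottled."""
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(pin_hash(candidate, salt), stored):
            return candidate, n + 1
    return None, 10 ** PIN_DIGITS

class SecureElementVerifier:
    """Model of in-hardware PIN checking: the reference PIN never leaves
    the object, and a retry counter gates every attempt."""

    def __init__(self, pin: str):
        self._pin = pin
        self._tries_left = MAX_TRIES

    def verify(self, candidate: str) -> bool:
        if self._tries_left == 0:
            return False  # locked until the issuer resets it
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self._tries_left = MAX_TRIES
            return True
        self._tries_left -= 1
        return False

def guesses_before_lock(se: SecureElementVerifier):
    """The same sequential search against the hardware model: (attempts, found)."""
    for attempts in range(1, 10 ** PIN_DIGITS + 1):
        if se.verify(f"{attempts - 1:0{PIN_DIGITS}d}"):
            return attempts, True
        if se._tries_left == 0:
            return attempts, False
    return 10 ** PIN_DIGITS, False

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample values
    print(offline_search(pin_hash("7391", salt), salt))
    print(guesses_before_lock(SecureElementVerifier("7391")))
```

A slower hash does not change the first result much, because the search space is only 10,000 values; the attempt counter is what bounds the second.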

If all this sounds far too complicated compared to the contactless cards that Google Wallet is supposed to replace—well, yes, it is. With those plastic cards, the card number and PIN and the card’s software are all stored inside the card’s Secure Element. Only one player is involved in that decision: the issuing bank. And users would have to work mighty hard to reduce the level of security.

But with Google Wallet, there’s a phone maker, an issuing bank, a mobile operator—and Google.

