This is page 2 of:
Google’s PIN Pains: Will Citi Make This Wallet Safer?
But with Google Wallet, there’s a phone maker, an issuing bank, a mobile operator and Google, all of which have a say in how the phone works (including any mobile payment scheme it supports). Users get to chime in, too: For convenience, users can set the Google Wallet PIN to last for as long as 30 minutesbefore it has to be keyed in again. That’s a long way from the security level of that plastic contactless PIN card.
It’s because the Google Wallet PIN isn’t validated inside the phone’s Secure Element that attacks like the ones published last week are possible. The easiest way to make Google Wallet almost as secure as a contactless card is to move PIN validation inside the Secure Element.
But that requires the cooperation of the issuing bank, as the Zvelo researchers pointed out. Although Google won’t confirm Zvelo’s description of the situation, there’s no real reason to doubt it: “The fear is that Google might no longer be responsible for the security of the PIN, but rather the banks themselves. If this is in fact the case, then the banks may need to follow their own policies and regulations regarding ATM PIN security which obviously, and rightly, receive a great deal of scrutiny.”
Zvelo’s post continues: “At present, the decision is in the banks’ hands. They may actually choose to accept the risk imposed by this vulnerability rather than incur the financial and administrative overhead of allowing Google to release a proper fix” and thereby potentially put the banks on the hook for the PIN security.
“The banks” is a generous way of putting it. Right now, Citi is the only bank whose payment cards can be installed in Google Wallet. And it’s presumably Citi that is preventing Google from moving PIN verification to inside the Secure Element, so the phone version would be much closer to the plastic version in its security approach. (In fairness, Google may be negotiating with other issuing banks, just as it recently started allowing NFC-equipped Android phones from AT&T to install Google Wallet.)
Naturally, it’s not just Citi’s apparent reticence that would be a problem if the PIN goes into the phone’s Secure Element. That would also make it harder for Google Wallet to control other payment card numbers—if, say, the phone also contains a SIM with an additional Secure Element, and maybe an SD card with yet another Secure Element.
How would that work?
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
