How Bad Are The Google Wallet Security Problems? Bad Enough

Written by Frank Hayes
December 14th, 2011

Google Wallet isn’t safe, at least not on the consumer end. That’s the conclusion from security firm viaForensics’ analysis released on Monday (Dec. 12). Yes, Google does a good job of blocking man-in-the-middle attacks. And having a PIN to open the wallet restores some security that Visa stripped out when it brought Chip-and-PIN to the U.S. But Google also stores far too much customer information unencrypted on the phone—and if the phone is malware-infected or stolen, that data becomes far too easy for a thief to get at.

Fortunately, Google doesn’t need a technology magic bullet to make its mobile wallet much, much safer. Google just needs to leave a lot less information lying around on the phone—and change how it thinks about smartphones.

The security analysis by viaForensics was actually pretty encouraging when it wasn’t damning. Payment-card numbers and CVVs are locked safely in the NFC Secure Element. Almost everything else requires a PIN to get at in the Google Wallet application (the exception is the system logs, which leak a little bit of information with each transaction). If Android’s security were perfect, Google Wallet’s security would be fine, too.

But it’s not. And a cyberthief who gets access to the PIN-protected transaction databases inside the phone can learn a lot about its owner’s transactions—not enough to steal payment-card data directly, but more than enough to launch a social-engineering attack on the user. “For example, if I know your name, when you’ve used your card recently, last four digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well-armed for a successful social engineer attack,” the report concludes.

For retailers, the problem is more subtle: Mobile wallets are a great opportunity to get CRM data in something very close to real time. But that can only become a reality if customers are willing to use their phones to make purchases. If they don’t trust the phone, mobile wallets will go nowhere.

The security firm’s recommendations largely come down to “encrypt all this data, even though it’s already PIN-protected.” That’s certainly something Google should do. The real question is why Google didn’t do that from the beginning.

After all, even before mobile wallets, smartphones (and PDAs before them) have typically been stuffed with information. At the very least there are contacts, phone numbers, text messages and personal information. But some smartphone users also find their phones to be a convenient place to stash all their logins and passwords—for work, Webmail accounts and paying bills—along with PINs and keylock combinations, bank-account numbers and, in some cases, payment-card numbers, too.

That’s a privacy nightmare—and there aren’t any QSAs vetting consumers for PCI compliance.

