Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Google Wallet security has a weakness

Google has gone to great lengths to ensure the security of the Google Wallet mobile payment system, but it has a weak link.

Google unveiled details of Google Wallet this week. Google Wallet is an ambitious mobile payment plan designed to let your Android smartphone be your wallet, but you should consider very carefully just how secure your credit card data will be in Google Wallet.

Don't get me wrong, Google understands the inherent security risks of storing credit card information, and it has gone to great lengths to ensure sensitive data is protected in every way possible. But, at the end of the security chain is an "authorized" Android app, and that is the Achilles heel of Google Wallet security.

Consider the whole system, and the steps of the process. On the processing end, you really have nothing to worry about. The NFC technology used by Google is not any different than the wireless signals used in many credit and debit cards, or gas station swipe-to-pay systems now.

I can already tap properly-equipped payment terminals -- like those at most McDonald's -- to make payments with my Chase Bank debit card, so doing the same thing with my smartphone wouldn't be any less secure per se. On the back end, the processing and storage of my credit card information is still being protected by the PCI-DSS (payment card industry data security standards) rules that govern such things.

That credit card data is also stored on the Android smartphone. But, Android smartphones equipped for NFC mobile payments have a separate chip to store the sensitive credit card data. The credit card information is encrypted and the chip itself is tamper proof. Seems secure enough, even if a thief has physical possession of the smartphone.

Then comes the weak link -- the Android app. Here too, Google has done its part and developed a system that relies on a PIN from the user to open the app or initiate a transaction using Google Wallet. That alone represents one weak point in the Google Wallet security. Have you seen the kinds of passwords people use because they can't be bothered to remember something more complex? How many Google Wallet PINs will end up being "1111", or "1234", or something equally trivial to guess?

But, even with a strong PIN in place, if there is one Android app that can access the encrypted credit card data and process payments, then it is possible for malicious developers to create other apps, or spoof the Google Wallet app somehow to access that sensitive data as well.

Jimmy Shah, mobile security researcher at McAfee Labs, points out in a blog post that the secure chip that stores the credit card information uses assymetric encryption for authentication -- implying that the Google Wallet app contains the key necessary to authenticate and access the data.

Shah says, "The next step would be to create a malicious application that emulates the official Wallet app to fool the "secure element" chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards."

On an iPhone this might be less of a concern because of the walled garden approach and the fact that iPhone apps have to get past the Apple gatekeepers first. But, with the "open" environment of Android, and all of the various unofficial Android app marketplaces out there, distributing a malicious app capable of cracking Google Wallet might not be too difficult.

I am not trying to suggest that Google Wallet is completely insecure, or scare you away from using it. I am still looking forward to the day when mobile payments using a smartphone becomes a mainstream method of doing business. But, I do think you need to be aware of the potential security holes in the system so you can exercise an appropriate level of caution when using Google Wallet.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Apple, Google, McAfee, McDonald's, NFC
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Android, applications, consumer electronics, data protection, Google, McDonald's, Phones, security, software
Latest Blog Posts
Whitepapers
  • Oracle Database 11g Product Family
    Oracle Database 11g is available in a variety of editions tailored to meet the business and IT needs of all organisations. This paper outlines the features and options available with each edition of Oracle Database 11g. Read on for more details.
    Learn more »
  • Endpoint Buyers Guide
    In this Endpoint Buyers Guide, we examine the top vendors according to market share and industry analysis: Kaspersky Lab, McAfee, Sophos, Symantec and Trend Micro. Each vendor’s solutions are evaluated according to: Product features and capabilities, Effectiveness, Performance, Usability, Data protection and Technical support.
    Learn more »
  • Get the Whole Picture Why Most Organizations Miss User Response Monitoring—and What to Do About It
    You can be armed with vast amounts of performance metrics, but if you don’t know what users are actually experiencing, you don’t have the real performance picture. While this measure is critical, it is one many organizations fail to consistently capture. This guide looks at the challenges of user response monitoring, and it shows how you can overcome these challenges and start to get a real handle on your infrastructure performance and how it impacts your users’ experience.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments