Google Wallet security has a weakness

Google has gone to great lengths to ensure the security of the Google Wallet mobile payment system, but it has a weak link.

Google unveiled details of Google Wallet this week. Google Wallet is an ambitious mobile payment plan designed to let your Android smartphone be your wallet, but you should consider very carefully just how secure your credit card data will be in Google Wallet.

Don't get me wrong, Google understands the inherent security risks of storing credit card information, and it has gone to great lengths to ensure sensitive data is protected in every way possible. But, at the end of the security chain is an "authorized" Android app, and that is the Achilles heel of Google Wallet security.

Consider the whole system, and the steps of the process. On the processing end, you really have nothing to worry about. The NFC technology used by Google is no different from the wireless signals used in many credit and debit cards, or in gas station tap-to-pay systems, today.

I can already tap properly-equipped payment terminals -- like those at most McDonald's -- to make payments with my Chase Bank debit card, so doing the same thing with my smartphone wouldn't be any less secure per se. On the back end, the processing and storage of my credit card information is still being protected by the PCI-DSS (payment card industry data security standards) rules that govern such things.

That credit card data is also stored on the Android smartphone. But, Android smartphones equipped for NFC mobile payments have a separate chip to store the sensitive credit card data. The credit card information is encrypted and the chip itself is tamper proof. Seems secure enough, even if a thief has physical possession of the smartphone.

Then comes the weak link -- the Android app. Here too, Google has done its part and developed a system that relies on a PIN from the user to open the app or initiate a transaction using Google Wallet. That alone represents one weak point in Google Wallet's security. Have you seen the kinds of passwords people use because they can't be bothered to remember something more complex? How many Google Wallet PINs will end up being "1111", or "1234", or something equally trivial to guess?
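The PIN problem above is one a wallet app can partly address on its own side: refuse PINs that are trivially guessable, and cap the number of wrong guesses so that even a four-digit PIN cannot simply be brute-forced. The following is an added example written for this article, not code from Google or the Google Wallet app; the blocklist of common PINs, the attempt limit and the pattern rules are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List

# Constructed blocklist of frequently chosen PINs (an assumption for this example,
# not a figure from the article). A real deployment would use a larger list.
COMMON_PINS = {"0000", "1111", "1234", "4321", "1212", "2580", "0852", "2000", "1998"}


def is_repeated_digit(pin: str) -> bool:
    """True for PINs such as 1111 or 7777."""
    return len(set(pin)) == 1


def is_sequence(pin: str) -> bool:
    """True for strictly ascending or descending runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_pair(pin: str) -> bool:
    """True for a short pattern doubled, such as 1212 or 123123."""
    half = len(pin) // 2
    return len(pin) % 2 == 0 and pin[:half] * 2 == pin


def evaluate_pin(pin: str, min_length: int = 4) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"PIN must be at least {min_length} digits")
    if pin in COMMON_PINS:
        problems.append("PIN is on the common-PIN blocklist")
    if is_repeated_digit(pin):
        problems.append("PIN is a single repeated digit")
    if is_sequence(pin):
        problems.append("PIN is a simple ascending/descending sequence")
    if is_repeated_pair(pin):
        problems.append("PIN is a repeated pair pattern")
    return problems


class PinGate:
    """Stores a PIN as a salted hash and locks after too many wrong attempts.

    The attempt limit is the second half of the defence: a short PIN is only
    tolerable when an attacker gets a handful of online guesses, not thousands.
    """

    def __init__(self, pin: str, max_attempts: int = 5):
        violations = evaluate_pin(pin)
        if violations:
            raise ValueError("; ".join(violations))
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self.max_attempts = max_attempts
        self.failures = 0

    def _derive(self, pin: str) -> bytes:
        # Slow hash so an extracted digest is still expensive to brute-force offline.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, attempt: str) -> bool:
        """True only if the gate is not locked and the attempt matches."""
        if self.locked:
            return False
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if hmac.compare_digest(self._derive(attempt), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    for candidate in ("1234", "1111", "7391"):
        print(candidate, evaluate_pin(candidate) or "acceptable")
```

Rejecting the obvious PINs narrows the guessing space a little, but the lockout is what actually protects a four-digit secret; without it, 10,000 guesses at a tap terminal's pace is not a meaningful barrier.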

But, even with a strong PIN in place, if there is one Android app that can access the encrypted credit card data and process payments, then it is possible for malicious developers to create other apps, or spoof the Google Wallet app somehow to access that sensitive data as well.

Jimmy Shah, mobile security researcher at McAfee Labs, points out in a blog post that the secure chip that stores the credit card information uses asymmetric encryption for authentication -- implying that the Google Wallet app contains the key necessary to authenticate and access the data.

Shah says, "The next step would be to create a malicious application that emulates the official Wallet app to fool the "secure element" chip into giving up your credentials. From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards."

On an iPhone this might be less of a concern because of the walled garden approach and the fact that iPhone apps have to get past the Apple gatekeepers first. But, with the "open" environment of Android, and all of the various unofficial Android app marketplaces out there, distributing a malicious app capable of cracking Google Wallet might not be too difficult.

I am not trying to suggest that Google Wallet is completely insecure, or to scare you away from using it. I am still looking forward to the day when mobile payments using a smartphone become a mainstream method of doing business. But I do think you need to be aware of the potential security holes in the system so you can exercise an appropriate level of caution when using Google Wallet.


Tony Bradley

PC World (US online)