Mobile wallets are attracting a lot of the wrong kind of attention, from hackers, faux hackers, and business disputes that have security overtones — all suggesting that despite the best efforts of firms such as Google to shore up defenses, the contactless payments safety issue is a shadow that won't go away.
"There is concern that the technology can be hacked. Consumers are always going to wonder. And so when we look at Google in particular, we see the trust among consumers is low, and so when these [reports of vulnerabilities] happen it's not going to help. It's going to hurt the perception among consumers," says Mary Monahan, executive vice president and research director at Javelin Research and Strategy.
Google's been hamstrung by questions about its mobile wallet security for some time, and in the past week has been hit with bad reports on two fronts — a dispute with a large Australian bank and chatter about vulnerabilities at the upcoming Olympics.
According to local press reports, Australia's Commonwealth Bank (CBA) is in dispute with Google (GOOG) over an alleged lag in development of Android near field communication (NFC) technology that has a potential impact on payment security as well as business interests connected to the Google Wallet in that country. The bank, which did not respond to requests for comment by Tuesday morning, claims locally available Android smartphones only have the radio transmitting portion of NFC enabled, but not the "secure element" that's necessary to safely process payment transactions. The definition of secure element varies, but it's generally the encrypted storage device that contains payment data, protects that data from hackers, and runs payment transactions.
The secure element dispute is not just about security, and Commonwealth Bank is not saying mobile payments in general are unsafe. The secure element is often a hot-button issue in mobile payments, since the party that possesses the secure element is in the best position to negotiate revenue- and fee-sharing agreements among mobile payment participants. But Commonwealth Bank is partly referencing security, saying the secure element needs to be provided by Google or handset manufacturers before the bank can offer secure NFC payments on Android devices — something the bank says it wishes to do. Google also did not return requests for comment. The bank claims Google has not given it a timeline for the availability of the secure element.
The bank recently extended its mobile commerce product, Kaching, to Android sans NFC-enabled payments, and has updated Kaching to accept Facebook payments. Commonwealth Bank is also quite active in other areas of mobile payments. This week it released an alternative to Square, in which a piece of hardware attached to the Apple iPod Touch, iPhone 4 or iPhone 4S enables the mobile device to be used as a merchant terminal to accept payments.
While security is only one component of the NFC-related haggling between Commonwealth Bank and Google, analysts say it adds to the series of issues Google has faced regarding security as it attempts to build a mobile payments network to rival other efforts such as ISIS. Google says it has been shoring up security for its mobile wallet application, but a series of publicized hacks, mostly staged attacks by third parties such as researchers demonstrating vulnerabilities, is creating a broader narrative of safety concerns surrounding the Google Wallet that's slow to fade.
"They keep getting back into the news, and whenever that happens, whenever the vulnerabilities keep coming up, it's going to hurt the perception of the mobile wallet in customers' minds," Monahan says.
Android itself has also proven vulnerable. Zil Bareisis, a senior analyst at Celent, says that in a recent study of malware attacks, Android was the most frequently and broadly targeted operating system.
"The malware is like a new virus, you develop a new virus in places where you have the most chance of success," says Bareisis.
The mobile payment security concerns are also spreading to the Olympics, where Google will reportedly test its mobile wallet, and another pilot from Samsung (SMSN) and Visa (V) will test mobile payments by providing athletes with Samsung Galaxy S III handsets equipped with Visa's payWave NFC application.
There's lots of chatter about fraud tied to these trials. One type of attack drawing attention is called "fuzzing," in which crooks feed corrupt or damaged data to a mobile app to discover vulnerabilities, or present crafted NFC tags to a phone and monitor the results.
While the concerns over fuzzing have partly come from a blog written by executives from McAfee (MFE), a technology company that can benefit from selling solutions to mitigate security threats, Bareisis says there is a threat given the profile of the event and the number of mobile phones being distributed by the payment firms.
"You're going to have a thousand phones in a centralized location," says Bareisis.