Google Inc.'s mobile wallet is getting a lot of attention, but from the wrong crowd — security experts.
The security firm zvelo Inc. of Greenwood Village, Colo., demonstrated last week the ease with which Google Wallet-equipped phones, under certain conditions, can have their PIN codes extracted. It quickly followed this with a demonstration of how to access the funds loaded to the mobile wallet's prepaid account. The second attack deletes the user's PIN in the process.
Zvelo's demonstrations were "white hacks," in that they were meant to educate rather than steal. But these security flaws may become an impediment to widespread consumer and financial institution adoption of the mobile wallet, and not just Google's.
"This plays right into the concerns that consumers have in general about mobile payments, security and privacy, which are critical" to the success of any mobile wallet, says Denee Carrington, senior analyst for Forrester Research Inc.
In reaction to these security issues, Google last week temporarily disabled the "re-provisioning" of the prepaid account linked to its mobile wallet. Consumers who wish to reset their credentials will not be able to do so for an unspecified period of time. Consumers can continue to use cards that do not require re-provisioning, the company says.
Zvelo's PIN-decoding trick was demonstrated on a phone that was "rooted" to run unauthorized software and a special app to crack the PIN. The attack that grants access to the prepaid account's funds can be performed on an unrooted phone without special software.
"This [security flaw] is something like leaving the key under the mat," says Brian Riley, a research director in the bank cards practice at TowerGroup.
Google says most users would not have to worry about zvelo's PIN-decoding attack, since the process of rooting the phone erases all user data, a spokesman said by email.
"To date, there is no known vulnerability that enables someone to take another consumer's phone and gain root access while preserving any Wallet information such as the PIN," the spokesman wrote. "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
Zvelo says its attack does not require a full root.
"There is a way to gain root access and to get the data of the wallet, or any other data, without a permanent root or anything else that causes the device to be wiped," says Joshua Rubin, senior engineer for zvelo and the lead engineer on the Google study.
Google's security issues may also make it difficult for the company to sign on more bank partners.
"The business-to-business impact of how Google will be viewed by banks or other businesses might be more significant than the consumer impact," says Paul Grill, partner at First Annapolis Consulting Inc.
These recent security problems demonstrate an almost cavalier attitude by non-payments companies toward protecting consumer security, says Aaron McPherson, a practice director with IDC Financial Insights.
"Google is clearly bigger than a payments start-up, but there is some of the same mentality," McPherson says.
Google should pay strict attention to risk management, fraud prevention and risk analysis, he says.
Google Wallet users should also take some responsibility, McPherson says. Smartphones take a "walled garden" approach to security, and rooting a phone breaks down those walls.
PayPal Inc., which is in the initial phases of offering a mobile wallet that relies on the cloud to store security credentials, took years to develop top-notch security standards and today offers a sophisticated multi-layered approach, industry observers say.