As Google Inc. learned in the past week, the security problems with digital wallets are thorny and complex.
They involve everything from the difficulty of securing payment data on the phone itself to the question of whether security credentials should be stored in the cloud or on the phone.
Any misstep, however temporary, could erode the delicate trust banks and technology companies are trying to build around mobile payments.
The security double-whammy that struck Google came from the research firm zvelo Inc. of Greenwood Village, Colo. Google said Tuesday that it fixed the most glaring flaw zvelo uncovered, but zvelo said it was unable to test Google's fix by deadline.
The Google Wallet app is protected by a PIN chosen by the user. Once unlocked, the Wallet allows payments from a directly linked payment card or a Google-branded prepaid account. Since only Citigroup Inc. has linked its accounts to Google Wallet, most users would store funds in the prepaid account.
Zvelo demonstrated last week that Google Wallet users can have their PIN codes and other wallet information extracted with a PIN-cracking app that can be run under certain conditions.
A separate — and far more straightforward — flaw allows an attacker to reach the funds in the user's prepaid account simply by wiping the Google Wallet app's settings. The reset erases the user's PIN in the process, but not the prepaid balance, which remains accessible to whoever holds the phone.
"Ideally, if a user had a prepaid account they would be challenged in some way to prove their identity," but Google provided no such challenge to a user accessing the funds after the app was reset, says Joshua Rubin, senior engineer for zvelo and the lead engineer on the study that exposed the security flaws.
This flaw may reappear in any other mobile payment system, since banks and other technology companies face the same pressures Google did in designing a mobile wallet.
Part of the reason behind Google's streamlined security approach is that consumers would likely find stronger identification procedures an impediment to their use of the mobile wallet. A magnetic-stripe card, by contrast, does not need to be unlocked before each use.
Google Wallet stores the payment credentials, but not the PIN, in the secure element, the tamper-resistant chip found in smartphones equipped to make transactions over near-field communication (NFC). The PIN is kept by the app outside that chip.
But the secure element is currently the subject of a turf war between mobile phone carriers and the banks. Each would like to use the secure element to control the wallet experience and be compensated for it, experts say. Neither wants to assume liability for a data breach.
"Banks are basically at risk for letting themselves get disintermediated by these services," says Peter Wannemacher, an analyst for Forrester Research Inc.
Citi's data was not affected by the security flaw Rubin uncovered, the bank says.
"No Citi client information is stored on the Google Wallet, and the Wallet PIN is separate and distinct from any PIN the client may have enabled on their card account," a Citi spokeswoman says.
Removing data from the mobile-wallet environment might be the right approach, says Rick Oglesby, a senior analyst at Aite Group LLC.
It's excessive to store the wallet PIN within the secure element, since the PIN is meant to unlock the data within the secure element, Oglesby says.
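The two passages above (the PIN-cracking app and the debate over where the PIN should live) come down to one point: a PIN has only 10,000 possible values, so anything stored on the handset that lets software check a guess can be brute-forced in well under a second by whoever can read the app's files, whereas a check that happens inside a chip with a retry counter cannot. The following is an added illustration, not code from Google, zvelo or the article; the salted SHA-256 storage scheme, the four-digit PIN length and the five-attempt lockout are assumptions chosen to show the contrast.

```python
"""Why a locally verifiable 4-digit PIN is not a lock: offline brute force versus a
rate-limited verifier. Added illustration; the hashing scheme, PIN length and
lockout model are assumptions, not Google Wallet's or zvelo's actual code."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

PIN_LENGTH = 4     # assumption: a numeric four-digit PIN, so 10**4 candidates
MAX_ATTEMPTS = 5   # assumption: lockout threshold used by the hardened verifier


def store_pin_hash(pin: str) -> Tuple[bytes, bytes]:
    """The weak design: keep a salted SHA-256 digest of the PIN in app data.
    Assumed scheme for illustration. The salt sits beside the digest, so anyone
    who can read the app's files has everything needed to check guesses."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def crack_pin(salt: bytes, digest: bytes) -> Optional[str]:
    """Offline attack on the weak design: with salt and digest in hand (read from
    a rooted or stolen phone), at most 10**PIN_LENGTH hashes recover the PIN."""
    for n in range(10 ** PIN_LENGTH):
        guess = f"{n:0{PIN_LENGTH}d}"
        if hmac.compare_digest(hashlib.sha256(salt + guess.encode()).digest(), digest):
            return guess
    return None


class SecureElementVerifier:
    """Model of PIN checking inside a tamper-resistant chip: the secret never
    leaves, and a retry counter locks the wallet after MAX_ATTEMPTS failures.
    Simplified model, not any vendor's secure-element API."""

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._pin, guess.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def crack_via_verifier(verifier: SecureElementVerifier) -> Optional[str]:
    """The same brute force, but every guess must go through the verifier:
    the lockout stops it after a handful of tries (the attacker wins only
    if the PIN happens to be among the first MAX_ATTEMPTS candidates)."""
    for n in range(10 ** PIN_LENGTH):
        guess = f"{n:0{PIN_LENGTH}d}"
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None


if __name__ == "__main__":
    pin = "4815"  # constructed sample PIN
    salt, digest = store_pin_hash(pin)
    print("offline crack of hashed PIN:", crack_pin(salt, digest))
    se = SecureElementVerifier(pin)
    print("crack through rate-limited verifier:", crack_via_verifier(se),
          "- locked after", se.failures, "failures")
```

The offline attack succeeds against any scheme in which the phone can verify the PIN by itself, whatever hash or salt is used; adding a slow hash only stretches 10,000 guesses from milliseconds to minutes. Moving the check behind a retry counter is what changes the outcome, which is the practical argument for keeping the PIN (or at least its verification) inside the secure element rather than in app data.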
What's needed are layers of security, such as exist for online banking today, experts say. Challenge questions could be triggered, for example, when the phone detects that its settings have been reset or that a different user is present.
Developers could also place a software cache on phones that encrypts personal data, says Rubin.
But for now, it comes down to basics.
"Google's response, which people should heed, is: if you lose your phone, call the toll-free line to make sure the [prepaid] card is cancelled," Rubin says.