Security Snafus Thin Google Wallet
Google Inc.'s mobile wallet is getting a lot of attention, but from the wrong crowd — security experts.
The security firm zvelo Inc. of Greenwood Village, Colo., demonstrated last week the ease with which Google Wallet-equipped phones, under certain conditions, can have their PIN codes extracted. It quickly followed this with a demonstration of how to access the funds loaded to the mobile wallet's prepaid account. The second attack deletes the user's PIN in the process.
Zvelo's demonstrations were "white hacks," in that they were meant to educate rather than steal. But these security flaws may become an impediment to widespread consumer and financial institution adoption of the mobile wallet, and not just Google's.
"This plays right into the concerns that consumers have in general about mobile payments, security and privacy, which are critical" to the success of any mobile wallet, says Denee Carrington, senior analyst for Forrester Research Inc.
In reaction to these security issues, Google last week temporarily disabled the "re-provisioning" of the prepaid account linked to its mobile wallet. Consumers who wish to reset their credentials will not be able to do so for an unspecified period of time. Consumers can continue to use cards that do not require re-provisioning, the company says.
Zvelo's PIN-decoding trick was demonstrated on a phone that was "rooted" to run unauthorized software and a special app to crack the PIN. The attack that grants access to the prepaid account's funds can be performed on an unrooted phone without special software.
"This [security flaw] is something like leaving the key under the mat," says Brian Riley, a research director in the bank cards practice at TowerGroup.
Google says most users would not have to worry about zvelo's PIN-decoding attack, since the process of rooting the phone erases all user data, a spokesman said by email.
"To date, there is no known vulnerability that enables someone to take another consumer's phone and gain root access while preserving any Wallet information such as the PIN," the spokesman wrote. "We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone."
Zvelo says its attack does not require a full root.
"There is a way to gain root access and to get the data of the wallet, or any other data, without a permanent root or anything else that causes the device to be wiped," says Joshua Rubin, senior engineer for zvelo and the lead engineer on the Google study.
Google's security issues may also make it difficult for the company to sign on more bank partners.
"The business-to-business impact of how Google will be viewed by banks or other businesses might be more significant than the consumer impact," says Paul Grill, partner at First Annapolis Consulting Inc.
These recent security problems demonstrate an almost cavalier attitude by non-payments companies toward protecting consumer security, says Aaron McPherson, a practice director with IDC Financial Insights.
"Google is clearly bigger than a payments start-up, but there is some of the same mentality," McPherson says.
Google should pay strict attention to risk management, fraud prevention and risk analysis, he says.
Google Wallet users should also take some responsibility, McPherson says. Smartphones take a "walled garden" approach to security, and rooting a phone breaks down those walls.
PayPal Inc., which is in the initial phases of offering a mobile wallet that relies on the cloud to store security credentials, took years to develop top-notch security standards and today offers a sophisticated multi-layered approach, industry observers say.
Google does not disclose the number of consumers using its wallet, which it launched last May, but that number is likely to be quite small, in part because most Android phones are not built with the near-field communication chip that Google Wallet uses to make point of sale payments.
Currently only 200,000 merchants accept the wallet for payments, according to Rick Oglesby, a senior analyst at Aite Group LLC.
Google is not the only company to suffer a recent digital payment gaffe, experts say. A glitch in Citigroup Inc.'s iPad app led some users to be charged twice for bill payments, Citi said last week.
Still, the security problems are evidence that Google is perhaps rushing to get its mobile wallet out to market.
For example, Google could have chosen to place the consumer ID within the phone's secure element. But that would have brought up issues of ownership of the credentials and might have made it more complicated for consumers to use, experts say.
"With any new service, you have to balance the appropriate level of security against the minimum impediment to usage," says Steve Ledford, a partner at Novantas LLC.
In addition to a prepaid account, Google allows a Citi-issued MasterCard to be used for mobile payments. That card was not affected by Google's disabling of the prepaid account's re-provisioning, Google says.
But by disabling its prepaid cards, Google removes part of the allure of its mobile wallet, experts say.