Google Defends Mobile Wallet Security

Google has demanded users stop their efforts to hack Android smartphones to test the security of the Google Wallet payment service

Stung by two instances where Google Wallet was hacked, Google defended its mobile payment service and claimed it is safer than using credit cards to pay for goods.

Google Wallet is a mobile payment app that communicates with smartphones equipped with near field communications (NFC), a short distance wireless technology. The app runs on Sprint Nexus S 4G smartphones, which users may tap against a cash register to pay for goods at some 20 retailers and restaurants.

PIN protection

The app, designed to let shoppers leave the wallets, cash and credit cards at home, is protected by a PIN code and the phone’s lock screen.

“People are asking if Google Wallet is safe enough for mobile phone payments,” wrote Osama Bedier, vice president of Google Wallet and payments, in a corporate blog post. “The simple answer to this question is yes.”

However, two separate security researchers last week cracked the PIN code used to secure Google Wallet.

On 9 February, web security provider Zvelo found a way to execute a brute-force attack on the Google Wallet PIN code. Zvelo engineer Joshua Rubin said the Wallet-bearing smartphone needs to be rooted by the user or someone who has physical access to the device to divine the PIN code.

Google said it “strongly discourages” users from disabling the PIN code in order to gain root access to their phone because the product is not supported on rooted phones.

“That’s why in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device,” Bedier wrote.

In the other attack, the SmartphoneChamp blog on 10 February detailed how a user who finds a lost Wallet-enabled smartphone that is not protected by a screen lock can clear the data associated with Wallet from the phone’s application settings menu.

‘More secure than a credit card’

What this does is prompt Google Wallet to reset itself and ask the user for a new PIN the next time it is launched. A user can simply create a new PIN and associate a Google PrePaid card to the app to access all previously available funds.

Bedier acknowledged this issue, saying Google temporarily disabled provisioning of prepaid cards as a precaution until Google issues a permanent fix.

“You can be confident that the digital wallet you carry provides defences that plastic and leather simply don’t,” Bedier said.

This is an allusion to the notion that the more wallets stay at home, the fewer will get lost and pose security issues related to lost credit cards.

However, if researchers keep poking holes in Wallet, whether they use tricks to unlock PINs or not, the less credible Wallet’s security will seem. This will be problematic at a time when Google is fighting to expand the service and help it proliferate in commerce markets worldwide.

In general, NFC-based mobile payments are expected to boom over the next five years, though they have been slow to pick up steam in some markets including the US.