Google Wallet Security Solid Until It's Hacked
Google Wallet, the search engine's efforts to enable mobile payments using near-field communication technology from smartphones, has a number of challenges it must overcome to succeed.
One is obviously the general lack of interest in mobile payments via smartphones at a time when the vast majority of people happily use wallets. The second-biggest barrier to wholesale adoption may be consumers' concern about the security Google Wallet provides for their credit card information.
So how does Google promise to protect sensitive user data? Believe it or not, the key is an NXP PN65K chip in the Samsung Nexus S 4G smartphone (the only Google Wallet-enabling phone to date).
This "Secure Element," which stores users' credit card digits, is isolated from the phone's operating system and hardware and uses cryptography (PKI [Public Key Infrastructure] and Triple-DES [Data Encryption Standard]) and memory protection, making it tough to crack.
Only authorized programs like Google Wallet can access the Secure Element to trigger a transaction. Moreover, Google Wallet cannot read or write data from the Secure Element's memory.
Google Wallet also requires a 4-digit PIN, which is the only way to transmit payment credentials. That's not something even today's credit cards require to process. This step also prevents bad guys from brushing by you in a crowd to grab your info via NFC, noted McAfee security researcher Jimmy Shah.
As for whether any malicious application could access a user's credit card on the Secure Element, Google assures that Android enforces strict access policies so that malicious applications wouldn't have access to data stored by Google Wallet.
However, Shah thinks Android might be the best entry point for a perpetrator because Android applications are relatively easy to reverse-engineer.
He believes an attacker has a good chance of extracting the authentication key from the Google Wallet application and creating a malicious application that emulates the official Wallet application to fool the Secure Element chip into giving up a user's credentials.
"From here, the attacker can collect account information for sale or for attempts at cloning the data to new NFC cards," Shah wrote in a blog post.
Lookout Mobile Security CTO Kevin Mahaffey agrees with Shah that some sort of malicious application that can compromise the Google Wallet application or the provisioning process. Alternatively, an application could exploit the software in the Secure Element, enabling a hacker to grab credit card info.
Mahaffey wonders whether the PIN will be here to stay or will go away if Wallet becomes widely adopted. If the PIN is abandoned, Mahaffey said a user could then be susceptible to a man-in-the-middle attack, or the ghost-and-leech attack Shah referenced.
In this attack, a perpetrator can use an NFC reader to swipe consumers' credentials when they make a purchase via their phone. The defense against this attack, Mahaffey noted, is the PIN.
ThreatMetrix Chief Products Officer Alisdair Faulkner said the fundamental challenge between the security of today's credit cards and Google Wallet is that Wallet is on the same environment in which someone else's malicious application is able to get at that data.
"The analogy I would use is that I can put my credit card in my wallet, but my driver's license isn't going to try and communicate with it in any way," Faulkner told eWEEK. "Anywhere that you have stored value, that is going to be something that criminals are going to attack."
"Never before in history have we had this kind of financial data and credentials stored on a device, which we know fundamentally can never be trusted."