In December 2011, digital forensics and security firm viaForensics conveyed to Google evidence that unencrypted cardholder data was stored on Google Wallet-enabled smart phones. Even when a user ostensibly deletes that data from the phone, the data can still be recovered, viaForensics said.
Then website categorization technology provider zvelo Inc. probed deeper and found that a "brute force attack" on a device could let fraudsters recover the four-digit PIN that unlocks Google Wallet and authorizes contactless mobile payments at the POS. A four-digit PIN has only 10,000 possible values, so an attacker who has gained root access to the handset and can read the stored PIN hash can test every candidate in well under a second. On Feb. 9, 2012, the day after zvelo went public with its findings, smart phone comparison website thesmartphonechamp.com published a second security flaw.
The website said the second flaw involved a way to gain access to a prepaid card account on a phone by clearing the phone's data through the application settings menu, then reopening Google Wallet. The researchers found that the application installed Google Wallet as if for the first time and asked the user to input a password. Once completed, the user had access to the balance on the phone's prepaid card account.
In a video demonstration of the flaw, the presenter said, "I don't know why Google set it this way, but that's a pretty big security hole there because, basically, anybody can just get a hold of your phone, reset the app and there they go, they have access to your Google prepaid account."
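The PIN weakness described above comes down to two facts: a four-digit PIN has only 10,000 possible values, and once the attacker holds the hash itself there is nothing to limit how many guesses are tried. The following Python is an added illustration, not code from the page, from Google or from zvelo. It assumes the on-device PIN is stored as a salted SHA-256 hash (an assumption for the demo; the exact storage format is not described here) and uses a constructed sample PIN. It runs the same 10,000-candidate loop twice: once offline against the exposed hash, where it always succeeds, and once through a verifier that keeps a lockout counter, the property a secure element or server-side check provides and a locally readable hash does not.

```python
"""Offline brute force of a four-digit PIN hash versus an attempt-limited
verifier. Added example; the salted-SHA-256 storage format and the lockout
limit of five attempts are assumptions, not facts from the article."""
import hashlib
import os
import time
from typing import Optional, Tuple


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Assumed on-device format: SHA-256 over salt || PIN digits."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def brute_force_pin(salt: bytes, target: bytes) -> Tuple[Optional[str], int]:
    """Offline attack: the attacker already holds salt and hash (e.g. read
    from a rooted handset), so nothing caps the number of guesses.
    Returns the recovered PIN and how many candidates were hashed."""
    for n in range(10_000):
        cand = f"{n:04d}"
        if hash_pin(cand, salt) == target:
            return cand, n + 1
    return None, 10_000


class AttemptLimitedVerifier:
    """Online check with a lockout counter. The hash and salt stay inside
    the verifier; the caller only learns accept/reject and only a few
    times. Modelled on secure-element / server-side PIN checks."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._salt = os.urandom(16)
        self._hash = hash_pin(pin, self._salt)
        self._max = max_attempts
        self._remaining = max_attempts
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        if hash_pin(candidate, self._salt) == self._hash:
            self._remaining = self._max  # correct PIN resets the counter
            return True
        self._remaining -= 1
        if self._remaining == 0:
            self.locked = True  # further guesses are refused
        return False


def brute_force_online(verifier: AttemptLimitedVerifier) -> Tuple[Optional[str], int]:
    """Same guessing loop, but every guess has to go through the verifier,
    which locks after max_attempts failures."""
    for n in range(10_000):
        cand = f"{n:04d}"
        if verifier.verify(cand):
            return cand, n + 1
        if verifier.locked:
            return None, n + 1
    return None, 10_000


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_pin("4821", salt)  # constructed sample PIN
    t0 = time.perf_counter()
    pin, tries = brute_force_pin(salt, stored)
    print(f"offline: recovered {pin} after {tries} hashes "
          f"in {time.perf_counter() - t0:.3f}s")
    v = AttemptLimitedVerifier("4821")
    pin, tries = brute_force_online(v)
    print(f"online: recovered {pin}, locked={v.locked} after {tries} attempts")
```

Salting and hashing do not help here because the input space is tiny; what protects a short PIN is keeping the hash out of the attacker's hands and bounding the number of verification attempts. That is the design difference between a PIN checked inside a tamper-resistant secure element and one checked against a value readable from application storage.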
Theodore Svoronos, data security expert and Vice President of Sales at Atlantic Pacific Processing Systems Inc., said user access to cardholder data should rest on two-factor authentication, such as a user name and PIN, rather than just a PIN.
Svoronos said that among the four elements all payment solutions should have – ease of use, adoptability, design features and security – security should be the top priority. He questions whether Google took the necessary steps to ensure Google Wallet's security.
"I honestly believe that before any product goes out, especially in this day and age, it's got to be secure," he said. "If it's not secure, and it's not tested, tried and true, it should never walk out the door."
Svoronos also questions why card data has to reside on smart phones at all. The data would be less vulnerable if the phone were limited to being an access device for card data stored in the cloud, rather than a storage device for the card data itself, he said. A phone that stores payment information reproduces the worst aspect of a physical wallet: if the wallet is stolen, much of the owner's private financial information goes with it.
"All of a sudden that phone becomes a physical wallet?" he said. "You've opened up a whole new Pandora's Box."
Osama Bedier, Vice President, Google Wallet and Payments, issued a statement Feb. 10 on Google's corporate blog that asserts the safety of Google Wallet and its "advantages over the plastic cards and folded wallets in use today." He reported that Google temporarily disabled the "provisioning" (roughly meaning activation) of new prepaid cards in Google Wallet as the search engine giant works to correct the access problem.
On Feb. 14, Bedier said in a post that Google had restored provisioning and "issued a fix that prevents an existing prepaid card from being re-provisioned to another user."
Time will tell if Google's actions are sufficient to mitigate any damage to the company's reputation caused by the flaw. Todd Ablowitz, President of payment consultancy Double Diamond Group LLC, pointed out that numerous studies prove consumers are "extremely concerned about security as it relates to the mobile phone and payments. … This is their money we're talking about. So people aren't comfortable just trusting that the security is good enough. They want to know it."
Whether the security flaw negatively impacts Google Wallet will depend on public perception, according to Ablowitz. If the flaw is seen as just one of the things Google had to fix during the rollout of Google Wallet, the concerns may fade away, he said. But the opposite development could have far reaching consequences.
"If this gets a life of its own in the public perception, this could be very damaging to Google Wallet and to mobile payments," he said.