Security Experts:

Unencrypted Data Weakens Google Wallet (For Now)

Next year you'll be able to do all your holiday shopping without ever opening a physical wallet—or so Google hopes. The previously announced Google Wallet is comfortably into beta. Google is betting that by 2014 half of all smart phones will ship with compatible NFC chips installed. They hope that Google Wallet will be on most if not all of them.

The market for mobile transactions is, by one estimate, expected to be worth $1 Trillion by 2014. The fight, however, is over standards–which mobile wall NFC chip standard will dominate? Where exactly will the credit card data be stored? And how secure will it be?

In the US there are currently four dominate interests at work. There are handset manufacturers, who have to design the phone with the NFC chips. There are the card issuers, Visa and Mastercard, who traditionally take a percentage of every transaction, but now face stiff competition from Paypal and other alternative payment brands. To a lesser degree there are the network operators, AT&T, Verizon, and Sprint; they provide the bandwidth for these transactions, and Wi-Fi (on certain smartphones) transactions as well. Finally, there are the software vendors, Apple, Google, Microsoft, who host the payment applications.

In Japan, where mobile payments have already taken hold, there are fewer moving parts and greater acceptance. For example Osaifu-Keitai (literally “mobile wallet”) provides a framework that includes electronic money, identity card, store loyalty cards, transportation (including railways, buses, and airplanes), and credit cards. The Osaifu-Keitai system is based on Mobile FeliCa which is partially owned by Sony (a hand manufacturer), NTT DoCoMo (a network operator), and JR East (a railway system).

Google has filled in all the blanks with Google Wallet by partnering with Citibank (acquirer/bank), MasterCard (card brand), First Data (card processor), and Sprint (carrier). To overcome the acceptance aspect, Google Wallet will be accepted whereever MasterCard PayPass is currently accepted. By piggybacking on existing technology (PayPass has been around nearly ten years), Google has trumped other electronic wallet solutions that might require the merchant to purchase a new terminal by offering at least 30,000 merchants at the start. Competitors will have difficulty matching that adoption.

For security, Google made the NFC chips used by its wallet dormant unless the application is open. This removes the scenario where you brush up against someone on the subway and electronically capture their credit card information. Further, the app requires a PIN to open and is sandboxed, reducing the risk from cybercriminals leveraging vulnerabilities in the Android OS to attack the wallet. But recent research has suggested that the NFC chips used by Google Wallet may be vulnerable to different attacks.

Google also made the application such that it shows the end-user different cards, allowing the user to select which card to use for a given purchase, although (for now) only Citibank Mastercard and a Google card are available as options. However, the real fly in ointment is the security of software application is weak. Apparently, Google has neglected to encrypt some aspects of the transaction that could be valuable to fraudsters.

In its recent report on the security of Google Wallet, ViaForensics found just about everything except the first 12 digits of your 15-to-16-digit credit cards is accessible to their mobile forensic tools. ViaForensics stresses that the new vulnerabilities they found are not with the core NFC technology but within the apps that use the technology.

Among the findings, credit card balance, limits, expiration date, name on card, transaction dates and locations and more are stored in the clear in a SQL database, and targeted by malware or a physical attack on the device. At a minimum, with relative little effort, the name on the card, the expiration date, last four card digits and email account are available for a third-party to discover. Additionally, Google Analytic tracking data might be available to third-parties as well.

While the report praises Google for securely storing the actual card data on the mobile device–the cards are encrypted, and a PIN is required for use–the danger, warns ViaForensic, is in the storage of the data associated with that card. By scanning your mobile device and capturing the log files, a criminal could learn your name, when you last used your card , the card's last four digits and expiration date. From there's it's a simple matter to look up your address on a public data base and pretty much have all the information needed for a social engineering attack. This data should be encrypted, yet Google Wallet does not encrypt it.

For the next Christmas to be a card-less transaction holiday, Google has a lot of bugs to work out of its current Google Wallet beta. Until then, I'll keep my plastic card, thank you.

view counter
Robert Vamosi, CISSP, an award-winning journalist and analyst who has been covering digital security issues for more than a decade, is a senior analyst for Mocana, a device security start up. He is also the author of When Gadgets Betray Us and a contributing editor at PCWorld, a blogger at Forbes.com, and a former Senior Editor at CNET. He lives in Northern California.