Is Google Wallet Secure? What You Need to Know

Google announced its long-awaited mobile payments platform, Google Wallet, in New York City on Thursday. The company claims it will revolutionize commerce. But with stories about massive data breaches and hacks an almost daily occurrence, consumers are most concerned about whether Google Wallet is secure. Here’s what you need to know.

Google walletGoogle announced its long-awaited mobile payments platform, Google
Wallet, in New York City on Thursday. The company claims it will
revolutionize commerce. But with stories about massive data breaches and
hacks an almost daily occurance, consumers are most concerned about
whether Google Wallet is secure. Here’s what you need to know.
 

+ Google Wallet — sounds cool! What is it?

+ So I can hook all my credit cards up to it? Cool!

+ How will Google Wallet be secured?

+ What, a couple PINs to protect all my credit cards? That sounds scarily insecure!

+ OK, So you mentioned that thing about a hacker stealing all my credit
card information. Google’s going to make sure that won’t happen, right?

+ Uh huh… So you mentioned that thing about a hacker stealing all my
credit card information…

+ OK. That’s all scary and depressing. Tell me something else cool that you can do with Google Wallet!
+ Are there any other ways that Google’s Wallet kicks my wallet’s butt?

Google Wallet — sounds cool! What is it?

Google Wallet is a mobile payments application that leverages Google’s Android mobile operating system and runs (for now) on the Samsung Nexus S 4G phone, available from U.S. carrier Sprint. According to Google, the e-wallet (our term, not theirs) was designed to be used to pay for items using your mobile phones both at brick and mortar establishments and for online payments. Google says the Wallet will store multiple credit cards, offers, loyalty cards and gift cards, all without the “Costanza wallet” effect. Eventually, Google Wallet will work with a wider range of phones and credit cards. Just not yet.

[Back]

So I can hook all my credit cards up to it? Cool!

Not so fast. At this point, Google Wallet only accepts the Citi Mastercard and a Google Prepaid Card (did these exist before today?!). Citi was Google’s date to the unveiling, along with First Data and Sprint. At some point in the future, Google and Citi will stop dating exclusively and Google will start playing the field and accepting other credit and debit cards, but for now you’re out of luck if you don’t have a Citi Mastercard or a Google Prepaid card – whatever that is.

[Back]

How will Google Wallet be secured?

For the most part, Google Wallet will have the same security as your other mobile banking apps. Hopefully you’ll have your Android phone protected with a password that’s not toally obvious  and that locks your screen when you’re not using the phone. Beyond that, there will be a separate PIN you will need to actually carry out a transaction.

[Back]

What, a couple PINs to protect all my credit cards? That sounds scarily insecure!

Yeah, but – get this – you already keep all your credit cards and debit cards in your wallet, and I’ll be that doesn’t have a password on it, does it? DOES IT?!?!?! Anyway – that’s Google’s point: “a locked wallet is safer.” That is, until somebody figures out how to hack said wallet account and go on an online shopping binge while you sleep. But, again, people lose wallets and have credit cards stolen from them all the time. And human tellers have already proven a hopeless security screen for stolen cards (or haven’t you noticed?) So, long and short: we’re already living with an insecure “architecture.”

[Back]

OK, So you mentioned that thing about a hacker stealing all my credit card information. Google’s going to make sure that won’t happen, right?

That’s what Google says, yeah. The company went to great pains in their announcement to reassure everyone that security was part of the Wallet’s core design, not bolted on after some 17 year old at DEFCON digitally pants-ed the company. So, beyond the access controls around the Wallet app, there are layers of transaction security that should make it difficult to either hijack accounts or sniff out sensitive account or financial information from transactions.  Google Wallet is compliant with existing smartcard based payment systems like PayPass (MasterCard) and SecurePay. Sprint Nexus S phones come with a tamper resistant chip by NXP Semiconductor, dubbed the “Secure Element” that stores the encrypted payment credentials and manages the wireless Near Field Communication (NFC) technology that allows the phone to interact with contactless card readers securely. MasterCard PayPass protects the payment card credentials as they are transferred from the phone to the contactless reader.

[Back]

Uh huh… So you mentioned that thing about a hacker stealing all my credit card information. Google’s going to make sure that won’t happen, right?

Right. Who cares what Google says? The truth is that, while Google has clearly constructed a payments system with security in mind, nobody knows exactly how well it will stand up to attacks or attempts to compromise the security of Google Wallet, because – in the U.S., anyway – mobile payments are in their infancy. But if you talk to security experts, they’ll say that there are reasons to be concerned. Karsten Nohl, an expert on contactless payment security, said that NFC – the contactless technology that is the basis for Google Wallet – “connects phones to a whole new world of insecurities.” “Contact-less payment and identification technology is a diverse field with a few secure choices and plenty of broken, old technology,” he told Threatpost. “While RFID/NFC can certainly provide bulletproof cryptographic protection, most deployments still choose proprietary technology instead. The NFC chips in upcoming phones support both the old and the new standards.” To prove that point, in 2008, Nohl and his colleagues demonstrated that the encryption used to protect data in common smart cards is breakable, even using commodity hardware.

As with many new technologies, the marketplace is setting the terms for NFC deployments and for “acceptable” levels of transaction security, Nohl argues. And that’s bound to lead to lapses. Kevin Fu, a researcher at the University of Massachusetts, also sees problems with the mobile payments ecosystem, which is made up of numerous players – platform developers, credit card companies, issuing banks, application developers, merchants and consumers — but no central authority. “Like most complex systems, there’s a diffusion of responsibility and a need for security at every level, but I’m not aware of any single authority.”

[Back]

OK. That’s all scary and depressing. Tell me something else cool that you can do with Google Wallet!
You can use it with Google’s (beta) Offers feature – this is what Google created after Groupon told the company to go screw. Its not in Boston yet, but where it is available, you get Groupon-type coupons that you can automatically redeem when you use Google Wallet. Kind of like automated coupon clipping. That’s cool. 

[Back]

That is tremendous. Are there any other ways that Google’s Wallet kicks my wallet’s butt?
Your wallet is probably made of leather or some other animal byproduct. No animals had to die to make Google wallet.
[Back]

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.