What would happen if you lost your wallet to a thief? It’s a question that Google Wallet users on Android phones are asking themselves in the wake of multiple reports of security vulnerabilities in Google’s mobile payment technology.
Google Wallet is a virtual payment system that can be used with online merchants on the web, as well as in brick-and-mortar stores via a mobile app on Android phones. At issue is the Android app, which stores credit card data on phones equipped with Near Field Communication (NFC) radio technology. The system is designed to allow users to pay for goods and services simply by holding their phone in close proximity to a payment device in the store.
The security vulnerabilities disclosed last week would allow a thief to gain access to the funds available in Google Wallet — provided the thief is in physical possession of a phone that has not been protected with a screen lock.
The Google Wallet app is currently available solely on Samsung Nexus S 4G phones running on the Sprint network, which limits the extent of any exploits in the wild. But the vulnerabilities are an important wake-up call in the area of mobile phone-based credit card payments, which is set to experience rapid growth in the near future.
Exploits for rooted and non-rooted phones
Last week, security research firm Zvelo publicly disclosed a security exploit of Google Wallet for rooted phones. The Zvelo exploit works via a brute-force attack that reveals the user’s Google Wallet PIN, giving the attacker access to the funds in the Wallet.
That disclosure was rapidly followed by reports of another very simple Google Wallet exploit for non-rooted phones that requires no technical skills to execute: The thief simply needs to clear the Google Wallet app data from the Android application settings, thereby forcing Google Wallet to reset itself and request a new PIN.
Google says it is taking the matter seriously, though the company cautions that it’s important to understand the level of risk.
“The Zvelo study was conducted on their own phone, on which they disabled the security mechanisms that protect Google Wallet by rooting the device,” Google spokesperson Nate Taylor told InternetNews.com late last week. “To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.”
Nonetheless, the existence of the exploit for non-rooted phones demonstrates that it’s not necessary for a thief to have root access in order to compromise the security of Google Wallet.
Late Friday night, Google VP Osama Bedier acknowledged that risk by announcing on the Google Commerce blog that prepaid cards would be disabled for the time being: “To address an issue that could have allowed unauthorized use of an existing prepaid card balance if someone recovered a lost phone without a screen lock, tonight we temporarily disabled provisioning of prepaid cards. We took this step as a precaution until we issue a permanent fix soon.”
Still more secure than a real wallet?
Despite the recent vulnerabilities, Google maintains that its Wallet technology remains more secure than a traditional leather wallet — provided users take the basic precaution of enabling the screenlock on their Android phone. After all, a stolen leather wallet provides no protection at all for any cash it might contain. Furthermore, credit cards linked to Google Wallet are protected against fraudulent use just like they are in any other setting. With physical wallets, users must call their credit card companies when a card is lost or stolen — and that’s the same approach Google recommends for Google Wallet.
“We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card,” Taylor said. “We are currently working on an automated fix as well that will be available soon.”
While Google is confident about their security, at least one security researcher is still concerned. Tom Kellermann, CTO of AirPatrol Corp told InternetNews.com that attacks on mobile payments have been ongoing in Asia for years. Those attacks are now likely to migrate to the U.S.
“The current security mechanisms for mobile devices are not mature enough to handle the advanced cybercriminal,” Kellerman said. “Google should have invested more heavily in securing Google Wallet — encryption alone will not save you in today’s world.”