Google Security Demo Reveals—And Undermines—More Than Intended

For decades, predictably written TV and movie comedies telegraphed their punchlines. Everyone knew what followed a character saying, "Don't you grab those plates. You'll drop them. I'll do it." And so it was last week with Google's news conference to take the wraps off its mobile near field communication (NFC) Google Wallet effort.

In the middle of a live demo of the product, Google Payments VP Osama Bedier told the audience that he was going to use his personal phone and his personal credit card to complete a transaction and that it would all be viewable on the TV screens around the room. He knew the entire event was going to be posted to YouTube, too.

But he also should have known about Murphy's Law and that he was tempting fate to then tell the audience: "This is my credit card. I've obviously blocked out the numbers, but this is my actual credit card. And I've pre-entered the information from my credit card into my phone. I'm sorry I can't show you this screen with the information filled out. I'm a security freak, and this video is probably going to get out to a few places."

Bedier then placed the screen of the phone on a pad that would beam it to the audience. While the screen displayed "verifying your data" and "your data has been sent to Citi for verification," it also showed—slightly grayed out but quite readable to the audience—card numbers and expiration data at the top and bottom of the screen. As Bedier saw this on the room's screens, he quickly grabbed the phone away from the screens' view, to the amusement and laughter of the audience. Smiling sheepishly, he quipped, "That screen isn't dark enough."

Later in the demo, the screen showed more of his credit-card number and the last four digits of his mobile number.

It would be easy enough to dismiss this episode as merely another semi-humorous mishap at a live news conference. (A truly minor glitch: When doing a live demo of what Google has formally dubbed SingleTap, Bedier had to tap twice to get it to work.) But there's an important lesson here, one that goes beyond the fact that live demos—especially mobile demos, which can experience interference from such a wide range of places—are truly dangerous.

Security has never been primarily about high-end routers and extreme encryption. Those elements are important, of course, but security holes are generally due to a lack of attention to detail or to someone not being creative about how a thief might take advantage of the system. The hallmark of a security person is paranoia, evidenced by someone who religiously logs out of a site when done, who grabs his/her paper payment receipt at a restaurant and hand-delivers it to the cashier, and who turns wireless access on to send a message and then immediately shuts it down.

In a datacenter, security is relatively easy—there are policies and procedures, firewalls and monitoring. Get those correct and, at least in theory, it's much easier for IT professionals to keep the bad guys out. Once the basics are in place, then those all-but-paranoid security guys can try to out-think the would-be thieves.

But when it comes to mobile, where ordinary people with no security mindset are at the center of every transaction, there are two security weak points: potential thieves and the mobile users themselves. No suspicious IT people are in the loop, watching for signs of trouble. Security has to be baked into the hardware and software—which means it depends completely on the paranoia of the people who are putting together the system. If they're not security fanatics, no one else in the mobile transaction will be.

With that in mind, let's go back to that Google news conference. Bedier was stressing the security of his new payment system, pointing to safeguards at the chip level. But then he was cavalier with payment-card data from his personal card, even after telling the audience he's a "security freak" and pointing out that displaying the card data is unacceptable. Bedier isn't a spokesmodel. He's in charge of the operational aspects of this rollout, and he was recruited from PayPal specifically for that task.

How much comfort does this demonstration give to retailers that are trying to determine if Google has really thought this process all the way through? Especially when it's a new business model, a new security model, unfamiliar hardware and software and a company that, for all its size and experience handling huge amounts of search data, has never made a ripple in the payments business?

For the record, Google did indeed appear to have created a very good system with reasonable security. That makes it all the more unfortunate that this subliminal message of a lack of attention to security detail went out.