How Bad Are The Google Wallet Security Problems? Bad Enough

Google Wallet isn't safe, at least not on the consumer end. That's the conclusion from security firm viaForensic's analysis released on Monday (Dec. 12). Yes, Google does a good job of blocking man-in-the-middle attacks. And having a PIN to open the wallet restores some security that Visa stripped out when it brought Chip-and-PIN to the U.S. But Google also stores far too much customer information unencrypted on the phone—and if the phone is malware-infected or stolen, that data becomes far too easy for a thief to get at.

Fortunately, Google doesn't need a technology magic bullet to make its mobile wallet much, much safer. Google just needs to leave a lot less information lying around on the phone—and change how it thinks about smartphones.

The security analysis by viaForensics was actually pretty encouraging when it wasn't damning. Payment-card numbers and CVVs are locked safely in the NFC Secure Element. Almost everything else requires a PIN to get at in the Google Wallet application (the exception is the system logs, which leak a little bit of information with each transaction). If Android's security were perfect, Google Wallet's security would be fine, too.

But it's not. And a cyberthief who gets access to the PIN-protected transaction databases inside the phone can learn a lot about its owner's transactions—not enough to steal payment-card data directly, but more than enough to launch a social-engineering attack on the user. "For example, if I know your name, when you've used your card recently, last four digits and expiration date, I'm pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone's address), an attacker is well-armed for a successful social engineer attack," the report concludes.

For retailers, the problem is more subtle: Mobile wallets are a great opportunity to get CRM data in something very close to real time. But that can only become a reality if customers are willing to use their phones to make purchases. If they don't trust the phone, mobile wallets will go nowhere.

The security firm's recommendations largely come down to "encrypt all this data, even though it's already PIN-protected." That's certainly something Google should do. The real question is why Google didn't do that from the beginning.

After all, even before mobile wallets, smartphones (and PDAs before them) have typically been stuffed with information. At the very least there are contacts, phone numbers, text messages and personal information. But some smartphone users also find their phones to be a convenient place to stash all their logins and passwords—for work, Webmail accounts and paying bills—along with PINs and keylock combinations, bank-account numbers and, in some cases, payment-card numbers, too.

That's a privacy nightmare—and there aren't any QSAs vetting consumers for PCI compliance.That's a privacy nightmare, because all that data is accessible if the phone is stolen and the thief hacks the phone. It may even be available remotely if the phone is malware infected. These phones are big targets—and there aren't any QSAs vetting consumers for PCI compliance.

In that context, you'd think Google would be especially concerned about locking down information about wallet transactions with both a PIN and encryption. (Yes, encrypting and decrypting data on the fly chews up a phone's processing power. You'd think Google would love the idea of getting users to upgrade their phones, too.)

In fact, because Google is pitching its mobile wallet as a replacement for real wallets, you'd think Google would be thinking in terms of securely storing (in other words, encrypting) everything that's stored on a smartphone. That might not include text messages or E-mail, but locking up all those other big, fat targets for thieves is just in Google's interest.

But first, Google may need to rethink many of its ideas about security. As the viaForensics analysis notes, it's good to require a PIN to get into the mobile wallet. A PIN keeps out casual thieves. But it won't deter a serious cyberthief. Encrypting everything in the wallet would make getting useful information so hard that it would probably be more cost effective just to wipe and sell the phone.

That's the way Google needs to think about security. A smartphone is the only computer that a thief can easily walk off with in any unguarded moment. The usual rules of physical control don't apply. (Think about how often thieves manage to physically compromise PIN pads that are sitting on counters in plain view, where it should be easy to spot a thief at work. Mobile phones are even easier to steal than that.)

Google probably should give users much more control over what data is routinely displayed, too. ViaForensics specifically called out the fact that an E-mail address was displayed when Google Wallet was initially opened up. But the app also automatically displays some very specific details when a card is selected, including the cardholder's balance and credit limit. That's handy—but not necessarily something a mobile-wallet user would want available to any shoulder surfer standing nearby.

(It's also not necessarily in the interest of retailers. Constantly having the balance-due flashed at customers might have a dampening effect on their willingness to spend even more money.)

So encrypting transactions is essential. Providing smartphone users with an encrypted place to store personal information is a good idea, too. Making sure that "deleted" information is actually overwritten, that system logs don't leak card data and that phones only display information users want displayed—those are all essential.

There's a strange split in the relationship that smartphone users have with their phones. These people love their phones. They trust their phones with way too much information, and they're not willing to give up their phones. And if a mobile wallet from Google (or ISIS or PayPal or Apple) gives them a reason to distrust their phones, they still won't give up the phone.

But a mobile wallet? That'll be the first thing to go.