Google's Digital Wallet: A Better Mousetrap?

Published : 22/11/2024   Category : security




New mobile payment technology offers some advantages, but security experts say it still has weak spots



The new Google Wallet mobile payment technology is a step forward, security experts say, but it still has weaknesses that could make it vulnerable to attack.
The new application for Android phones, which was introduced last week, stores payment information using encryption. The encryption keys are stored in a specialized hardware chip known as the Secure Element. The product uses near-field communications to send data to payment terminals, completing transactions.
Google Wallet will be an open standard, officials say, so that any credit-card company can use it to store payment details.
Security researchers expect the technology to improve upon the current protections used for credit-card transactions.
"The bar for physical credit-card transaction security is pretty low, and it's hard to imagine a system that is less secure [than physical credit card systems]," says Charlie Miller, principal research consultant at Accuvant. "My general feeling is that Google's technology can't be any worse than a physical credit card. If you lose [a credit card], you're screwed, and if someone gets access to it or very close to it, they can copy the info."
Google Wallet protects payment data using the encryption hardware provided by the Secure Element, along with public-key encryption and triple DES encryption. This approach is not new: Many laptops sport similar hardware from the Trusted Computing alliance, which uses a separate encryption processor and data store to lock down important keys. Only a program with the proper authentication can access those keys.
Google stressed that the Secure Element and the Trusted Platform Module are two different technologies and have different applications. The Secure Element runs the Java Card Open Platform (JCOP), a popular smartcard operating system, which can be used to add functionality to stored accounts. "Access to the data in the Secure Element is governed by the Trusted Service Manager," Google's engineering team stated in an e-mail interview.
The user has to enter a four-digit PIN and put their phone on a reader to complete a transaction. Google has partnered with Mastercard and its PayPass payment system to support the technology. The Wallet app has additional security precautions above and beyond those enforced by Mastercard's PayPass infrastructure. "The app will only communicate with a transceiver if the phone's screen is on and the PIN has been entered," the team said.
"If a user enters the PIN incorrectly too many times, the Secure Element is disabled and the payment instruments cannot be used at all," Google's engineering team stated. To be used again for payment, the Secure Element must be reset by a combination of the Trusted Service Manager and the user. This process removes all previously provisioned payment instruments.
Google Wallet could improve transaction security, says Kevin Mahaffey, CTO at mobile security provider Lookout. "The promise of digital wallets can help us get more secure than the current implementation of credit cards, in my mind," he says.
Security experts warned that the implementation has not yet been vetted by the security community.
"I'm impressed by the level of care that Google has put into the security of the digital wallet," says Lookout's Mahaffey. "But I've never seen a technology that has perfect security right out of the box."
Malware could make it difficult to retrieve the keys, essentially performing a denial-of-service attack against the payment system, researchers say. Or a program could, theoretically, break out of the sandbox and eavesdrop on a transaction.
"Attackers who are in this for the money don't attack one person, they attack a million," Mahaffey says. "Until we see the product and we have people banging on it, we won't understand the security."
The near-field communications (NFC) transaction could also be attacked, says Jimmy Shah, a mobile security researcher with security firm McAfee. An attack known as Ghost and Leech was able to siphon details from NFC-enabled credit cards sitting in a victim's wallet, essentially allowing them to be pickpocketed. Such attacks could work against Google Wallet as well, he says.
"The weak point isn't the chip," Shah says. "It's the app itself."
In the end, perhaps the biggest flaw in Google's Android-based payment technology is that smartphones are regularly lost. More than a third of consumers have had a cell phone lost or stolen, according to a report published by Norton in February. Four in 10 companies have had phones lost or stolen in the last year, according to a study conducted by Carnegie Mellon University's CyLab and funded by security firm McAfee.
If an attacker has the phone, all bets are off, experts say. In that case, Google recommends that users report the phone -- and all credit cards on it -- as lost.
So far, the Google Wallet is only supported on a single phone, the Sprint Nexus S.