Security behind Google Wallet, the company's recently debuted contactless near field communication (NFC)-based cell phone payment platform, is still a gray area, according to experts.
Google heavily promoted the security behind its digital wallet platform at the introductory event in New York City. The company said that, like a debit card, Google Wallet requires a PIN to be entered before it is used.
Google is so confident in the security of its Google Wallet service that it even stated the security features go beyond what's possible with traditional wallets and cards. In one sense, Lookout Mobile Security chief technology officer and co-founder Kevin Mahaffey says, this could be true.
"Because you have the ability to analyze what is running on the device and where potential fraud is coming from, rather than just having a credit card floating around in the world, there's an opportunity to increase the security of payments," Mahaffey said. "There's 16 numbers and a 3-4 digit code that controls your access to money with credit cards, that's kind of crazy. With digital wallets, there's strong cryptography and a lot of innovation to detect fraud on these devices."
The encrypted financial data related to Google Wallet is stored on a computer chip called the NXP PN65, also known as the Secure Element. The separate chip cannot be tampered with, since it will self-destruct if removed, and it's only in use when the PIN is unlocked. If a user loses their cell phone, Google says it would still be secure because a thief would have to crack the PIN.
If a user enters the PIN incorrectly too many times, the Secure Element is disabled and cannot be used for payment until it has been reset by a combination of the issuing bank, the Trusted Service Manager, and the user. Resetting the PIN requires the user to reprovision their credit cards to the Wallet, thereby forcing a would-be thief to provision all the card credentials from scratch, said Osama Bedier, vice president of payments at Google. Even with this protection, Google recommends users call their banks if they lose their phone.
However, Mahaffey says it's not so cut and dried. A service like Google Wallet, or any NFC contactless payment platform, is also more susceptible to automated, large-scale attacks. He also said NFC technology is vulnerable to an automated skimmer, which is similar to skimming attacks on credit cards. This technology allows a criminal to scan the NFC-enabled phone while it's in someone's pocket, accessing that information by simply standing close with special equipment.
It is worth noting Google has stated it can protect financial data against that kind of fraud. With the Secure Element, the NFC antenna isn't turned on until the phone is illuminated. Thus, when it's in someone's pocket, it's nonexistent. Still, no one knows how secure Google Wallet will be.
"It's easy to make claims regarding insecurity or security. The proof is in the pudding," Mahaffey said. All he knows is it will be tested. When devices are in the field, lots of people are trying to break it.
Like Mahaffey, Tim Armstrong, a malware researcher at Kaspersky Labs, says the jury is still out on the security of NFC technology.
"No one has seen Google Wallet implemented and we don't expect to see it for months. A cohesive overview of it is not possible. For all of NFC, there hasn't been a lot of use. It's as safe as RFID technology and that's widely implemented. But there are also plenty of researchers out there who have defeated RFID and gotten direct access to a device or an antenna with flickers. Nothing is 100 percent secure, but it's as safe as anything that's out there," Armstrong said.
Regardless of how secure it is, both experts acknowledge the technology has arrived, and security concerns shouldn't hamstring its development.
"It's unavoidable at this point. It's going to happen with Google, Citibank and a few others behind it. It's not a matter of if, but when," Armstrong said.